In early October, the Russian hacking group, infamous for infiltrating the computer networks of the Democratic National Committee (DNC) last year, launched a new operation targeting potential attendees of an upcoming US cybersecurity conference, research suggests.
The Kremlin-linked unit, known as APT28 or Fancy Bear, weaponised a real Word document titled “Conference_on_Cyber_Conflict.doc” with a reconnaissance malware known as “Seduploader” to target delegates from Washington DC-based Cyber Conflict US, or CyCon.
The two-page file, lifted from the conference’s website, was created on 4 October and threat researchers from Cisco Talos, who first spotted the malware, said that attacks peaked three days later.
“Due to the nature of the document, we assume that the targeted people are linked or interested by the cybersecurity landscape,” three Talos experts wrote in a joint report (22 October).
High profile speakers billed to talk at CyCon, which is set to take place on 7-8 November, includes former US National Security Agency director Keith Alexander and current commanding general of the US Army’s Cyber Command, Paul Nakasone.
The Fancy Bear hackers, known to Talos as “Group 74”, has been linked to the Seduploader in the past and regularly uses real-world events as the launch pad for attacks.
Multiple cybersecurity analysts believe the hackers are associated with Russian intelligence.
“In this case, Group 74 did not use an exploit or any 0-day but simply used scripting language embedded within the Microsoft Office document,” Talos said.
Zero-day exploits are typically used in sophisticated attacks and exploit a gap in security previously unknown to anyone, including vendors and manufacturers.
“We could suggest that they did not want to utilise any exploits to ensure they remained viable for any other operations,” the team continued.
“Actors will often not use exploits due to the fact that researchers can find and eventually patch [fix] these which renders the actors’ weaponised platforms defunct.”
If the Fancy Bear cyberattack was successful, the team would attempt to siphon any secretive data from victims’ computers. In one of its most famous attacks, it exfiltrated tens of thousands of emails from the DNC network, which were later leaked online for the world to see.
A US military spokesperson told The Daily Beast that it was aware of the attempted hacks and had launched an investigation. “We will publish details as appropriate,” he added.
News of the Fancy Bear operation was published in the wake of a report from US-Cert, a division of homeland security, which said officials had observed attempted hacks on “government entities and organisations in the energy, nuclear, water, aviation, and critical manufacturing sectors”.
These were also linked, at least on first analysis, to Russian cyber-espionage operatives.