A hacker group believed to be sponsored by the Russian government has attacked governments in Georgia, the Caucasus and eastern Europe, as well as Nato and defence contractors across the west of Europe.
The so-called APT28 group has been sending targets emails offering information of interest relevant to the recipient, while registering websites that mimic legitimate news and current events sites. Such "phishing" sites can either be used to trick victims into handing over data, such as usernames and passwords, or to push malware onto the visitor's PC, phone or tablet.
Though it could find no direct link to the Russian government, US security company FireEye said the intelligence sought by the hackers was consistent with Russian interests.
APT28 tried to break into the systems of Georgia's Ministry of Internal Affairs (MIA) and Ministry of Defense (MOD), as well as a journalist covering issues in the Caucasus and a Chechen news site.
In the attack on the MIA, a malicious Excel file was emailed to employees. When opened, it launched a decoy document containing a list of Georgian driver's license numbers, while in the background a backdoor was installed on the victim's PC that would try to connect to the organisation's email server. This would collect network information and send it back in an attachment from a seemingly legitimate email address.
The attempt to compromise Georgia's MOD also involved attacks on a US defence contractor that was working with the Georgian military to develop training programmes. The journalist was sent an email with a malicious attachment claiming to come from US political magazine Reason.
APT28 had previously used an email lure containing information on the Malaysia Airlines flight downed in Ukraine in a "probable attempt" to compromise the Polish government, FireEye said. It had also set up a fake website on the Baltic Host logistical planning exercises, which are hosted by one of the three Baltic States – Estonia, Latvia, and Lithuania – and coincided with training programmes carried out by the US Army and Nato forces this year.
"Such targets would potentially provide APT28 with sensitive tactical and strategic intelligence concerning regional military capabilities and relationships," FireEye said in its report. Russia's deputy foreign minister, Vladimir Titov, had previously described the training drills as "a demonstration of hostile intention" and said that "all necessary political and military measures to ensure our security" would be taken.
The hacker group has also created a number of fake domains for UK-based defence events, including the Farnborough Airshow and the Counter Terror Expo, probably as part of a campaign to gather intelligence on attendees.
Alongside the list of targets, other data has indicated the Russian government's involvement, FireEye said, including the long-term development of its hacker tools – the Sourface downloader, which installs the Eviltoss backdoor on target machines.
"APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organisation, most likely a nation-state government," the report read.
"APT28's malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours, which suggests that the Russian government is APT28's sponsor."
Russia has been suspected of attacks on Ukraine too, including attempts to gain access to politicians' mobile phone communications, though FireEye did not find APT28 active in the country. Putin's administration had previously been linked with cyber attacks on Georgia during the nations' conflict in 2008.
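The "business hours" claim above rests on the kind of build-time analysis analysts run over a malware sample set: every Windows PE file carries a TimeDateStamp in its COFF header, set by the linker when the binary was built. Plotting those stamps against a candidate timezone shows whether builds cluster in that zone's working day. The script below is an added illustration written for this page; it is not FireEye's tooling or anything from its report. It parses the stamp straight out of the header, scores a set of constructed sample binaries against two candidate timezones, and skips zeroed stamps. The UTC+4 offset is Moscow's offset in mid-2014 (Russia moved to UTC+3 in October 2014), and the 09:00 to 18:00 weekday window is an assumption; the sample timestamps are invented for the demonstration.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct the smallest byte string that carries a PE/COFF header.

    Test input only: a DOS header whose e_lfanew field (offset 0x3C) points
    at the 'PE\\0\\0' signature, followed by the 20-byte COFF file header
    with the given TimeDateStamp. No sections and no optional header.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos_header = dos_header.ljust(e_lfanew, b"\x00")
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff


def pe_compile_timestamp(data: bytes):
    """Return the COFF TimeDateStamp (seconds since the Unix epoch, UTC),
    or None if the bytes do not look like a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # TimeDateStamp sits 8 bytes past the signature (after Machine and NumberOfSections).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def business_hours_share(timestamps, utc_offset_hours, start_hour=9, end_hour=18):
    """Convert each UTC timestamp into the candidate timezone and return
    (share of builds on a weekday within [start_hour, end_hour), per-hour counts)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    per_hour = Counter()
    in_window = 0
    considered = 0
    for stamp in timestamps:
        if stamp == 0:
            continue  # cleared stamp: no signal, and a cheap way to defeat this analysis
        considered += 1
        local = datetime.fromtimestamp(stamp, tz)
        per_hour[local.hour] += 1
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_window += 1
    share = in_window / considered if considered else 0.0
    return share, per_hour


# Constructed sample: build times as (year, month, day, hour, minute) in UTC,
# invented so that they cluster in a Moscow working day. Not a real sample set.
SAMPLE_BUILD_TIMES_UTC = [
    (2014, 6, 10, 6, 0),    # Tue 10:00 at UTC+4
    (2014, 6, 11, 9, 30),   # Wed 13:30 at UTC+4
    (2014, 6, 12, 12, 0),   # Thu 16:00 at UTC+4
    (2014, 6, 13, 4, 0),    # Fri 08:00 at UTC+4 (before the window)
    (2014, 6, 14, 8, 0),    # Sat (weekend, excluded)
    (2014, 6, 16, 13, 30),  # Mon 17:30 at UTC+4
]

SAMPLE_PES = [
    build_minimal_pe(int(datetime(*t, tzinfo=timezone.utc).timestamp()))
    for t in SAMPLE_BUILD_TIMES_UTC
]


def fraction_in_business_hours(pe_blobs, utc_offset_hours):
    """Parse the stamps out of raw PE blobs and score one candidate timezone."""
    stamps = [s for s in map(pe_compile_timestamp, pe_blobs) if s is not None]
    share, _ = business_hours_share(stamps, utc_offset_hours)
    return share


if __name__ == "__main__":
    # Compare Moscow (UTC+4 in mid-2014) with US Eastern daylight time (UTC-4).
    for label, offset in (("UTC+4 Moscow", 4), ("UTC-4 US Eastern", -4)):
        share = fraction_in_business_hours(SAMPLE_PES, offset)
        print(f"{label}: {share:.2f} of builds fall in working hours")
```

On the constructed set, four of six builds land in a Moscow working day against one of six for US Eastern. The caveat a practitioner should attach is the one Group-IB raises further down: the stamp is written by the attacker's own toolchain, can be zeroed or set to any value, and at best says where the developers may sit, not who pays them.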
The Russian Embassy in London had not responded to a request for comment at the time of publication.
Nikolay Shelekov, senior specialist for threat prevention in the investigation department of Russian firm Group-IB, told the Guardian the report offered no concrete evidence of Russian government involvement.
"Unfortunately, with this information all we can say is that developers may be located in Russia, that's all."
However, Russian security firm Kaspersky Lab said it had been tracking the same group, which it calls Sofacy. It was involved in investigations into a Sofacy attack in eastern Europe and has also gathered evidence showing the involvement of Russian-speaking hackers.
"The Sofacy group is using multiple malware families, including some that are not mentioned in the FireEye paper," Aleks Gostev, chief security expert in the Global Research and Analysis Team at Kaspersky Lab, told the Guardian.
"They have been very active lately and have registered many domains in order to launch phishing attacks."
Gostev said his team has also seen suggestions of a link between Sofacy and a group called Miniduke, which has been attempting to infiltrate a range of European targets and Nato.