Researchers uncovered new an Espionage Operations by an APT28 hacking group that targets Military and Government Organizations to exfiltrate the highly sensitive data.
APT28 has involved various cybercrime activities since 2007, but its public attention was started in 2016 since then they are involving very sophisticated cyber attack around the world.
APT28 also called as Fancy Bear, Sofacy Group, Sednit who is associated with the Russian military intelligence agency.
This cyber Espionage group was responsible for political targets against members of the Democratic National Committee (DNC).
They ware targeted via a malicious email campaign to trick recipients into supposedly changing their email passwords on a fake webmail domain.
Later they have accessed trick recipients into supposedly changing their email passwords on a fake webmail domain using stolen credentials to steal sensitive data and leaked it online.
2017 and 2018 Activities – The APT28 Hacking Group
APT28 activities later continuing their operation in 2017 and 2018 with more sophisticated attacks with the ultimate motivation of intelligence gathering and targeting different organization.
- A well-known international organization
- Military targets in Europe
- Governments in Europe
- A government of a South American country
- An embassy belonging to an Eastern European country
This group actively attack using a malware called Sofacy for various targets which contain two primary component,
- . Trojan.Sofacy – Basic reconnaissance on an infected computer and drop another malware.
- Backdoor.SofacyX – It is another malware using to steal the data from the infected computer.
According to Symantec, APT28 has continued to develop its tools over the past two years. For example, Trojan.Shunnael (aka X-Tunnel), malware used to maintain access to infected networks using an encrypted tunnel, underwent a rewrite to .NET.
Link with Earworm Espionage Operations
Researchers believe that APT28 might have a link with another cybercrime group called Earworm (aka Zebrocy).
Earworm actively attacking since 2016 and perform intelligence gathering operations against military targets in Europe, Central Asia, and Eastern Asia.
They are using two different following malware component to infiltrate the target network,
- Trojan.Zekapab – capable of carrying out basic reconnaissance functions and downloading additional malware
- Backdoor.Zekapab – Taking screenshots, executing files and commands, uploading and downloading files, performing registry and file system operations
It is now clear that after being implicated in the U.S. presidential election attacks in late 2016, APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools, Symantec said.