Tuesday, February 27, 2024

APT28 Hacking Group’s New Espionage Operations Targets Military and Government Organizations

Researchers uncovered new an Espionage Operations by an APT28 hacking group that targets Military and Government Organizations to exfiltrate the highly sensitive data.

APT28 has involved various cybercrime activities since 2007, but its public attention was started in 2016 since then they are involving very sophisticated cyber attack around the world.

APT28 also called as Fancy Bear, Sofacy Group, Sednit who is associated with the Russian military intelligence agency.

This cyber Espionage group was responsible for political targets against members of the Democratic National Committee (DNC).

They ware targeted via a malicious email campaign to trick recipients into supposedly changing their email passwords on a fake webmail domain.

Later they have accessed trick recipients into supposedly changing their email passwords on a fake webmail domain using stolen credentials to steal sensitive data and leaked it online.

APT28 hacking group

2017 and 2018 Activities – The APT28 Hacking Group

APT28 activities later continuing their operation in 2017 and 2018 with more sophisticated attacks with the ultimate motivation of intelligence gathering and targeting different organization.

  • A well-known international organization
  • Military targets in Europe
  • Governments in Europe
  • A government of a South American country
  • An embassy belonging to an Eastern European country

This group actively attack using a malware called Sofacy for various targets which contain two primary component,

  • Trojan.Sofacy  –  Basic reconnaissance on an infected computer and drop another malware.
  •  Backdoor.SofacyX – It is another malware using to steal the data from the infected computer.

According to Symantec, APT28 has continued to develop its tools over the past two years. For example, Trojan.Shunnael (aka X-Tunnel), malware used to maintain access to infected networks using an encrypted tunnel, underwent a rewrite to .NET.

Link with Earworm Espionage Operations

Researchers believe that APT28 might have a link with another cybercrime group called Earworm (aka Zebrocy).

Earworm actively attacking since 2016 and perform intelligence gathering operations against military targets in Europe, Central Asia, and Eastern Asia.

They are using  two different following malware component to infiltrate the target network,

  •  Trojan.Zekapab – capable of carrying out basic reconnaissance functions and downloading additional malware
  •  Backdoor.Zekapab – Taking screenshots, executing files and commands, uploading and downloading files, performing registry and file system operations

It is now clear that after being implicated in the U.S. presidential election attacks in late 2016, APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools, Symantec said.

Related Read

Hackers Offering Less than $150 to Hack Corporate Email Accounts – 12.5 Million Email Archive Files are Exposed

Hackers Selling Facebook Account Logins Details On Dark Web For $3


Latest articles

Zyxel Firewall Flaw Let Attackers Execute Remote Code

Four new vulnerabilities have been discovered in some of the Zyxel Firewall and access...

Hackers Abuse Telegram API To Exfiltrate User Information

Attackers have been using keywords like "remittance" and "receipts" to spread phishing scripts using...

ThreatHunter.ai Stops Hundreds of Attacks in 48 Hours: Fighting Ransomware and Nation-State Cyber Threats

The current large surge in cyber threats has left many organizations grappling for security...

WordPress Plugin Flaw Exposes 200,000+ Websites for Hacking

A critical security flaw has been identified in the Ultimate Member plugin for WordPress,...

Hackers Actively Hijacking ConnectWise ScreenConnect server

ConnectWise, a prominent software company, issued an urgent security bulletin on February 19, 2024,...

Heavily Obfuscated PIKABOT Evades EDR Protection

PIKABOT is a polymorphic malware that constantly modifies its code, making it hard to...

Anonymous Sudan Promoting New DDoS Botnet: Beware

It has come to light that a group known as Anonymous Sudan is actively...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles