Russia and its hackers have been popular in the news for the past several years. Whether allegedly influencing foreign elections or stealing intellectual property, its sphere of influence is worldwide.
But first a bit of history.
How did we get to this point in time? Countries have always engaged in clandestine activities to undermine or even overthrow neighboring governments. They have used deception and sometimes even force to accomplish their goals. So it was only a matter of time before technology was embraced as a tool to this end. And so began the partnership between hacker and government.
In 2009, Google China was hit by a security breach. Upon further investigation, it was determined that China was targeting the emails of individuals and groups who were focused on human rights and human rights violations. These Google users resided not just in China, but in the United States and Europe. Google had entered the Chinese market in 2006 subject to China’s strict internet policy. However, the resulting breach three years later caused the company to relocate its servers to Hong Kong.
One very active Russian hacker team is known by several names:
- APT28,
- Fancy Bear, or
It is best known for its 2016 attack on the Democratic National Committee's computers, but it has existed since at least 2007. The DNC has never allowed government agencies to analyze the computers, so it is difficult to determine the extent of the attack.
This group's signature is continually evolving its viruses and other malware into different threats. But in a nod to the past, it also reuses older malware that evades detection because it is no longer deemed a threat.
In the latter case, recent malware attacks from the group have focused on using an encrypted connection to carry the malware. This means that the malware is not detected while delivery is taking place. This type of attack had all but disappeared until it made a comeback in October and November of this year. The suspected targets were determined to be government entities in North America, Europe, and an unnamed former USSR state. In this particular phishing sweep, the malware showed evidence of both an evolution and the encrypted connection.
APT28’s New Trojan
It has been reported that APT28 has started to use a new Trojan named Cannon, as well as its favorite, Zebrocy, which it used to target government agencies in North America and Europe. Both Trojans download another wave of malware after a computer system has already been compromised. The difference between the two is that Cannon relies on accounts at legitimate email providers, which makes the malware harder to detect.
Another group of hackers, APT29, has a similar name. It had been very quiet since 2017 but appears to have come roaring back with a vengeance. Its targets have included:
- law enforcement,
- think tanks,
- drug companies,
- different media outlets, and
- contractors in the defense industry.
APT29, also known as Cozy Bear, is, like APT28, believed to be working on behalf of Russia's military intelligence service. The group has been operational since at least 2014.
This is how the latest malware worked: the email falsely appeared to come from the US State Department, from a well-known individual who is employed there. The email even included a legitimate US State Department form to lend it an air of authenticity. The email contained links that, when clicked, installed a Windows backdoor named Cobalt Strike on the device.
This attack closely resembles one from November 2016 that took advantage of a hacked email server at a hospital. In that case, the emails carried a ZIP archive, which in turn held a Windows shortcut file containing the malware payload.
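The delivery chain just described (email, then a ZIP archive, then a Windows shortcut that carries the payload) is something a mail gateway or SOC script can check for before the attachment ever reaches a user. The following is an added example written for this page, not code from the article or from any of the groups or vendors it mentions. It opens a ZIP attachment from memory and flags shortcut files by extension, shortcut files renamed to an innocent extension (recognised by the fixed header bytes every Windows .lnk file starts with), nested archives, and encrypted members that cannot be inspected. The sample archive it builds is constructed here purely so the check has something to run against.

```python
"""Flag Windows shortcut (.lnk) files hidden inside ZIP email attachments.

Added example for this page; not the article's code. The sample archive built
by build_sample_archive() is constructed for illustration only.
"""
import io
import zipfile

# Every Windows shortcut begins with HeaderSize 0x4C (little-endian) followed by
# the fixed ShellLink CLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_MAGIC = bytes.fromhex("4C0000000114020000000000C000000000000046")
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty ZIP


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Return findings for a ZIP attachment given as raw bytes.

    Each finding is {"member": <name or None>, "reason": <code>}; an empty list
    means nothing suspicious was found.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [{"member": None, "reason": "not_a_valid_zip"}]

    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith(".lnk"):
                findings.append({"member": name, "reason": "lnk_extension"})
            # Read only the first bytes of each member; the header check catches
            # shortcuts that were renamed to a harmless-looking extension.
            try:
                with archive.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            except RuntimeError:
                # Password-protected member: cannot be inspected, which is itself
                # a common way to slip payloads past scanners.
                findings.append({"member": name, "reason": "encrypted_member"})
                continue
            if head == LNK_MAGIC and not lower.endswith(".lnk"):
                findings.append({"member": name, "reason": "lnk_magic_renamed"})
            if head.startswith(ZIP_MAGIC):
                findings.append({"member": name, "reason": "nested_archive"})
    return findings


def build_sample_archive() -> bytes:
    """Constructed test input: a decoy PDF, a shortcut with a double extension,
    a shortcut renamed to .txt, and a nested ZIP."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header only; no real target path

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("inner.txt", b"nested content")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("form.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("document.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", fake_lnk)
        zf.writestr("attachments.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_archive()):
        print(f"{finding['reason']:18} {finding['member']}")
```

Run as a script it prints one line per finding; in a mail pipeline the same function would be called on each attachment body and any non-empty result would quarantine the message for review. Checking the header bytes rather than trusting the file name matters because the extension is under the sender's control.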
An interesting possibility is that these malware attacks are really false flags, intended to make them appear to come from state-sponsored hackers in Russia. The attacks are being published in the media in the hope that malware researchers can contribute their opinions on them.
Earlier in 2018, Microsoft acknowledged that it had helped the US government thwart attacks by Russian hackers against at least three politicians who were running in this year's midterm elections.
The software company attributed the attacks to members of the APT28 group, which it has nicknamed Strontium.
The attempts involved web domains that appeared to belong to the US Senate, to conservative think tanks, and even to a Microsoft product page, but in every case they were fake sites.
There was no evidence that the hackers successfully tricked any visitors into giving out personal information; the company acknowledged that the fake sites had been created recently and registered with major web-hosting companies. Microsoft's Digital Crimes Unit has used the US court system to seize and shut down 84 fake websites since 2016 that were allegedly created by the APT28 group of hackers.
While the Russian hackers seem to have their fingers in a lot of digital pies, it has become apparent that the biggest threat from them comes during the election cycle. Political campaigns usually do not have the funding required to mount a good defense against cyberattacks. While it may be possible to hack into voting machines, experts say it would be extremely unlikely that enough machines would be compromised to change the outcome of an election. All fifty states and some 1,000 local governments have opened a center to share and compare investigations and findings.
It is a game of cat and Russian mouse that continues unabated 24/7/365. Unrelenting vigilance is necessary to combat a threat that, according to Kirstjen Nielsen, Secretary of Homeland Security, has "democracy in the crosshairs".