The Russian Connection: An In-depth Analysis On Present Cyber Threats
Or why reading this report can help you understand the importance of online security
Who can defend your online security in a virtual cyber war?
FireEye, one of the leading voices in cyber security and advanced malware protection, released at the end of October a security report on APT28, a professional cybercriminal group that specializes in targeting and stealing political and state secrets from Eastern European governments and Western security organizations, such as NATO and OSCE.
You can read the report for more details, but for the moment we would like to focus on its main ideas, so that you may understand the major implications of involving and using cybercriminal threats and groups to reach political goals.
Just another group of hackers. What’s new?
- The group targets political and state confidential data. The novelty lies in the different goal of this threat group. In contrast to most cybercriminal organizations and groups, which conduct phishing and malware campaigns for financial gain, this group targets political information.
- The group appears to be made up of professionals. The analyzed code suggests skilled developers, who constantly update the malicious software to complicate reverse engineering efforts.
- The group appears to be supported by the Russian government. The report not only exposes the main actions and methods employed in the attacks, but also presents evidence implying that this threat group is tied to and supported by the Russian state.
What are their main targets?
The report indicates the group targets political and military objectives in Georgia, Eastern European governments and military organizations.
- Georgia
This country has been targeted mainly through attempts to retrieve political and security information from the Ministry of Internal Affairs and the Ministry of Defense. The Georgian Ministry of Internal Affairs keeps sensitive data about the state’s security operations, and the Georgian Ministry of Defense is closely connected to the Georgian Armed Forces. Since the 2008 invasion of Georgia by Russian forces, these two departments of the Georgian government have been important targets for Russian intelligence.
- Eastern European Governments
The countries of Eastern Europe have long been under Russian economic, political and military influence. Since many of these countries, which were part of the Soviet Bloc, have joined NATO and the EU, Russia has tried to regain its lost influence. The main targets of the cybercriminal group were the Hungarian and Polish governments’ domains, for which it registered look-alike domains resembling the legitimate ones in order to steal important strategic information about these states’ political decisions.
- Military organizations: NATO, OSCE
Through its domain registrations, APT28 showed a strong interest in NATO and other European security organizations, such as OSCE. To obtain sensitive information about these two security organizations, this threat group registered domain names that imitate legitimate NATO websites.
An important military event targeted by APT28 was the Baltic Host exercise, a logistics planning event hosted annually by one of the three Baltic States. In 2014, this event was combined with a U.S. Army training event and focused on improving collaboration with NATO allies. The group registered a look-alike domain to target individuals who participated in the security exercises. The interest of the group was quite clear: it sought to retrieve strategic data on military capabilities in the region.
The Russian connection
The report from FireEye indicates the following connections between this cybercriminal group and the Russian political interests:
- There is consistent use of the Russian language in compiling malware over a period of 6 years.
- The malware samples’ compile times from 2007 to 2014 correspond to working hours in the Moscow and St. Petersburg areas.
- There is a strong correlation between malicious actions employed by APT28 and Russia’s political interests.
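The compile-time argument in the list above can be reproduced on any sample set by converting each sample's PE compile timestamp to a candidate time zone and checking how many fall inside a working day. The block below is an added example, not FireEye's code; it assumes a fixed UTC+3 offset for Moscow (labelled in the code) and uses constructed timestamps rather than the report's data.

```python
"""Profile PE compile timestamps against a candidate time zone (added
example, not FireEye's tooling; sample timestamps are constructed)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC+3. Moscow used UTC+4 from March 2011 to October
# 2014; for real samples prefer zoneinfo.ZoneInfo("Europe/Moscow").
MOSCOW_FIXED = timezone(timedelta(hours=3), "MSK")
WORK_START, WORK_END = 8, 18  # local hours counted as a working day

def _utc(*ymdhm):
    """Epoch seconds, as stored in PE FILE_HEADER.TimeDateStamp (UTC)."""
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())

# Constructed sample: eight inside a Moscow working day, one Saturday,
# one late evening.
SAMPLE_TIMESTAMPS = [
    _utc(2013, 3, 12, 6, 30), _utc(2013, 3, 12, 11, 5),
    _utc(2012, 11, 20, 13, 45), _utc(2012, 11, 21, 5, 10),
    _utc(2014, 1, 15, 14, 55), _utc(2013, 7, 3, 7, 20),
    _utc(2013, 7, 6, 8, 0), _utc(2012, 5, 10, 20, 30),
    _utc(2013, 10, 9, 12, 0), _utc(2013, 2, 5, 9, 40),
]

def hour_weekday_profile(timestamps, tz):
    """Samples per (weekday, hour) in tz; weekday Monday=0 .. Sunday=6."""
    prof = Counter()
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz=tz)
        prof[(local.weekday(), local.hour)] += 1
    return prof

def working_hours_ratio(timestamps, tz):
    """Fraction compiled Monday-Friday with WORK_START <= hour < WORK_END."""
    hits = sum(n for (wd, h), n in hour_weekday_profile(timestamps, tz).items()
               if wd < 5 and WORK_START <= h < WORK_END)
    return hits / len(timestamps)

def best_fitting_offset(timestamps):
    """Fixed UTC offset (hours) giving the highest working-hours ratio.
    A weak signal alone: timestamps are easily forged and neighbouring
    zones fit nearly as well, so corroborate with other evidence."""
    best = (None, -1.0)
    for off in range(-12, 15):
        ratio = working_hours_ratio(timestamps, timezone(timedelta(hours=off)))
        if ratio > best[1]:
            best = (off, ratio)
    return best
```

On the constructed sample the best-fitting offset is UTC+3 with 8 of 10 samples inside working hours; on real data the distribution over many samples and years matters more than any single hit.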
The latest events and security news from the online world have brought to attention a shadow cyber war taking place on the invisible front of the world wide web.
Though it may not seem like a serious threat to a private individual, cyber warfare involves actions taken by one state against another, and sooner or later the results will affect us all. So, who is responsible for our online security in cyberspace?
When a state employs online criminals or organizes threat forces against national institutions, how can an individual or the private sector maintain privacy and security?
Should we pick a side?
This post was originally published by Aurelian Neagu in November 2014.