Russian-based cyber spies going after military, intelligence targets

FireEye today released a comprehensive intelligence report that assesses that an advanced persistent threat (APT) group may be sponsored by the Russian government.

The report – APT28: A Window into Russia’s Cyber Espionage Operations? – details the work of a team of skilled Russian developers and operators, designated by FireEye as APT28, that has been interested in collecting information from defense and geopolitical intelligence targets including the Republic of Georgia, Eastern European governments and militaries, and European security organizations, all areas of particular interest to the Russian government.

“Despite rumors of the Russian government’s alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage,” said Dan McWhorter, FireEye VP of Threat Intelligence. “FireEye’s latest advanced persistent threat report sheds light on cyber espionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks.”

This FireEye report offers details that likely link APT28 — a threat group whose malware is already fairly well-known in the cybersecurity community — with a government sponsor based in Moscow, exposing long-standing, focused operations that indicate government backing.

Unlike the China-based threat actors tracked by FireEye, APT28 does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.

Specifically, FireEye found that since at least 2007, APT28 has been targeting insider information related to governments, militaries, and security organizations that would likely benefit the Russian government.

The report includes malware samples compiled by FireEye that indicate that the developers are Russian language speakers who are operating during business hours consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg.

FireEye experts also found that APT28 has systematically evolved its malware since 2007, using flexible and lasting platforms indicative of plans for long-term use and sophisticated coding practices that suggest an interest in complicating reverse engineering efforts.

The full report, including examples of APT28 targeted attacks and malware indicators, can be accessed here.