In 2017 and 2018, a Russian cyber-espionage group believed to be government-backed engaged in covert attacks targeting military and government organizations in Europe and South America, Symantec warns.
Tracked as APT28 but also referred to as Fancy Bear, Swallowtail, Strontium, Sofacy and Sednit, the group was accused of targeting the Democratic National Committee (DNC) during the 2016 Presidential elections in the United States.
Unlike the 2016 attacks, however, the campaigns the group has conducted this year and the last were low-key intelligence-gathering operations, a new Symantec report reveals.
The assaults, the security firm says, hit a well-known international organization, as well as military targets and governments in Europe, a government of a South American country, and an embassy belonging to an Eastern European country.
According to Symantec, between 2007 and 2016, Fancy Bear conducted intelligence-gathering operations, and the targeting of the DNC marked a major change in the group’s activity. Also in 2016, the group targeted the World Anti-Doping Agency (WADA) and leaked confidential drug testing information.
“After receiving an unprecedented amount of attention in 2016, APT28 has continued to mount operations during 2017 and 2018. However, the group’s activities since the beginning of 2017 have again become more covert and appear to be mainly motivated by intelligence gathering,” Symantec notes.
Despite the recent change in tactics, the actor remains focused on expanding its tools portfolio. Last week, ESET revealed that Fancy Bear is the first threat actor to have used a Unified Extensible Firmware Interface (UEFI) rootkit in a malicious campaign.
The hackers updated other tools as well over the past couple of years, including XTunnel (Trojan.Shunnael), which was specifically built to compromise the DNC network. The malicious tool was completely rewritten in .NET.
Some security researchers attribute the Zebrocy malware to Fancy Bear, but Symantec claims that another group is responsible for this threat, namely Earworm (aka Zebrocy).
Active since at least May 2016 and focused on military targets in Europe, Central Asia, and Eastern Asia, the group is apparently involved in operations that differ from those of Fancy Bear. Despite that, Symantec did notice command and control (C&C) overlaps between the two groups, which suggests a potential connection between them.
“It is now clear that after being implicated in the U.S. presidential election attacks in late 2016, APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools. This ongoing activity and the fact that APT28 continues to refine its toolset means that the group will likely continue to pose a significant threat to nation state targets,” Symantec concludes.
Source: infosec island