APT28 Timeline of Malicious Activity

Additional information and Indicators of Compromise associated with APT28 can be viewed by ThreatStream users here and here.

Overview
The Advanced Persistent Threat (APT) “APT28” (also known as Fancy Bear, Group 74, Pawn Storm, Sednit, Sofacy, Strontium, and Threat Group-4127) is one of the most prolific and sophisticated APT groups based on their large custom toolset, organized infrastructure, and ability to remain hidden on compromised networks. The group is believed to operate under the Main Intelligence Directorate (Glavnoye razvedyvatel’noye upravleniye: GRU), the foreign intelligence agency of the Russian armed forces, and has been active since at least 2007.

They have engaged in long-running cyber espionage campaigns, such as Operation Pawn Storm, and have targeted some of the world’s largest political organizations, such as the U.S. Senate and the Democratic National Committee (DNC). The group primarily targets governmental and political organizations, but defense contractors, media organizations, and Non-Governmental Organizations (NGOs) have also been targeted. This report serves as a timeline of APT28 malicious activity from the first report discussing the group up to the end of February 2018.

The image below briefly summarizes reported APT28 activity from when they were first reported on in 2014, up to the end of September 2018.

Figure 1 - Summary of APT28 Malicious Activity


Figure 2 - Summary of APT28 Malicious Activity in 2018


Figure 3 - Summary of APT28 Malicious Activity in 2018 (continued)

Up to 2014
In 2014, Trend Micro researchers published their findings regarding a cyber espionage campaign dubbed “Operation Pawn Storm” that is attributed to APT28 and is believed to have begun in at least 2004. The group used geopolitical-themed spear phishing emails that would be relevant to the recipient to lure them into opening a malicious file attachment that contained the group’s custom backdoor and information-stealing malware “Sednit.” The group was also found to have created fake Outlook Web Access login pages, linked to from phishing emails, to steal user credentials. Lastly, the group created two malicious iOS applications: one called “XAgent” and another that impersonated an authentic iOS game called “MadCap.” Both applications were found to contain Sednit. Operation Pawn Storm is believed to still be ongoing.

APT28 has conducted multiple malicious campaigns against numerous targets, and some of the earliest identified attacks took place in 2014. In June and September 2014, APT28 used a custom exploit kit, dubbed “Sedkit,” in combination with strategic web compromise attacks on websites of the Polish government and the energy company “Power Exchange” to deliver the group’s custom “Sofacy” malware.

From October 2014 through September 2015, FireEye researchers discovered that changes had been made to the DNS records of the Kyrgyzstan Ministry of Foreign Affairs, indicating that APT28 had intercepted the ministry’s emails. This was accomplished by modifying records on the ministry’s authoritative DNS servers.

The Ukrainian Central Election Commission (CEC) was attacked in May 2014, purportedly by the Russian hacktivist group “CyberBerkut.” However, the network activity appeared indicative of APT28. While attribution may remain unclear, what is known is that threat actors were able to compromise a CEC system, destroy data, leak data, conduct Distributed Denial-of-Service (DDoS) attacks against the CEC, and attempt to deface the CEC website with fake election results.

2015
While Operation Pawn Storm was still observed to be ongoing in 2015, another separate campaign was also identified. This campaign, dubbed “Operation RussianDoll,” exploited a zero-day vulnerability in Adobe Flash Player (CVE-2015-3043) that first required a target to click on a link leading to a website controlled by the group. The group then used a Windows privilege escalation vulnerability (CVE-2015-1701) to deliver a malware family that shares characteristics with the group’s custom backdoors “Chopstick” and “Coreshell.” This operation was conducted against an unnamed “international government entity.”

In April 2015, a threat group calling themselves the “CyberCaliphate” claimed responsibility for defacing the television network TV5Monde’s websites and social media profiles. The attack forced the company’s 11 broadcast channels offline. In February, researchers identified that APT28 had compromised TV5Monde’s network because the group’s Coreshell malware was observed beaconing from the company’s network. Additionally, researchers found that registration information for CyberCaliphate’s website coincided with registration data associated with APT28 infrastructure. Researchers believe that this may have been an attempt by APT28 to hide their activity via misattribution, or that APT28 is masquerading as the CyberCaliphate.

Germany’s Federal Office for Security in Information Technology (BSI) announced in June 2015 that APT28 was behind a spear phishing campaign that targeted multiple German political parties. The head of Germany’s domestic intelligence agency “Bundesamt für Verfassungsschutz” (BfV) also stated that it believes that APT28 compromised the “Bundestag’s” (German parliament) network in June 2015.

The following month in July 2015, APT28 registered two domains “nato-news[.]com” and “bbc-press[.]org” as part of a targeted attack. The group used the websites to host an Adobe Flash zero-day exploit to target the Afghan Ministry of Foreign Affairs, NATO, and the Pakistani military.

The final malicious operation identified in 2015 was the sending of spear phishing emails to the musical and feminist protest group “Pussy Riot.”

2016
From March through November 2016, APT28 conducted a large-scale phishing campaign that targeted the U.S. Democratic political party. Specifically, the U.S. intelligence community discovered that Hillary Clinton’s presidential campaign chairman, John Podesta, had his email account compromised. APT28 used shortened URLs to lure phishing recipients into visiting malicious locations. From October to early November 2016, WikiLeaks published 34 instances of email conversations that were stolen from John Podesta, former U.S. Secretary of State Colin Powell, and Clinton’s campaign employee William Rinehart, among others, on the “DC Leaks” website.

In June 2016, the U.S. Democratic National Committee (DNC) announced that it had suffered a network compromise. An investigation revealed evidence of two separate breaches; one conducted by APT28 and the other by another Russian APT “Cozy Bear” (APT29). The DNC breach and theft of documents, which were later published by WikiLeaks, was claimed by the threat actor known as “Guccifer 2.0.”

The World Anti-Doping Agency (WADA) announced on September 13, 2016, that its network had been compromised by APT28. WADA announced that athlete medical data had been accessed. The “Fancy Bear” threat group, known to be an alias of APT28, claimed responsibility for compromising WADA’s network and released athletes’ medical data. Fancy Bear claimed that this was done to provide “proof of American athletes taking doping.”

Other malicious operations that occurred in 2016 include the breach of the Organization for Security and Cooperation in Europe (OSCE) and the targeting of Germany’s Christian Democratic Union (CDU). In the latter campaign, APT28 created a fake CDU email server that was used to send phishing emails to CDU members. The objective of this campaign was to steal CDU member email account credentials. The spear phishing emails carried a malicious, macro-based document that impersonated a hotel reservation. If macros were enabled, the recipient would be infected with the group’s custom “Gamefish” (Sednit) backdoor. The group was also observed using the open source tool “Responder” to move laterally on the network.

2017
In August 2017, FireEye researchers published information detailing a campaign targeting the hospitality sector with the objective of then targeting individuals staying in hotels throughout Europe and the Middle East. The campaign was found to have begun in at least July 2017. In this campaign, APT28 sent spear phishing emails to hospitality organizations. The group also used the “EternalBlue” exploit, associated with the U.S. National Security Agency (NSA) and leaked by the “Shadow Brokers” threat group, to move laterally on the network.

APT28 has added new targets in its cyber espionage campaign “Operation Pawn Storm,” according to Trend Micro researchers. The group was observed targeting an unnamed Non-Governmental Organization (NGO) in the Netherlands, as well as the United States Senate. The NGO was targeted with phishing emails designed to steal user credentials in October and November 2017. The emails purported to be a message from the recipient’s Microsoft Exchange server regarding an expired password. Another claimed that there is a new file on the recipient’s “Microsoft OneDrive” system, and provided a link to view the supposed file. The group also targeted the U.S. Senate with a phishing website that impersonated the Active Directory Federation Services (ADFS). During the Iranian elections in May 2017, APT28 created a phishing website targeting “chmail[.]ir” users one day prior to the election on May 18, 2017.

APT28 was discovered to have targeted multiple International Olympic Winter Sports Federations, including the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation, and the International Luge Federation. This targeting preference may be in response to Russia being banned from the 2018 Winter Olympics in South Korea.

2018
In early February 2018, Palo Alto Unit 42 researchers identified a new cyber espionage campaign in which APT28 is targeting Ministries of Foreign Affairs located around the globe. To target said Ministries, APT28 distributes Microsoft Excel (.xls) documents containing malicious macros, sent from an email address that purports to belong to Jane’s 360 defense events. The documents were found to have been created with an open source office document generating tool called “Luckystrike.” Enabling the macro fills in the cells with text regarding “Upcoming Events” relevant to the recipient while simultaneously using the content of the cells in column 170, rows 2227 to 2248, to retrieve a base64-encoded payload. The macro writes the base64 payload to a randomly named “.txt” file in the “C:\Programdata” folder. Next, the macro uses the command “certutil -decode” to decode the payload and move it to a randomly named file with a “.exe” extension in the “C:\Programdata” folder.

The dropped executable is a loader trojan that will install and run the primary malicious payload which was observed to be a variant of the group’s custom “Carberp” (SofacyCarberp) backdoor. The backdoor will gather system information of the infected machine and send it to a C2 to discern which payload should be downloaded next to best accomplish the group’s objectives.
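The certutil decoding step in the chain described above is a useful detection point, because certutil writing a decoded executable under C:\ProgramData on behalf of an Office process is rare in legitimate use. The following is an added example, not code from the original report or from Palo Alto: it scans constructed process-creation records for that pattern and scores each match by the number of indicators it satisfies. The record layout (image|parent_image|command_line), the field names, the sample paths and the random-looking file names are all assumptions made for the example.

```python
"""Detect the certutil-based payload decoding chain described above.

Added example; not code from the original report or from any vendor.
Events are constructed image|parent_image|command_line lines, loosely
modelled on Windows process-creation telemetry; the layout, paths and
file names are assumptions.
"""
import re

# Constructed sample events. The third and fourth follow the described chain
# (Excel macro -> certutil -decode -> .exe under C:\ProgramData); the others are
# benign certutil or Office activity that must not be flagged.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|'
    r'certutil -urlcache -split -f https://pki.example.invalid/ca.crt ca.crt',
    r'C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|'
    r'certutil -decode C:\Users\admin\cert.b64 C:\Users\admin\cert.cer',
    r'C:\Windows\System32\certutil.exe|C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|'
    r'certutil -decode C:\Programdata\kXq29d.txt C:\Programdata\Ypw71s.exe',
    # Same chain written with the en dash that appears in the report text; the
    # rule accepts the hyphen, slash and en dash forms of the switch.
    r'C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|'
    r'certutil –decode C:\Programdata\m4Lq.txt C:\Programdata\Rz8T.exe',
    r'C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|C:\Windows\explorer.exe|'
    r'"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE" Upcoming_Events.xls',
]

# -decode / /decode / –decode (and -decodehex) as a stand-alone switch.
DECODE_FLAG = re.compile(r'(?:^|\s)[-/\u2013]decode(?:hex)?(?=\s|$)', re.IGNORECASE)
PROGRAMDATA_PATH = re.compile(r'c:\\programdata\\', re.IGNORECASE)
EXE_OUTPUT = re.compile(r'\.exe"?\s*$', re.IGNORECASE)
OFFICE_PARENTS = {'excel.exe', 'winword.exe', 'powerpnt.exe'}


def parse_event(line):
    """Split one constructed record into its three fields."""
    image, parent_image, command_line = line.split('|', 2)
    return {'image': image, 'parent_image': parent_image, 'command_line': command_line}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit('\\', 1)[-1].lower()


def certutil_decode_reasons(event):
    """Return the indicators one event matches; an empty list means no match."""
    if basename(event['image']) != 'certutil.exe':
        return []
    cmd = event['command_line']
    if not DECODE_FLAG.search(cmd):
        return []  # certutil doing something other than decoding
    reasons = ['certutil invoked with -decode']
    if PROGRAMDATA_PATH.search(cmd):
        reasons.append('input or output path under C:\\ProgramData')
    if EXE_OUTPUT.search(cmd):
        reasons.append('decoded output written with a .exe extension')
    parent = basename(event['parent_image'])
    if parent in OFFICE_PARENTS:
        reasons.append(f'spawned by Office application {parent}')
    return reasons


def detect(lines, min_reasons=2):
    """Return (command_line, reasons) for events matching at least min_reasons
    indicators. An administrator's lone -decode scores 1 and is dropped at the
    default threshold; the macro chain scores 3 or 4."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = certutil_decode_reasons(event)
        if len(reasons) >= min_reasons:
            hits.append((event['command_line'], reasons))
    return hits


if __name__ == '__main__':
    for command_line, reasons in detect(SAMPLE_EVENTS):
        print(command_line)
        for reason in reasons:
            print('   -', reason)
```

The threshold is the tuning knob: at the default of two indicators the benign administrator decode is ignored, while lowering it to one surfaces every certutil decode for review in environments where that command is unusual.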

Of the targeted Ministries of Foreign Affairs, researchers noted that one was located in Europe and another in North America. Palo Alto’s report came on the same day that the German media company “Deutsche Welle” published an article discussing how APT28 was able to access the “Informationsverbund Berlin-Bonn” (IVBB) network, which is used solely by the Chancellery, the German parliament, federal ministries, the Federal Audit Office, and several other security entities in Berlin and Bonn. APT28 is reported to have placed malware inside the IVBB in December 2017. Said malware is believed to have been present inside the IVBB until February 28, 2018.

The following month, in March 2018, APT28 continued with phishing emails but changed both the theme of the emails and the malware being propagated. On March 12 and 14, APT28 was identified to have distributed phishing emails to an unnamed European government agency. The emails attempted to convince the recipient to open a Microsoft Word document titled “Defence & Security Conference Agenda”; the information in the document appears to have been copied from a website for the “Underwater Defence & Security 2018 Conference.” In this campaign, APT28 introduced new tactics in the use of their “DealersChoice” exploit platform. In previous campaigns that used DealersChoice, the platform would exploit Adobe Flash objects contained inside the distributed documents, which would load as soon as the document was opened. In this campaign, the Flash object is only loaded if the recipient scrolls through all three pages of the document to reach the final page that contains the Flash object. DealersChoice itself was a modified version of “ActionScript,” an open source video player, extended with code capable of loading an embedded Flash object. APT28’s purpose in launching Flash objects is to have DealersChoice (with ActionScript) load said Flash object, which subsequently uses ActionScript to steal system data and send it back to a C2 server.

One of the largest campaigns reported on in 2018 was the discovery of a botnet consisting of approximately 500,000 devices, reported on May 23. The malware responsible for creating the botnet was dubbed “VPNFilter” and specifically targeted numerous kinds of Network-attached Storage (NAS) devices and routers. Cisco Talos researchers observed that the VPNFilter code had some overlap with “BlackEnergy,” the malware that targeted the Ukrainian power grid in the winter of 2015-2016 and is believed to have been used by Russian threat actors according to the US Department of Homeland Security. This connection led researchers to contend that APT28 may have been responsible for the malware and botnet. VPNFilter is a complex malware with multiple malicious capabilities and stages. Stage one is used to infect a device and gain persistence (a hard reset of an infected device was reported to remove stage one); the stage two malware supports plugin features capable of sniffing network packets and intercepting traffic, monitoring Modbus SCADA protocols, and communicating with a C2 via Tor. Stage two also contains a wiper feature that can overwrite a section of a device’s firmware and reboot the device, rendering it unusable because the overwritten portion is replaced with junk data that prevents the device from booting. The FBI obtained an affidavit to take control of VPNFilter’s C2 domain (toknowall[.]com) to prevent infected devices from receiving additional commands.

By June 2018, APT28 was found to have launched a new phishing campaign that distributed a tool called “Zebrocy.” The infection vector is similar to other APT28 phishing campaigns in that the phishing emails carry Microsoft Office attachments with macros, archive files, or executable files. Zebrocy functions as a loader that is capable of downloading different malware onto an infected machine. Zebrocy consists of three components: a Delphi downloader, an AutoIt downloader, and a Delphi backdoor. Zebrocy is also capable of downloading the group’s exploit platform “DealersChoice.” These first-stage droppers are then used to download the group’s second-stage malware “XAgent,” potentially followed by the “XTunnel” malware used for lateral movement. APT28 also utilized a Dynamic Data Exchange (DDE) exploit delivered via Office documents in phishing emails to distribute Zebrocy or an open source penetration testing tool called “Koadic.”

Also in June, but not reported on in open sources until July, APT28 was found to have updated their custom modular backdoor family “XAgent/X-Agent” (Chopstick). While the distribution method was not reported, it is likely that it was propagated via phishing emails; XAgent is installed by a first-stage Delphi dropper. XAgent was observed to use the HTTPS protocol for its C2 communications to prevent security personnel and researchers from eavesdropping on the traffic. However, C2 names were identified, and the name of one of them, “marina-info[.]net,” leads researchers to believe that this updated version of XAgent was used to target the Italian Marina Militare (Italian military corps) or at least entities associated with it.

APT28 is perhaps most well-known for their targeting of the Democratic National Committee (DNC) in 2016, and the theme of targeting U.S. political entities resurfaced in August 2018. Microsoft researchers discovered that APT28 had registered domains associated with phishing campaigns and were able to shut down six of them. Each of the domains was themed around a discernible target. One appeared similar to the domain for the International Republican Institute (IRI), another impersonated the Hudson Institute, and the remaining four attempted to masquerade as domains that would be part of the U.S. Senate’s IT infrastructure.

By September 2018, APT28 was once again found to be conducting malicious activity with a new custom rootkit dubbed “LoJax,” after the anti-theft software “LoJack” which was abused by APT28 in previous instances. LoJax is unique in that it is the first rootkit observed in the wild to target the Unified Extensible Firmware Interface (UEFI), the firmware layer that connects a machine’s hardware to its operating system. Targeting the UEFI specifically allows LoJax to run every time an infected machine is turned on. LoJax maintains persistence on a machine by being embedded into the Serial Peripheral Interface (SPI) where the UEFI firmware is located. To access the UEFI settings, APT28 used the kernel driver of the “RWEverything” tool to manipulate the settings for persistence. The RWEverything tool is used because it is signed with a valid certificate, making potential malicious behavior more difficult to identify. Lastly, if write operations to the UEFI settings are denied, the now malicious RWEverything tool exploits a UEFI race condition vulnerability registered as “CVE-2014-8273.” Exploitation of the vulnerability bypasses potential setting-manipulation defenses and allows LoJax to achieve its objective of dropping malware into the Windows operating system and ensuring that it is executed every time an infected machine is turned on.

APT28 was also found to have added new features to the VPNFilter malware in September, specifically third-stage modules to conduct different malicious activity, according to Cisco Talos researchers. The new capabilities include: mapping networks and exploiting endpoint systems connected to a device infected with VPNFilter; new obfuscation and encryption techniques used to conceal C2 communication and data theft; tools used for lateral movement to identify potential new targets on a network or “new edge devices in other networks of interest”; and the ability to build a distributed network of proxies that could be used in future attacks to make an attack appear as if it was conducted by VPNFilter by obfuscating traffic.

Figure 4 - Phishing Email Attachment “Hotel_Reservation_Form.doc.”

Figure 5 - Attachment “Hotel_Reservation_Form.doc” Properties

Analysis
The sophistication of APT28 is evident in their long-standing cyber espionage campaign (Operation Pawn Storm) and their ability to create custom tools to conduct malicious activity and avoid detection. Their choice of targets can also potentially be tied to geopolitical events surrounding the Russian government. For example, their targeting of the U.S. DNC is viewed by many as an attempt to slander the presidential candidate Hillary Clinton and thus assist Donald Trump in winning the presidency. While this is a heated debate, it does appear to coincide with some of the comments President Trump has made in regards to improving relations with Russia. Another example can be observed in APT28’s targeting of WADA in 2016 under the alias “Fancy Bear.” This targeting appears to coincide with Russian athletes being banned from the Rio Summer Olympics for doping. In addition, the same coincidence can be found in the group’s targeting of international winter sport organizations, as some Russian athletes were banned from competing over doping allegations.
