The clearest signal yet that the Russian government is launching cyber-attacks against western targets - including NATO, British defence attachés and even people attending events like the Farnborough Airshow - has been given by FireEye.
The malware protection company has released a detailed report on ‘APT28’, a cyber espionage group which it says has been carrying out “long-standing, focused operations that indicate a government sponsor – specifically, a government based in Moscow”.
Since 2007, APT28's East European targets have included the Polish and Hungarian governments, and Georgia's Ministries of Defence and Internal Affairs.
Its western targets include NATO, the OSCE (Organisation for Security and Cooperation in Europe) and other European security organisations.
Worryingly, the group's targets have also included British defence attachés and - based on domain names used by APT28 - defence events and exhibitions held in the UK, including the Farnborough Airshow 2014, the Counter Terror Expo and events run by London-based SMi.
FireEye's report says: “In September 2014, APT28 registered a domain (smigrouponline.co[.]uk) that appeared to mimic that for the SMi Group, a company that plans events for the defence, security, energy, utilities, finance and pharmaceutical sectors. Among other events, the SMi Group is currently planning a military satellite communications event for November 2014.”
This may be Global MilSatCom 2014, which is due to take place in London on 4-6 November. Scheduled attendees include representatives from the UK Ministry of Defence, Thales Communications and the European Defence Agency.
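The attribution above rests partly on lookalike domains such as smigrouponline.co[.]uk that mimic a targeted organisation's name. The following Python is an added example, not code from the article or from FireEye, showing the kind of check a defender can run over DNS query logs to surface such domains: it undoes the “[.]” defanging used in threat reports, reduces a query name to its registrable label, folds common digit-for-letter substitutions, and flags names that either contain a watched brand token or are edit-similar to the organisation's own domain. The watch-list entries (the SMi Group's legitimate domain, the Farnborough entry) and the log lines are assumptions constructed for the example; only smigrouponline.co.uk comes from the report.

```python
import re
from difflib import SequenceMatcher

# Assumed watch-list: brand token -> the organisation's own registrable domain.
# Both entries are constructed for illustration, not taken from the FireEye report.
WATCHLIST = {
    "smigroup": "smi-online.co.uk",
    "farnborough": "farnborough.com",
}

# Small public-suffix table; a real deployment would use the Public Suffix List.
PUBLIC_SUFFIXES = (".co.uk", ".org.uk", ".com", ".net", ".org", ".info")

# Fold digit-for-letter substitutions commonly used in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed DNS resolver log: timestamp, client, the word "query", queried name.
SAMPLE_DNS_LOG = """\
2014-10-28T09:12:01Z 10.0.1.15 query smi-online.co.uk
2014-10-28T09:12:07Z 10.0.1.15 query mail.smi-online.co.uk
2014-10-28T09:13:44Z 10.0.1.22 query smigrouponline.co.uk
2014-10-28T09:14:02Z 10.0.1.22 query frnborough.com
2014-10-28T09:15:30Z 10.0.1.31 query example.net
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def normalise(domain: str) -> str:
    """Lower-case, undo the '[.]' defanging used in reports, strip a trailing dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable_label(domain: str) -> str:
    """Label just left of a known public suffix: 'smigrouponline' for smigrouponline.co.uk."""
    d = normalise(domain)
    for suffix in PUBLIC_SUFFIXES:
        if d.endswith(suffix):
            d = d[: -len(suffix)]
            break
    else:
        d = d.rsplit(".", 1)[0]  # unknown suffix: drop the last label only
    return d.rsplit(".", 1)[-1]


def lookalike_reason(domain: str):
    """Return why a domain resembles a watched brand, or None if it does not."""
    d = normalise(domain)
    # The organisation's own domains and their subdomains are never flagged.
    for legit in WATCHLIST.values():
        legit_norm = normalise(legit)
        if d == legit_norm or d.endswith("." + legit_norm):
            return None
    compact = registrable_label(d).translate(HOMOGLYPHS).replace("-", "")
    for brand, legit in WATCHLIST.items():
        if brand in compact:
            return f"contains brand token '{brand}' (legitimate: {legit})"
        legit_compact = registrable_label(legit).replace("-", "")
        ratio = SequenceMatcher(None, compact, legit_compact).ratio()
        if ratio >= 0.8:
            return f"edit-similar to {legit} (ratio {ratio:.2f})"
    return None


def scan_dns_log(text: str):
    """Return (client, normalised query name, reason) for each suspicious query."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reason = lookalike_reason(m.group("qname"))
        if reason:
            findings.append((m.group("client"), normalise(m.group("qname")), reason))
    return findings


if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {reason}")
```

The brand-token test catches names like smigrouponline.co.uk that embed the organisation's name inside a longer label, while the similarity ratio catches single-character drops or swaps that no token match would see; tune the 0.8 threshold against your own domain list, since short labels produce high ratios by chance.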
The FireEye report says: “Targeting organisations and professionals involved in these defence events would likely provide APT28 with an opportunity to procure intelligence pertaining to new defence technologies, as well as the victim organisations' operations, communications and future plans.”
FireEye says other likely targets of APT28 include the European Commission, World Bank, Norwegian Army and a European embassy in Iraq.
The group uses various data theft techniques, FireEye says, such as backdoors using the HTTP protocol and the victim's mail server, and local copying to defeat closed/air-gapped networks.
APT28 is believed to be the same group as that exposed by Trend Micro a few days ago, which planted the SEDNIT malware in a campaign Trend dubbed ‘Operation Pawn Storm’.
Cyber expert Mikko Hypponen, chief research officer at F-Secure, told SCMagazineUK.com via email: “APT28 is Sofacy (aka SEDNIT) which is believed to be somehow linked to Turla/Ultra. These are all Russian. The link to Sofacy can be confirmed from the APT28 report, as they mention Kavkazcentr.info as a vector of infection. This is a Sofacy domain.”
As such, APT28 joins a growing list of cyber-attack groups operating from within Russia, such as the recently identified Sandworm group, which iSIGHT Partners reported attacking NATO and others.