NATO and UK defence groups hit by Russian cyber-attack

News by Tim Ring

NATO, UK defence attachés and even visitors to Counter Terror Expo and Farnborough Airshow were targeted by 'APT28' Russian state-backed spy group, says FireEye.

The clearest signal yet that the Russian government is launching cyber-attacks against western targets - including NATO, British defence attachés and even people attending events like the Farnborough Airshow - has been given by FireEye.

The malware protection company has released a detailed report on ‘APT28', a cyber espionage group which it says has been carrying out, “long-standing, focused operations that indicate a government sponsor – specifically, a government based in Moscow”.

Since 2007, APT28's East European targets have included the Polish and Hungarian governments, and Georgia's Ministries of Defence and Internal Affairs.

Its western targets include NATO and the OSCE (Organisation for Security and Cooperation in Europe) and other European security organisations.

Worryingly, the group's targets have also included British defence attachés and - based on domain names used by APT28 - defence events and exhibitions held in the UK, including the Farnborough Airshow 2014, the Counter Terror Expo and events run by London-based SMi.

FireEye's report says: “In September 2014, APT28 registered a domain ([.]uk) that appeared to mimic that for the SMi Group, a company that plans events for the defence, security, energy, utilities, finance and pharmaceutical sectors. Among other events, the SMi Group is currently planning a military satellite communications event for November 2014.”

This may be Global MilSatCom 2014, which is due to take place in London on 4-6 November. Scheduled attendees include representatives from the UK Ministry of Defence, Thales Communications and the European Defence Agency.

The FireEye report says: “Targeting organisations and professionals involved in these defence events would likely provide APT28 with an opportunity to procure intelligence pertaining to new defence technologies, as well as the victim organisations' operations, communications and future plans.”

FireEye says other likely targets of APT28 include the European Commission, World Bank, Norwegian Army and a European embassy in Iraq.

The group uses various data theft techniques, FireEye says, such as backdoors using the HTTP protocol and the victim's mail server, and local copying to defeat closed/air-gapped networks.

APT28 is believed to be the same group as that exposed by Trend Micro a few days ago, which planted the SEDNIT malware in a campaign Trend dubbed ‘Operation Pawn Storm'.

Cyber expert Mikko Hypponen, chief research officer at F-Secure, told via email: “APT28 is Sofacy (aka SEDNIT) which is believed to be somehow linked to Turla/Ultra. These are all Russian. The link to Sofacy can be confirmed from the APT28 report, as they mention as a vector of infection. This is a Sofacy domain.”

As such, APT28 joins a growing list of cyber-attacks launched from within Russia, such as the recent Sandworm group identified by iSIGHT Partners attacking NATO and others.

However, other researchers have been more loathe than FireEye to directly blame the Russian Government for such campaigns.

And Sean Sullivan, security adviser with F-Secure - which has investigated the Havex and Cosmic Duke malware attacks from the Russian region – questioned the strength of the attribution.

He told “When we've written about attacks in the past, we've been more circumspect - so it's Russian but not necessarily Russia. Is it an oligarch that's friendly with the Government or is it the Government? It's very hard to tell.

“FireEye may be going a bit further in saying a ‘government in Moscow'. I don't see anything compelling that it's officially the government.”

But Dan McWhorter, FireEye VP of threat intelligence, insists: “FireEye's report sheds light on cyber espionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks.”

FireEye's evidence includes the fact that APT28 focuses on collecting insider information related to governments, military and security organisations that would likely benefit the Russian Government, its consistent use of Russian language in malware, and that malware compile times correspond to the working day in Russian cities such as Moscow and St Petersburg.

Sullivan at F-Secure also commented on the fact that the volume of attacks from within Russia currently seems to be outstripping those identified from within China. But he does not see Russia taking over from China in terms of the cyber threat presented to the West.

Sullivan added: “Russia certainly has got greater capabilities, they have more expertise to build something more dangerous. There's a lot of expertise that can be called on and probably that expertise is more advanced than what China has.”

Jason Steer, director of technology strategy at FireEye, agreed with this analysis. He told “Russia and China have got very different focuses. For China the objective is much more about developing China as a nation, and having a first-world economy.

“For Russia ‘cyber' is just an extension of the espionage that Russia has been incredibly adept at for hundreds of years. It's just an extension of what they've been able to do with eavesdropping equipment, spy cameras and all the other techniques which we've watched on James Bond.

“Probably Russia are just a little bit more sophisticated and they probably want to be below the radar.”

Steer added: “The challenge for most governments in securing their infrastructure is - they don't pay the best wages, they don't attract the best so unfortunately most government organisations across the world are fairly easy to attack and successfully breach.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews