Russian Fancy Bear APT linked to Earworm hacking group

The hacking rings may be separate but it seems they share a system or two in order to launch their attacks.
Written by Charlie Osborne, Contributing Writer

APT28, also known as Fancy Bear, has been connected to another threat group which is launching attacks against military targets in Europe and Asia.

Fancy Bear, which is also tracked under the names Sednit, STRONTIUM, and Sofacy, is a well-known hacking ring that is allegedly state-sponsored and backed by the Russian government.

The advanced persistent threat (APT) group, believed to have been active since at least 2004, has been connected to attacks against political bodies ahead of the 2016 US election, the World Anti-Doping Agency (WADA), and the Ukrainian military, among others, as well as extensive intelligence-gathering attacks across Asia, Europe, and the United States.

The group's hacking toolkit is extensive and includes double-agent software, Trojans, backdoors, and surveillance systems. Fancy Bear was also recently linked to the first case of a UEFI rootkit being detected in the wild.


In comparison, Earworm -- also known as Zebrocy -- has been active for just over two years and appears to focus on covertly gathering intelligence from targets in Europe and Asia by way of spear-phishing campaigns.

Other cybersecurity firms have previously applied the name Zebrocy to a malware family used by Fancy Bear, although it may be that the malware tools are linked to a different hacking group altogether and are simply a shared resource.


Researchers from Symantec say that despite the differences, these two threat groups appear to have some similar goals -- and are willing to share resources as a result.

On Thursday, the cybersecurity firm said that in 2016, the shared use of a single command-and-control (C2) server revealed some overlap between Earworm and Fancy Bear operations.

The two groups used the same infrastructure while conducting separate attacks.

According to ESET, Earworm has targeted embassies, ministries of foreign affairs, and diplomats in countries including Russia, Saudi Arabia, Serbia, Switzerland, Iran, and Ukraine.

The group uses only two malware tools: Trojan.Zekapab, a downloader component capable of basic surveillance functions, and Backdoor.Zekapab, a persistence module that is able to exfiltrate files, download and execute payloads, tamper with registries, and take screenshots.


It may not be that Earworm is connected to the Russian government in the same way as Fancy Bear, especially considering that Russian targets are on the hacking group's list. Perhaps, however, the criminal rings find there is intelligence to be gathered and money to be made in pooling their resources.
