Military secrets theft hacking trail leads to Russia

FireEye has released a detailed report suggesting that state-sponsored attacks originating from Russia have focused on lifting military, government and security information.
Written by Charlie Osborne, Contributing Writer
Credit: CNET

Russia may be behind a long-standing, careful campaign designed to steal sensitive data relating to governments, militaries and security firms worldwide.

Security company FireEye's latest report (.PDF), titled "APT28: A window into Russia's cyberespionage operations?" details an Advanced Persistent Threat (APT), APT28, which the firm believes has been targeting institutions for confidential data over at least the last six years.

Targets include the Republic of Georgia, Eastern European governments and militaries, and European security organizations, all of which would plausibly be of interest to the Russian government. FireEye describes APT28's developers and operators as "skilled" and assesses that their work is most likely sponsored by a government based in Moscow.

"Despite rumours of the Russian government's alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage,” said Dan McWhorter, FireEye VP of Threat Intelligence.

"FireEye's latest advanced persistent threat report sheds light on cyber espionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks."

FireEye says that over half of the malware samples analyzed in order to track APT28 carried Russian-language settings, and that "a significant portion of APT28 malware was compiled in a Russian-language build environment consistently over the course of six years." In addition, 96 percent of the samples were compiled between Monday and Friday, during the 8am to 6pm working day in Moscow's timezone. Both figures come from metadata the build toolchain writes into the executable (the language settings and the compile timestamp), which an operator can alter, so they are indicators that support the attribution rather than proof of it.
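The compile-time analysis behind that 96 percent figure is simple to reproduce. The following is an added example written for this page, not code from FireEye or the report: it reads the COFF TimeDateStamp out of a PE header, converts it to the timezone under test, tallies weekday and business-hour hits, and scans candidate UTC offsets to show how a "Moscow working hours" hypothesis would be checked against the alternatives. It assumes Moscow time was UTC+4 (the offset in force from 2011 until October 2014, when the report appeared) and uses constructed header bytes and constructed timestamps, not real samples.

```python
"""Compile-timestamp pattern analysis over PE headers (added example).

Assumptions: Moscow = UTC+4 for the period in question; the PE images and
timestamps below are constructed test data, not APT28 samples.
"""
import struct
from datetime import datetime, timedelta, timezone

# Assumption: Moscow ran on UTC+4 year-round between 2011 and October 2014.
MOSCOW_2014 = timezone(timedelta(hours=4))


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Layout: 'MZ' at offset 0; e_lfanew (offset of the 'PE\\0\\0' signature) at
    0x3C; the 20-byte COFF header follows the signature, with TimeDateStamp at
    +4 after the two 2-byte fields Machine and NumberOfSections.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return stamp


def build_fake_pe(stamp: int) -> bytes:
    """Constructed header-only image carrying the given TimeDateStamp (test data)."""
    hdr = bytearray(0x40 + 4 + 20)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, 1, stamp)  # Machine=i386, 1 section, stamp
    return bytes(hdr)


def classify(stamp: int, tz=MOSCOW_2014):
    """Return (local datetime, is_weekday, is_business_hours) for a timestamp in tz."""
    local = datetime.fromtimestamp(stamp, tz)
    weekday = local.weekday() < 5          # Monday..Friday
    business = 8 <= local.hour < 18        # 08:00 <= t < 18:00 local
    return local, weekday, business


def work_hour_stats(stamps, tz=MOSCOW_2014):
    """Count samples compiled on a weekday, and on a weekday within business hours."""
    weekday = sum(1 for s in stamps if classify(s, tz)[1])
    weekday_business = sum(1 for s in stamps if all(classify(s, tz)[1:]))
    return {"total": len(stamps), "weekday": weekday, "weekday_business": weekday_business}


def best_offset(stamps):
    """Scan whole-hour UTC offsets and return (offset, hits) with the most
    weekday-business-hour compiles; the offset the operators actually keep
    should score highest if their build times follow a normal working day."""
    best = None
    for hours in range(-12, 15):
        hits = work_hour_stats(stamps, timezone(timedelta(hours=hours)))["weekday_business"]
        if best is None or hits > best[1]:
            best = (hours, hits)
    return best


def moscow(y, m, d, hh, mm):
    """Helper: epoch seconds for a constructed Moscow-local build time."""
    return int(datetime(y, m, d, hh, mm, tzinfo=MOSCOW_2014).timestamp())


# Constructed sample timestamps (Moscow local): four on weekdays during the
# working day, one weekday evening build, one Saturday build.
SAMPLE_STAMPS = [
    moscow(2013, 5, 14, 10, 30),   # Tuesday morning
    moscow(2013, 5, 17, 17, 59),   # Friday, end of day
    moscow(2013, 5, 18, 11, 0),    # Saturday
    moscow(2013, 5, 15, 22, 15),   # Wednesday night
    moscow(2012, 11, 20, 8, 30),   # Tuesday, start of day
    moscow(2013, 5, 16, 14, 45),   # Thursday afternoon
]


if __name__ == "__main__":
    stamps = [pe_timestamp(build_fake_pe(s)) for s in SAMPLE_STAMPS]
    print(work_hour_stats(stamps))
    print("best-fitting UTC offset:", best_offset(stamps))
```

Two caveats a practitioner applies to this kind of evidence: TimeDateStamp is a 4-byte field written by the linker and is trivially edited, zeroed or randomized by a careful operator, and a business-hours fit only discriminates between timezones several hours apart, so the scan above narrows a region rather than pointing at a city. The report combines this signal with the language settings and the victim set; on its own it would not carry the attribution.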

The APT28 campaign uses spearphishing emails to target victims, as well as malicious websites doctored to appear as legitimate news and politics websites.

The security team also states that APT28 has systematically evolved its malware since 2007, and that its flexible, long-lived tooling suggests the operators intend to keep collecting sensitive data for the long haul.

"Unlike the China-based threat actors tracked by FireEye, APT28 does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government," the report claims. "Specifically, FireEye found that since at least 2007, APT28 has been targeting insider information related to governments, militaries, and security organisations that would likely benefit the Russian government."

Read the full report (.PDF).
