FireEye research, analysis exposes long-standing operations by APT28 targeting government, military, and security groups of interest to Russia
FireEye, Inc., the leader in stopping today’s advanced cyber attacks, has released a comprehensive intelligence report assessing that an advanced persistent threat (APT) group is most likely sponsored by the Russian government.
The report – APT28: A Window into Russia’s Cyber Espionage Operations? – details the work of a team of skilled Russian developers and operators, designated by FireEye as APT28, that has been interested in collecting information from defence and geopolitical intelligence targets including the Republic of Georgia, Eastern European governments and militaries, and European security organisations, all areas which are of particular interest to the Russian government.
“Despite rumors of the Russian government’s alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage,” said Dan McWhorter, FireEye VP of Threat Intelligence. “FireEye’s latest advanced persistent threat report sheds light on cyber espionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks.”
This FireEye report offers details that likely link APT28, a threat group whose malware is already fairly well known in the cybersecurity community, to a government sponsor based in Moscow, exposing long-standing, focused operations that indicate government backing.
Unlike the China-based threat actors tracked by FireEye, APT28 does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting insider information related to governments, militaries, and security organisations that would likely benefit the Russian government.
The report analyses malware samples collected by FireEye whose characteristics indicate that the developers are Russian speakers and that they work during business hours consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg.
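The compile-time analysis described above rests on the COFF TimeDateStamp that every PE file carries. The following is an added example, not code from the FireEye report or its indicators: it reads that field from a set of samples, converts each timestamp to a fixed UTC+4 offset (an assumption here: Moscow observed UTC+4 from 2011 until October 2014, the period the constructed samples fall in), and counts how many fall on a weekday between 08:00 and 18:00 local time. The sample set is constructed for the example; the `build_pe_stub` fixture produces PE-shaped bytes with a valid header layout, not executables.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumptions for this example: Moscow observed UTC+4 from March 2011 until
# October 2014 (the period the constructed samples fall in), and a working
# day runs 08:00 to 18:00, Monday to Friday.
MOSCOW = timezone(timedelta(hours=4), name="MSK")
WORK_START, WORK_END = 8, 18


def build_pe_stub(timestamp: int) -> bytes:
    """Constructed, minimal PE-shaped bytes carrying a COFF TimeDateStamp.

    A test fixture, not an executable: a DOS header whose e_lfanew points at
    the PE signature, followed by the 20-byte COFF file header.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff_header


def compile_timestamp(pe: bytes) -> int:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch, UTC)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp follows the 4-byte signature, Machine (2) and NumberOfSections (2)
    (ts,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return ts


def local_compile_time(ts: int, tz: timezone = MOSCOW) -> datetime:
    return datetime.fromtimestamp(ts, tz=timezone.utc).astimezone(tz)


def business_hours_profile(pe_files, tz=MOSCOW, now=None):
    """Count how many samples were compiled during local working hours.

    Returns (in_hours, considered, skipped). Zero and future timestamps are
    skipped: the field is trivially forgeable, so it is only evidence in bulk
    and in agreement with other indicators.
    """
    now = now or datetime.now(timezone.utc)
    in_hours = considered = skipped = 0
    for pe in pe_files:
        ts = compile_timestamp(pe)
        if ts == 0 or datetime.fromtimestamp(ts, tz=timezone.utc) > now:
            skipped += 1
            continue
        considered += 1
        local = local_compile_time(ts, tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            in_hours += 1
    return in_hours, considered, skipped


# Constructed sample set: compile times chosen for the example, expressed in
# Moscow local time and converted to epoch seconds for the PE stub.
SAMPLE_LOCAL_TIMES = [
    datetime(2013, 9, 17, 10, 12, tzinfo=MOSCOW),  # Tuesday morning
    datetime(2013, 11, 5, 14, 40, tzinfo=MOSCOW),  # Tuesday afternoon
    datetime(2014, 2, 20, 17, 5, tzinfo=MOSCOW),   # Thursday, late afternoon
    datetime(2014, 6, 11, 9, 30, tzinfo=MOSCOW),   # Wednesday morning
    datetime(2014, 8, 3, 3, 0, tzinfo=MOSCOW),     # Sunday 03:00, outside hours
]
SAMPLES = [build_pe_stub(int(t.timestamp())) for t in SAMPLE_LOCAL_TIMES]
SAMPLES.append(build_pe_stub(0))  # zeroed timestamp, skipped as unusable

if __name__ == "__main__":
    hit, total, dropped = business_hours_profile(SAMPLES)
    print(f"{hit}/{total} samples compiled Mon-Fri "
          f"{WORK_START:02d}:00-{WORK_END:02d}:00 MSK; {dropped} skipped")
    for pe in SAMPLES[:-1]:
        print(local_compile_time(compile_timestamp(pe)).strftime("%a %Y-%m-%d %H:%M %Z"))
```

Two caveats a practitioner should keep in mind: the timestamp is a single 32-bit field the author can set to anything (some toolchains zero it or write a hash in its place), so the pattern only carries weight across many samples and alongside other evidence, and the offset must match the zone in force at compile time, since Russia's clock rules changed in both 2011 and 2014.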
FireEye experts also found that APT28 has systematically evolved its malware since 2007, using flexible and lasting platforms indicative of plans for long-term use and sophisticated coding practices that suggest an interest in complicating reverse engineering efforts.
In addition to the report, FireEye is releasing indicators that can be downloaded at https://github.com/fireeye/iocs
The full report, including examples of APT28 targeted attacks and malware indicators, can be accessed at http://www.fireeye.com/resources/pdfs/apt28.pdf