Russian APT activity is resurgent, researchers say

Cybersecurity researchers have detected new spearphishing and malicious-email campaigns associated with two Russian-government-linked hacking groups known for breaching the Democratic National Committee in 2016.

One campaign spotted by Palo Alto Networks featured a wave of malicious documents targeting government organizations in Europe, North America, and an unnamed former Soviet state. The documents, which researchers intercepted in late October and early November, delivered a variant of the Zebrocy Trojan that takes screenshots of the infected machine and sends them back to a command-and-control server.

Unit 42, Palo Alto Networks’ intelligence team, tied the malicious-email campaign to the Sofacy Group, a Russian hacking outfit also known as APT28 and Fancy Bear, which has deployed Zebrocy.

Meanwhile, FireEye researchers on Monday published details on a spearphishing offensive that had technical similarities with a 2016 campaign from the APT29 Russian hacking group.

Western governments have attributed APT28 and APT29 to different parts of Russia's intelligence services; U.S. indictments tie APT28's 2016 activity to the GRU, Russia's military intelligence agency.

The campaign tracked by FireEye sent malicious emails purporting to be from a State Department public affairs official. The offensive targeted a range of sectors, from the U.S. military and defense contractors, to the law enforcement, media, transportation, and pharmaceutical industries, FireEye said.

Russian hackers carried out a 2014 breach of the State Department's unclassified computer system, according to reporting from The Washington Post and The New York Times. FireEye said there is no indication that State Department networks were used in the newly uncovered campaign.

“The attacker appears to have compromised the email provider for a hospital and the corporate website of a consulting company, in order to use their infrastructure to send phishing emails,” FireEye analysts wrote in a blog.

If confirmed, FireEye said it would be the first known activity from APT29, also known as Cozy Bear, in more than a year. But FireEye, which is still analyzing the activity, is not certain that APT29 is the culprit. Whoever is responsible reused some old APT29 phishing tactics, techniques and procedures.

“[S]eemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services,” the researchers wrote.

One of the FireEye researchers, Andrew Thompson, tweeted multiple hypotheses the FireEye team considered in attributing the activity. One theory held that an unidentified threat actor emulated APT29 in an attack Thompson said was “technically feasible.”

But that seems unlikely, he added, because “we had no evidence to support the idea that an actor stole intrusion data in order to project as APT29.”

Thompson said his “leading hypothesis” is that APT29 is behind the spearphishing and that the group intentionally reused an old tactic “with the intent of causing doubt and dissent within the security community.”

The research comes as the Department of Justice has steadily built criminal cases against Russian hacking operations. DOJ has charged more than a dozen Russian intelligence officers with hacking in the last five months, including for their alleged role in the breach of DNC and other political organizations in 2016.
