FireEye has released a report which discusses the tools-of-the-trade used by what it names APT28, the group of Russian state-sponsored hackers who are carrying out hacks to further promote the Russian political agenda.
The report kicks off by highlighting that on 29 December 2016, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a Joint Analysis Report confirming FireEye’s long-held public assessment that the Russian Government sponsors APT28.
According to FireEye, the group is almost certainly comprised of a sophisticated and prolific set of developers and operators, and has historically collected intelligence on defence and geopolitical issues. APT28 espionage activity has primarily targeted entities in the US, Europe, and the countries of the former Soviet Union, including governments and militaries, defence attaches, media entities, and dissidents and figures opposed to the current Russian Government.
However FireEye notes a change in the group’s behaviour: “Over the past two years, Russia appears to have increasingly leveraged APT28 to conduct information operations commensurate with broader strategic military doctrine. After compromising a victim organisation, APT28 will steal internal data that is then leaked to further political narratives aligned with Russian interests.”
To date these have included the conflict in Syria, NATO-Ukraine relations, the European Union refugee and migrant crisis, the 2016 Olympics and Paralympics Russian athlete doping scandal, public accusations regarding Russian state-sponsored hacking, and the 2016 US presidential election.
FireEye says: “We have tracked and profiled this group through multiple investigations, endpoint and network detections, and continuous monitoring. Our visibility into APT28’s operations, which date to at least 2007, has allowed us to understand the group’s malware, operational changes and motivations.”
APT28 employs a suite of malware with features indicative of the group’s plans for continued operations, as well as the group’s access to resources and skilled developers.
Key characteristics of APT28’s toolset include: A flexible, modular framework that has allowed APT28 to consistently evolve its toolset since at least 2007; Use of a formal coding environment in which to develop tools, allowing the group to create and deploy custom modules within its backdoors; Incorporation of counter-analysis capabilities including runtime checks to identify an analysis environment, obfuscated strings unpacked at runtime and the inclusion of unused machine instructions to slow analysis; Code compiled during the normal working day in the Moscow time zone and within a Russian language build environment.
FireEye says 97 percent of APT28’s malware samples were compiled during the working week. Eighty-eight percent of samples compiled are between 8am and 6pm in the time zone that includes major Russian cities such as Moscow and St. Petersburg.
Some of the tools used by APT28 include, CHOPSTICK, which is a backdoor also known as Xagent, webhp, SPLM. EVILTOSS, another backdoor, also known as Sedreco, AZZY, Xagent, ADVSTORESHELL, NETUI. GAMEFISH, a backdoor also going by name of Sednit, Seduploader, JHUHUGIT, Sofacy.
SOURFACE, a downloader and older version of CORESHELL and Sofacy. OLDBAIT, which is a credential harvester also known as Sasfis. Finally CORESHELL, a downloader and newer version of SOURFACE, also known as Sofacy.
FireEye said: “APT28 continues to evolve its toolkit and refine its tactics in what is almost certainly an effort to protect its operational effectiveness in the face of heightened public exposure and scrutiny.”
In addition, FireEye notes the continued evolution of the group’s first stage tools where they might leverage zero-day vulnerabilities in Adobe Flash Player, Java, and Windows, use a profiling script to deploy zero-days and other tools more selectively, decreasing the chance that researchers and others will gain access to the group’s tools.
APT28 is increasing reliance on public code repositories, such as Carberp, PowerShell Empire, P.A.S. webshell, Metasploit modules, and others in a likely effort to accelerate their development cycle and provide plausible deniability.
It is also obtaining credentials through fabricated Google App authorisation and Oauth access requests that allow the group to bypass two-factor authentication and other security measures. Moving laterally through a network relying only on legitimate tools that already exist within the victim’s systems, at times forgoing their traditional toolset for the duration of the compromise.
These changes are not only indicative of APT28’s skills, resourcefulness, and desire to maintain operational effectiveness, but also highlight the longevity of the group’s mission and its intent to continue its activities for the foreseeable future.
FireEye concluded: “We have observed APT28 rely on four key tactics when attempting to compromise intended targets. These include sending spear-phishing emails that either deliver exploit documents that deploy malware onto a user’s systems, or contain a malicious URL designed to harvest the recipient’s email credentials and provide access to the their accounts.
“APT28 has also compromised and placed malware on legitimate websites intending to infect site visitors, and has gained access to organisations by compromising their web-facing servers.”