Private sector cybersecurity researchers are closely monitoring ongoing digital intrusions to see if any share similarities with cyberattacks conducted by the infamous hacking group known as APT28, or Fancy Bear — which is best known for breaching the Democratic National Committee.
After mass attention from the media, a comprehensive U.S. intelligence investigation and pressure from the White House, many of APT28’s known digital tools, tactics and other characteristics have been made public.
While a wealth of information is now openly available about the hacking group, from both an analytical and a strategic viewpoint, cybersecurity experts tell CyberScoop that APT28’s future operations will nevertheless remain difficult to track.
“This is a highly innovative, technologically advanced group that is known to rapidly procure and drop zero-days,” said FireEye intelligence analyst Jonathan Wrolstad. “They’ve shown an incredible capability in the past to adapt, evolve and change in real time based on new situations.”
Accurate attribution, that is, tracing a cyberattack back to a specific actor, is notoriously difficult to accomplish, explained FireEye Senior Manager for Intelligence Production Nick Rossmann.
“Attribution is really an art form. It’s not an exact science,” Rossmann said. It requires a comprehensive analysis of tactics, operations and contextual strategy. FireEye will typically only attribute an incident to a specific threat actor if both the operational code used in the attack and its command-and-control server match existing forensic evidence, he said.
Known victims of APT28, for which attribution was announced publicly, include the World Anti-Doping Agency, multiple Ukrainian political organizations and the DNC.
“Capabilities — including the tools actors employ — infrastructure, victimology and attack motivation have to be evaluated at the time that they are used in attacks to [accurately] determine the extent to which the activity is attributable to a given actor,” said Kyle Ehmke, senior intelligence researcher at ThreatConnect. “We can’t really speak to which … tools are going to be indicative of APT28 activity in the long term.”
The group, which is believed to have ties to Russian intelligence, consistently relies on a comprehensive toolbox of malware to compromise victims.
APT28 maintains a complex malware suite that contains at least six different families, which FireEye believes are unique to the group, according to a newly released intelligence report authored by the company. Those families are codenamed Chopstick, Eviltoss, Gamefish, Sourface, Oldbait and Coreshell. The group largely deploys this malware by sending phishing emails or by compromising a web property that its targets are likely to visit, a so-called watering-hole attack.
Potential victims of APT28 that match the group’s known targeting profile include foreign embassies, policy workshops, political organizations, news outlets, individual journalists and politicians, nonprofits and defense contractors.
Despite recently announced economic sanctions aimed at Russian officials, APT28 continues to mount operations in support of Russian strategic interests, said Rossmann. There has been no lull in the group’s activity.
“We know that APT28 is reading security blogs. We know that they know what’s being made public, and they’re shifting the way they do things already,” Wrolstad said. “If we look at some of their characteristic malware like EvilToss and X-Agent … that stuff has been around since like the mid-2000s. What we see today is an iteration of an iteration, with far greater capability — adding evasion and detection mechanics to fool defenders.”
Private sector cybersecurity firms FireEye, ThreatConnect and CrowdStrike are commonly recognized as having published the most extensive research on APT28, dating the group’s first operations back to at least the early 2000s.
“Two of the notable infrastructure tactics we’ve identified for APT28 activity are their use of dedicated IP addresses and their use of small or boutique, seemingly random, name servers. Hosting their malicious domains on dedicated IP addresses provides actors with more control over their infrastructure and helps ensure that their operations won’t be detected [as easily],” said Ehmke.
He added, “We assess that APT28’s need to procure and manage attack infrastructure most likely will persist and result in the use of similar, exploitable domain registration and infrastructure tactics that can be used to alert on and identify potential APT28 domains.”
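The two infrastructure traits Ehmke describes, a dedicated IP address and a small, rarely seen name-server provider, are the kind of thing a defender can turn into a hunting query over passive DNS. The script below is an added example written for this article, not ThreatConnect's or FireEye's tooling, and every domain, IP and name server in it is a constructed placeholder rather than a real indicator. It treats an IP as "dedicated" when it resolves for only one domain in the observed data set, and a name-server provider as "boutique" when it is not one of a few assumed large DNS providers and serves only a handful of domains. Registration (WHOIS) data, which Ehmke also mentions, is left out because none is shown on the page.

```python
"""Hunt for domains that combine a dedicated IP with a boutique name server.

Added example for this article; the records, thresholds and provider list
are assumptions, not published APT28 indicators.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: name servers under these zones belong to large, widely used DNS
# providers and are therefore never counted as "boutique".
COMMON_NS_SUFFIXES = (
    "cloudflare.com", "awsdns-", "googledomains.com", "domaincontrol.com",
)


@dataclass(frozen=True)
class DnsRecord:
    domain: str
    ip: str
    nameservers: tuple  # e.g. ("ns1.example", "ns2.example")


# Constructed passive-DNS sample: two shared-hosting IPs that carry several
# domains each, plus three single-domain ("dedicated") IPs.
SAMPLE_RECORDS = [
    DnsRecord("news-portal.example", "203.0.113.10", ("ns1.cloudflare.com", "ns2.cloudflare.com")),
    DnsRecord("shop-site.example", "203.0.113.10", ("ns01.domaincontrol.com", "ns02.domaincontrol.com")),
    DnsRecord("blog-host.example", "203.0.113.10", ("ns1.cloudflare.com", "ns2.cloudflare.com")),
    DnsRecord("forum-site.example", "203.0.113.11", ("ns-1.awsdns-00.org", "ns-2.awsdns-01.net")),
    DnsRecord("another.example", "203.0.113.11", ("ns-1.awsdns-00.org", "ns-2.awsdns-01.net")),
    DnsRecord("ministry-mail-login.example", "198.51.100.5", ("ns1.tinyhost.test", "ns2.tinyhost.test")),
    DnsRecord("corp-webmail-update.example", "198.51.100.6", ("ns1.tinyhost.test", "ns2.tinyhost.test")),
    DnsRecord("small-business.example", "198.51.100.7", ("ns1.cloudflare.com", "ns2.cloudflare.com")),
]


def ns_provider(ns: str) -> str:
    """Reduce a name-server host to its provider zone: ns1.tinyhost.test -> tinyhost.test.
    (Last two labels; good enough for the sample, a public-suffix list is better in practice.)"""
    parts = ns.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_common_ns(ns: str) -> bool:
    ns = ns.lower()
    return any(suffix in ns for suffix in COMMON_NS_SUFFIXES)


def domains_per_ip(records):
    seen = defaultdict(set)
    for r in records:
        seen[r.ip].add(r.domain)
    return seen


def domains_per_ns_provider(records):
    seen = defaultdict(set)
    for r in records:
        for ns in r.nameservers:
            seen[ns_provider(ns)].add(r.domain)
    return seen


def score_records(records, boutique_threshold=3):
    """Return {domain: [reasons]} where reasons are the infrastructure traits matched."""
    by_ip = domains_per_ip(records)
    by_ns = domains_per_ns_provider(records)
    scores = {}
    for r in records:
        reasons = []
        # Dedicated IP: no other domain in our view resolves to this address.
        if len(by_ip[r.ip]) == 1:
            reasons.append("dedicated-ip")
        # Boutique NS: not a big provider, and the provider serves few domains.
        providers = {ns_provider(ns) for ns in r.nameservers}
        if (not any(is_common_ns(ns) for ns in r.nameservers)
                and all(len(by_ns[p]) <= boutique_threshold for p in providers)):
            reasons.append("boutique-ns")
        scores[r.domain] = reasons
    return scores


def flag_candidates(records, boutique_threshold=3):
    """Domains matching BOTH traits. These are leads for an analyst to pivot on,
    not attribution: plenty of legitimate sites sit on a dedicated IP."""
    scores = score_records(records, boutique_threshold)
    return sorted(d for d, why in scores.items() if {"dedicated-ip", "boutique-ns"} <= set(why))


if __name__ == "__main__":
    for domain, why in score_records(SAMPLE_RECORDS).items():
        print(f"{domain:32} {', '.join(why) or '-'}")
    print("candidates:", flag_candidates(SAMPLE_RECORDS))
```

On the sample data only the two domains on tinyhost.test are flagged; small-business.example sits on a dedicated IP but uses a common provider, so it is scored but not surfaced. The result depends heavily on how complete your passive-DNS view is: an IP looks "dedicated" simply because you have not seen its other domains, so the boutique-NS condition is what keeps the false-positive rate tolerable, and any hit still needs the capability and victimology context Ehmke describes before it means anything.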
Most security researchers and U.S. intelligence officials agree that APT28 shows all the attributes of a well-resourced, highly technical, nation-state-backed entity.
“All these advanced threat groups — whether it’s the Russians, the North Koreans, the Chinese or the Iranians — they want to keep from being detected and as a result, they dedicate significant resources to stay hidden,” said Wrolstad. “What you may find interesting is that a lot of APT28’s attacks are relatively unsophisticated in nature because the targets themselves are vulnerable to simple schemes … That, alone, makes them difficult to track.”