Russian APT activity is resurgent, researchers say

The bears are back in town.
Bears. Phishing. Get it? (Getty)

Cybersecurity researchers have detected new spearphishing and malicious-email campaigns associated with two Russian-government-linked hacking groups known for breaching the Democratic National Committee in 2016.

One campaign spotted by Palo Alto Networks featured a wave of malicious documents targeting government organizations in Europe, North America, and an unnamed former Soviet state. The documents, which researchers intercepted in late October and early November, included a variant of the Zebrocy Trojan that sends screenshots of a victim’s network back to a command-and-control server.

Unit 42, Palo Alto Networks’ intelligence team, tied the malicious-email campaign to the Sofacy Group, a Russian hacking outfit also known as APT28 and Fancy Bear, which has deployed Zebrocy.

Meanwhile, FireEye researchers on Monday published details on a spearphishing offensive that had technical similarities with a 2016 campaign from the APT29 Russian hacking group.

Western governments have attributed APT28 and APT29 to different parts of Russia’s intelligence services.

The campaign tracked by FireEye sent malicious emails purporting to be from a State Department public affairs official. The offensive targeted a range of sectors, from the U.S. military and defense contractors to law enforcement, media, transportation, and pharmaceutical organizations, FireEye said.

Russian hackers carried out a 2014 breach of the State Department’s unclassified computer system, according to reporting from The Washington Post and The New York Times. FireEye said there is no indication that State Department networks were used in the newly uncovered campaign.

“The attacker appears to have compromised the email provider for a hospital and the corporate website of a consulting company, in order to use their infrastructure to send phishing emails,” FireEye analysts wrote in a blog.

If confirmed, FireEye said it would be the first known activity from APT29, also known as Cozy Bear, in more than a year. But FireEye, which is still analyzing the activity, is not certain that APT29 is the culprit. Whoever is responsible reused some old APT29 phishing tactics, techniques and procedures.

“[S]eemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services,” the researchers wrote.

One of the FireEye researchers, Andrew Thompson, tweeted multiple hypotheses the FireEye team considered in attributing the activity. One theory held that an unidentified threat actor emulated APT29 in an attack Thompson said was “technically feasible.”

But that seems unlikely, he added, because “we had no evidence to support the idea that an actor stole intrusion data in order to project as APT29.”

Thompson said his “leading hypothesis” is that APT29 is behind the spearphishing and that the group intentionally reused an old tactic “with the intent of causing doubt and dissent within the security community.”

The research comes as the Department of Justice has steadily built criminal cases against Russian hacking operations. DOJ has charged more than a dozen Russian intelligence officers with hacking in the last five months, including for their alleged role in the 2016 breach of the DNC and other political organizations.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.