A warning that unidentified hackers broke into an agency of the US federal government and stole its data is troubling enough. But it becomes all the more disturbing when those unidentified intruders are identified—and appear likely to be part of a notorious team of cyberspies working in the service of Russia’s military intelligence agency, the GRU.
Last week the Cybersecurity and Infrastructure Security Agency published an advisory that hackers had penetrated a US federal agency. It identified neither the attackers nor the agency, but did detail the hackers’ methods and their use of a new and unique form of malware in an operation that successfully stole target data. Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest a likely answer to the mystery of who was behind the intrusion: They appear to be Fancy Bear, a team of hackers working for Russia’s GRU. Also known as APT28, the group has been responsible for everything from hack-and-leak operations targeting the 2016 US presidential election to a broad campaign of attempted intrusions targeting political parties, consultancies, and campaigns this year.
“They’re a formidable actor, and they’re still capable of gaining access to sensitive areas.”
John Hultquist, FireEye
The clues pointing to APT28 are based in part on a notification the FBI sent to targets of a hacking campaign in May of this year, which WIRED obtained. The notification warned that APT28 was broadly targeting US networks, including government agencies and educational institutions, and listed several IP addresses they were using in their operations. Dragos researcher Joe Slowik noticed that one IP address identifying a server in Hungary used in that APT28 campaign matched an IP address listed in the CISA advisory. That would suggest that APT28 used the same Hungarian server in the intrusion described by CISA—and that at least one of the attempted intrusions described by the FBI was successful.
“Based on the infrastructure overlap, the series of behaviors associated with the event, and the general timing and targeting of the US government, this appears to be something very similar to—if not a part of—the campaign linked to APT28 earlier this year,” says Slowik, the former head of Los Alamos National Labs’ Computer Emergency Response Team.
Aside from that FBI notification, Slowik also found a second infrastructure connection. A report last year from the Department of Energy warned that APT28 had probed a US government organization’s network from a server in Latvia, listing that server’s IP address. And that Latvian IP address, too, reappeared in the hacking operation described in the CISA advisory. Together, those matching IPs create a web of shared infrastructure that ties the operations together. “There are one-to-one overlaps in the two cases,” Slowik says.
Confusingly, some of the IP addresses listed in the FBI, DOE, and CISA documents also seem to overlap with known cybercriminal operations, Slowik notes, such as Russian fraud forums and servers used by banking trojans. But he suggests that means Russia’s state-sponsored hackers are most likely reusing cybercriminal infrastructure, perhaps to create deniability. WIRED reached out to CISA, as well as the FBI and DOE, but none responded to our request for comment.
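The infrastructure-overlap reasoning Slowik describes (the same IP address appearing in the FBI notification, the DOE report and the CISA advisory, weighed against the possibility that it is shared crimeware infrastructure) can be mechanised as a small cross-reference check. The script below is an added illustration, not code from WIRED, Dragos or any of the agencies named; the report names and every IP address in it are constructed placeholders from the RFC 5737 documentation ranges, not the real indicators, and the "crimeware" list stands in for whatever third-party dataset an analyst would actually consult.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation ranges). These are NOT the
# indicators from the real FBI, DOE or CISA documents, which are not reproduced here.
REPORTS = {
    "fbi_may_notification": ["192.0.2.10", "192.0.2.11", "198.51.100.5"],
    "doe_report":           ["203.0.113.7", "192.0.2.99"],
    "cisa_advisory":        ["192.0.2.10", "203.0.113.7", "198.51.100.200"],
}

# Constructed: addresses also seen in cybercriminal infrastructure (fraud forums,
# banking-trojan servers). Overlap on such an address is weaker attribution evidence.
CRIMEWARE_INFRA = {"192.0.2.10"}


def normalize(ip_text):
    """Parse and canonicalise an address (strips whitespace, lower-cases IPv6,
    rejects malformed input) so typos cannot create or hide an overlap."""
    return str(ipaddress.ip_address(ip_text.strip()))


def find_overlaps(reports):
    """Return {ip: [report, ...]} for every address listed by two or more reports."""
    seen = defaultdict(set)
    for source, ips in reports.items():
        for ip in ips:
            seen[normalize(ip)].add(source)
    return {ip: sorted(srcs) for ip, srcs in seen.items() if len(srcs) > 1}


def assess(overlaps, crimeware):
    """Rate each overlap: a shared address that is also crimeware-associated may
    simply be reused commodity infrastructure, so it gets a lower weight."""
    return {ip: ("low" if ip in crimeware else "moderate") for ip in overlaps}


if __name__ == "__main__":
    ov = find_overlaps(REPORTS)
    for ip, weight in assess(ov, CRIMEWARE_INFRA).items():
        print(f"{ip}: listed by {', '.join(ov[ip])} -> attribution weight {weight}")
```

On the constructed data this reports two overlaps, one of which is downgraded because it also appears in the crimeware set, mirroring the caveat Slowik raises.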
Although it doesn’t name APT28, CISA’s advisory does detail step-by-step how the hackers carried out their intrusion inside an unidentified federal agency. The hackers had somehow obtained working usernames and passwords for multiple employees, which they used to gain access to the network. CISA admits it doesn’t know how those credentials were obtained, but the report speculates that the attackers may have used a known vulnerability in Pulse Secure VPNs that CISA says has been exploited widely across the federal government.
The intruders then used command line tools to move among the agency’s machines, before downloading a piece of custom malware. They then used that malware to access the agency’s file server and move collections of files to machines the hackers controlled, compressing them into .zip files they could more easily steal.