Report details Russia's sophisticated hacking toolkit

Tim Johnson, McClatchy Washington Bureau on

Published in News & Features

While it's not included in Wednesday's report, Wrolstad said APT28 had also targeted U.S. defense contractors, military attaches in Europe and Asia, and the governments of Georgia and Chile.

"We saw the Chilean government as a target of this activity back in 2014. And you wonder: How does that fit with Russia at all? So we started researching and we found that at that time there were discussions between the two militaries of Russia and Chile over some sort of arms sale or cooperation," Wrolstad said.

APT28 and other hackers alleged to be linked to the Russian state under President Vladimir Putin have used spearphishing thousands of times.

The Obama administration's declassified intelligence report on Russian hacking, released Dec. 29, said a parallel Russian hacking team known as APT29, thought to be operated by a domestic spying agency, the FSB, launched a massive spearphishing campaign in the summer of 2015, sending targeted emails "to over 1,000 recipients, including multiple U.S. government victims."

It said that Russian team had routed the fake emails through domains belonging to universities and other respected institutions or groups, worming their way into the network of "a U.S. political party," known to be the Democratic National Committee.

APT28 used a different technique to get into the DNC, luring one or more employees to click on a link to a fake webmail domain that mimicked Gmail or another service and tricked them into changing their passwords, thus sharing the new passwords with unseen Russian hackers observing from afar, the report said.
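The lure described above, a link to a fake webmail domain that mimics Gmail or another provider, is something a mail gateway or an analyst's triage script can screen for. The following is an added example, not code from the FireEye report, the intelligence report or this article: it pulls links out of a message body and flags three look-alike patterns (a legitimate provider name buried as a subdomain of an attacker-controlled domain, a typosquat within a small edit distance of a real provider domain, and a brand keyword inside an unrelated domain). The sample email, the brand list, the set of "legitimate" provider domains and the public-suffix shortcut are all constructed for illustration; a real deployment would use the Public Suffix List and its own allow-list.

```python
"""Flag credential-phishing links that impersonate a webmail provider.

Added example for illustration; the sample email, brand list and the
"legitimate" domain set below are constructed, not taken from any report.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list: the registrable domains we expect each brand's
# real sign-in pages to live under.
LEGIT_DOMAINS = {
    "gmail": {"google.com", "gmail.com"},
    "outlook": {"microsoft.com", "live.com", "outlook.com"},
}

# Constructed stand-in for the Public Suffix List, used only so that
# hosts under e.g. example.co.uk get the right registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (reason, host) if the link looks like a look-alike, else None."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    all_legit = set().union(*LEGIT_DOMAINS.values())
    if reg in all_legit:
        return None  # genuinely under a provider-owned domain
    # 1. Real provider domain used as a subdomain of someone else's domain,
    #    e.g. accounts.google.com.mail-verify-secure.net
    for legit in all_legit:
        if host.startswith(legit + ".") or ("." + legit + ".") in host:
            return ("legit-domain-as-subdomain", host)
    # 2. Typosquat: registrable domain a couple of edits away from a real one.
    #    Short domains get a tighter threshold to limit false positives.
    max_dist = 1 if len(reg) <= 8 else 2
    for legit in all_legit:
        if levenshtein(reg, legit) <= max_dist:
            return ("typosquat", host)
    # 3. Brand keyword inside a domain the brand does not own,
    #    e.g. gmail-account-reset.org
    for brand in LEGIT_DOMAINS:
        if brand in host:
            return ("brand-keyword", host)
    return None


def find_lookalike_links(body: str) -> List[Tuple[str, str, str]]:
    """Extract every http(s) link from a message body and return the suspicious ones."""
    hits = []
    for url in URL_RE.findall(body):
        verdict = classify_url(url)
        if verdict:
            hits.append((verdict[0], verdict[1], url))
    return hits


# Constructed sample message in the style of a password-reset lure.
SAMPLE_EMAIL = """\
Subject: Security alert: unusual sign-in activity

Someone just used your password to sign in. If this wasn't you, change your
password now: https://accounts.google.com.mail-verify-secure.net/ServiceLogin
Review your account at https://myaccount.google.com/security
Department newsletter: https://www.example.edu/news/2015-summer
Update your recovery address: https://gmai1.com/recovery?u=jdoe
Or confirm here: https://gmail-account-reset.org/login
"""

if __name__ == "__main__":
    for reason, host, url in find_lookalike_links(SAMPLE_EMAIL):
        print(f"{reason:28} {host:45} {url}")
```

Running the block prints the three bad links and stays silent on the real Google page and the university newsletter. The edit-distance rule is the noisiest of the three (a legitimate eight-letter domain one substitution away from a provider name will trip it), which is why it uses a tighter threshold for short names and why a production filter would combine this with sender and reputation checks rather than block on it alone.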

The FireEye report says, however, that the malicious toolbox owned by APT28 is large and growing. It listed six so-called "zero day" vulnerabilities the unit is known to have exploited, flaws in products from vendors such as Adobe and Microsoft, and in Java, that the vendors themselves had not known existed at the time, although they were eventually patched.

The flaws bear the name "zero day" because the vendor has had zero days to fix them: attackers exploit them before the vendor knows they exist, so no patch is available, and victims typically have no way of knowing they have been compromised.

"APT28 has shown over the past two years that they are able to procure these vulnerabilities called zero days at a rate much higher than any other group we've observed," Wrolstad said.

When a zero-day flaw is known only to hackers, there is no patch until it is discovered and fixed; in the meantime defenders can only limit exposure, through measures such as exploit mitigations, least privilege and watching for the activity that follows a successful intrusion.
