Atlanta-based SecureWorks has a Counter Threat Unit which has been closely watching the Russian hacker gang APT28 over the last few years and released brand new research. This group of criminal hackers is also known as Pawn Storm, Sofacy, Strontium, Fancy Bear, and SecureWorks calls them “IRON TWILIGHT”.

Their researchers state it is highly likely they are supported by the Russian Government, specifically the GRU which is the Russian military intelligence arm, the counterpart of the FSB (former KGB). APT28 “active measures” were trying to influence U.S. presidential elections and at the moment try to do the same thing in France and Germany.

APT28 moves from just spying to sabotage 

SecureWorks said: “The threat group has targeted non-governmental organizations (NGOs), journalists, politicians, political organizations, governments, and militaries since at least 2009. SecureWorks® Counter Threat Unit™ (CTU) researchers assess it is highly likely that IRON TWILIGHT is sponsored by the Russian government. In Spring 2015, the Russian government began tasking IRON TWILIGHT with activity beyond covert intelligence gathering. The group conducted a sabotage operation against France-based TV station TV5Monde and leaked political details in what U.S. intelligence agencies concluded was an attempt to influence the U.S. presidential election.”

“Prior to 2015, IRON TWILIGH targets were consistent with a government intelligence agency tasked with covertly gathering military intelligence. In 2015, there were reports that IRON TWILIGHT had performed credential spear phishing attacks against Russian political activists, bloggers, and politicians; had targeted U.S. journalists; and had compromised the network of the German Bundestag parliament.”

Attack vectors: phishing emails and drive-by downloads at scale

Since March 2015, the group has attacked thousands of Gmail users using phishing attacks to steal credentials. IRON TWILIGHT has used spearphishing emails with malicious document attachments or links to a custom exploit kit. Its toolset includes malware for Windows, Mac OS X, and Linux-based operating systems and mobile devices. The threat actors also use targeted phishing campaigns to steal webmail credentials. As IRON TWILIGHT operates this capability at scale, automation likely accesses and exfiltrates data from compromised accounts.

IRON TWILIGHT’s hacking toolkit

• Exploit Kits, one for spear phishing campaigns and strategic web compromises. The other one as malware via an attachment to a spearphishing email.
• First Stage Malware like the Carberp trojan to establish access to a target environment, perform reconnaissance, and facilitate installation of second-stage tools.
• Second Stage Tools like the XAgent modular remote access trojan (RAT) and the XTunnel persistent backchannel tool. XAgent can jump air-gapped networks by infecting USB storage devices and can be used against Windows and Unix-based operating systems.
• Endpoint Tools like a kit named Scaramouche that consists of screen capture and credential theft tools.

What to do about It

SecureWorks recommends the following excellent best practices to prevent network compromise:

1. Apply best-practice security controls such as regular vulnerability scanning and patching,
2. Have network monitoring tools in place.
3. User education reduces your susceptibility to compromise.
4. Implement two-factor authentication (2FA) on internal and third-party webmail platforms.
5. Encourage employees use 2FA on their personal accounts.
6. Restrict work-related communication from personal email.

If you want to spend less time putting out fires, get more time to be proactive, and get the things done you know need to be done, step your employees through effective security awareness training. It will help you prevent compromises like this or at least make it much harder for the bad guys to social engineer your users. Several of our clients are using Fortidm’s Phishing diagnostic platform and awareness training. Find out how affordable this is for your organization. Get a quote now.