Cyber Espionage Attacks Attributed To Russian Government

FireEye report meticulously details clues that all point to state-sponsorship of the Sofacy/Sourface malware and tracks its evolution over seven years.

A new round of details released yesterday on the nearly decade-long activity by the group of hackers responsible for the Sofacy malware family has researchers from FireEye definitively pointing their fingers at the Russian government as the sponsor of the group.
Following up on the
Operation Pawn Storm report from TrendMicro last week
, FireEye provided greater historical context and details about the modus operandi of the actors in question, who make up a
hacking collective they call APT28
. Tracing activity back seven years through attacks found to be based on modularly designed malware, FireEye says it has solidified whats only been a dotted line connection between the Russian government and the Sofacy malware family -- also known as SEDNIT -- which consists of a dropper FireEye calls Sourface, along with the Eviltoss backdoor malware, and a modular implant called Chopstick.
This Russian government-backed type of espionage has been very mysterious and hard to nail down over all these years on the Internet, says Dan McWhorter, lead researcher for the report and vice president of threat intelligence for FireEye. In my opinion after looking at our research, it confirms that yes, in fact, the Russian government is doing this, and it gives us a body of evidence to put against that assertion that wasn’t there previously.
The evidence laid out by FireEye includes several important clues. As TrendLabs and
other researchers
have already publicly shown, FireEye research similarly found that APT28 has targeted European security-related organizations such as NATO, OSCE, and defense events and exhibitions. Additionally, FireEye pointed to attacks against Eastern European governments and militaries of particular interest to the Russian government, such as Polands and Hungarys.
In particular, though, this latest report includes evidence of what McWhorter calls almost a fascination of the Caucasus countries, Georgia in particular, in its targeted attacks utilizing Sourface. This tracks with the security communitys hunch since the first sparks of the Georgia-South Ossetia conflict back in 2008 that cyber mercenaries have been carrying out Russian government bidding to move forward the countrys interests in the region.
In addition to the intel about APT28s targets, this most recent report also showed further evidence that bolsters the claim that the Russian government is behind these attacks. First, all of the code created for these constantly updated malware variants is developed by coders who speak Russian as a first language and is compiled almost exclusively during business hours in the Moscow and St. Petersburg time zones. And more tellingly, the malicious software developed by the group is perpetuated through flexible and lasting platforms that have been evolved since 2007.
The targeting was consistent, the growth of the malware was consistent, the dedication to the mission over seven years remained consistent, McWhorter says. So we got this development that went on steadily for seven years that required a whole development team in modular malware and that obviously took some level of funding. People weren’t doing it for fun off to the side.
According to Tom Kellermann, chief cybersecurity officer for Trend Micro, while the FireEye report is pretty good, he was disappointed that it didnt include further information about the prevalent attack techniques used by the group, namely the use of targeted phishing attacks against Outlook Web Access (OWA) users using typo squatted domains of defense exhibitions.
We also investigated advanced phishing of Google, Yahoo, Live, Hushmail, and Yandex free mail, by the same group. This is not targeted at free mail users in general but only at very specific users -- of defense contractors and even government officials who use Gmail or Yahoo for sensitive stuff, Kellerman says. We leaked credentials on purpose to the attackers and monitored what happened. We witnessed that the attackers logged in on the compromised accounts and tried to download mail with IMAP connections. They used IP addresses in the US and Latvia for that.
However, McWhorter says that the intent of this report was more about attribution and following the evolution of the malware platform used by APT28 than anything else. In particular, he said, it was interesting to follow the behavioral patterns of a group tied to the Russian government versus a Russian financial crime ring.
People tend to combine together Eastern European financial crime with the Russian government, but theyre very distinct, he says. One may know about the other, but the activities are very distinct in what they’re going after.
However, some researchers believe that line is more blurry than that. Another research outfit, iSight, reports that for the past year it too has been following the movements of the group FIreEye calls APT28. According to iSight researchers, the movement of this group extends beyond government, says John Hultquist, head of cyber espionage intelligence for iSight. The attackers are not just looking for information about military or diplomacy matters, Hultquist says.
These operators have been tasked with answering questions on energy, on dual use technology, even on sanctions. These are all important questions to the government of Russia, but many of the answers are found in the private sector, he says. Right now the countrys economic base has been jeopardized by falling oil prices. We’d anticipate at the very least they are taking efforts to understand.
McWhorter agrees that, though the report focused primarily on government and military targets in order to nail down attribution, he does believe the group will go as broad as it needs to in order to further Russian government espionage goals. This means enterprises of many types need to be on their toes.
I think the takeaway from that is if you have any kind of information that the Russian government would be interested in, APT28 doesn’t seem to be shy about targeting you, and we have evidence of that in the report, he says. When Russia has an interest, you can bet that APT28 also has an interest in what you’re doing.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Cyber Espionage Attacks Attributed To Russian Government