Kremlin-linked hacker crew's tactics exposed

Security researchers have published more intel on the tactics of the infamous Russian government-linked hacker crew blamed for compromising the Democratic National Committee (DNC) during last year's US presidential election.

A report by SecureWorks' Counter Threat Unit offers an analysis of the connection between the APT 28 crew and Russia's Main Intelligence Directorate (GRU) as well as a look at the comprehensive toolkits the cyberspies have put together.

APT 28 (AKA Fancy Bear) has moved beyond covert intelligence gathering using tactics such as email credential theft, exploit kits, the XAgent RAT (remote access trojan) and XTunnel backchannel tool, and an endpoint exploitation kit called Scaramouche.

SecureWorks' report also documents attacks by APT 28 (which it nicknames Iron Twilight) on a wide range of targets ranging from individuals in Russia and former Soviet states, current and former military and government personnel and organisations in the US and Europe, as well as authors and journalists with an interest in Russia. Particularly high-profile attacks – against TV5Monde, the DNC, and the Dutch Safety Board following a report on the crash of Flight MH17 in Ukraine – are explored.

The DNC hack marked a departure in the crew's operations that might be carried forward this year into interference against important French and German elections, SecureWorks warns.

In 2015 and 2016, the Russian government used Iron Twilight to target a variety of organisations. The threat group's activity can be characterised by the theft of confidential information and its calculated release to influence global events. Characteristics of Iron Twilight's activity suggest it is operated by the GRU. The threat group's departure from purely military and regional affairs to broader political and strategic operations, evidenced by its US political operations, suggests the Kremlin views Iron Twilight's role as supporting Russian 'active measures'. These active measures correspond to the Soviet doctrine of manipulating popular opinion to align with Russian strategic interests, enabling other Russian threat groups to carry out traditional covert intelligence gathering operations.

If Iron Twilight's 'active measures' operations in 2016 were intended to influence the US presidential elections, then CTU researchers expect similar operations against elections of strategic interest to the Russian government. These elections include the French presidential and German federal elections in 2017. The operations against TV5 Monde and the UK-based television network could indicate that the Russian government considers the disruption of foreign television broadcasts as a key capability.

Iron Twilight is opportunistic but less sophisticated than other Russian threat groups, according to SecureWorks. "By applying best practice security controls such as regular vulnerability scanning and patching, network monitoring, and user education, organisations can reduce their susceptibility to compromise," SecureWorks advises, adding that rolling out two-factor authentication (2FA) controls on internal or third-party webmail platforms represents another sensible precaution. ®

Bootnote

APT 28 is variously known as Pawn Storm, Sofacy, Tsar Team, Strontium, Fancy Bear, and (now) Iron Twilight.