The Russian government has long been suspected of heavy involvement in cyber-espionage campaigns against a range of targets, including the 2008 compromise of a US Department of Defense network and a cyber-attack that coincided with its invasion of Georgia in the same year.
Until now these allegations have been just that, with no concrete evidence that the Russian government sanctioned any such actions.
Today, security company FireEye has published a report entitled ‘APT28: A Window Into Russia’s Cyber Espionage Operations’. It may lack details on specific buildings, personnel or government agencies, but what it does have, FireEye says, “is evidence of long-standing, focused operations that indicate a government sponsor – specifically, a government based in Moscow.”
The report details the work of a team of “skilled Russian developers and operators” dubbed APT28 which has been collecting information from defence and geopolitical intelligence targets including the Republic of Georgia, Eastern European governments and militaries, and European security organisations – all areas which FireEye says are of interest to the Russian government.
According to a report in the Wall Street Journal, earlier in 2014 FireEye was called in by the US defence contractor Science Applications International and found a highly sophisticated tool that evaded detection and could even spread through an air-gapped network, one with no connection to the internet.
The tool had been built on machines with Russian-language settings, and its build timestamps fall within working hours in Moscow. Both are circumstantial attribution indicators rather than proof, since timestamps and language settings can be manipulated, but taken together they point strongly to Russian government involvement in its creation.
Unlike the highly active hacking groups backed by the Chinese government, APT28 showed no interest in stealing intellectual property or profiting from pilfered financial account information; it simply wanted to remain undetected while collecting information on its targets.
APT28 has been in operation since at least 2007, and in that time it has systematically evolved its malware “using flexible and lasting platforms indicative of plans for long-term use and sophisticated coding practices that suggest an interest in complicating reverse engineering efforts.”
Previous reports about the Russian government’s involvement in high-level cyber-espionage campaigns have been limited to hearsay or speculation.
“Despite rumours of the Russian government’s alleged involvement in high-profile government and military cyber-attacks, there has been little hard evidence of any link to cyber-espionage,” said Dan McWhorter, FireEye VP of Threat Intelligence.
“FireEye’s latest advanced persistent threat report sheds light on cyber-espionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks.”
The report also highlights the sophistication of APT28’s campaigns, including a formal code development environment and malware configured to send stolen data back through the victim’s own mail server, so that the exfiltration is harder to tell apart from legitimate mail.
APT28 targeted victims with spear-phishing campaigns, sending emails that appeared to come from reputable sources and whose subjects were relevant to the recipients.
According to FireEye, APT28’s campaigns have centred on three main themes: the Caucasus (especially the Georgian government), Eastern European governments and militaries, and specific security organisations including NATO and the OSCE.
FireEye says the group’s sophisticated development process and long-term outlook suggest it receives “direct ongoing financial and other resources from a well-established organisation, most likely a nation state government”, a further indication that this is a group backed by the Russian government.