Tackling Strontium: a cyber-espionage group


What are the different malicious tools used by the Russian hacking group? What are their main targets?


The story so far: On April 7, Microsoft said it had halted cyberattacks by a Russian nation-state hacking group. The group, called “Strontium” by the software company, targeted Ukrainian companies, media, government agencies and think tanks in the US and EU. The Redmond-based company took control of seven internet domains the group used to launch its attacks, after a court order allowed it to seize the infrastructure. In the past, Microsoft had made 15 similar seizures to take over more than 100 Strontium-controlled domains. In addition to Microsoft, security companies, government agencies and individual researchers monitor the group, which has been active for over a decade and a half, deploying different attack methods against individuals and organizations across multiple industries worldwide.

What is Strontium?

Strontium, also known as Fancy Bear, Tsar Team, Pawn Storm, Sofacy, Sednit or Advanced Persistent Threat 28 (APT28), is a very active and prolific cyber-espionage group. It is one of the most active APT groups and has been operating since at least the mid-2000s, making it one of the oldest cyber-espionage groups in the world. It has access to highly sophisticated tools for conducting espionage operations and has attacked targets in the United States, Europe, Central Asia and West Asia. The group is believed to be linked to the GRU, the main military intelligence arm of the Russian armed forces. GRU cyber units are believed to have been responsible for several cyberattacks over the years, and its Unit 26165 has been identified as Fancy Bear.

How does it attack networks?

The group deploys various malware and malicious tools to breach networks. In the past, it has used X-Tunnel, SPLM (also known as CHOPSTICK and X-Agent), GAMEFISH and Zebrocy against its targets. These tools can hook into system drivers to access local passwords, track keystrokes and mouse movements, and control webcams and USB drives. They can also search and replace local files and maintain a connection to the network, according to a report from the UK’s National Cyber Security Centre (NCSC).

APT28 uses spear-phishing (targeted email campaigns designed to gain access to an individual’s account) and zero-day exploits (attacks that take advantage of software vulnerabilities not yet known to the vendor) against specific individuals and organizations. It has used spear-phishing and, at times, watering-hole attacks to steal information such as account credentials, communications and sensitive documents. A watering-hole attack compromises a website the intended victim is known to visit, in order to gain access to the victim’s computer and network.

For high-volume attacks, the group has used Zebrocy, which is also delivered primarily via spear-phishing emails.

Fancy Bear has also used the VPNFilter malware to target hundreds of thousands of network routers and storage devices around the world. The infection could allow attackers to control infected devices, render them inoperable, and intercept or block network traffic, according to the NCSC. More recently, a cybersecurity advisory released by the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) noted that APT28 had deployed malware called Drovorub, designed for Linux systems. Once deployed on a victim machine, it offers file upload and download capabilities, execution of arbitrary commands, and concealment techniques to evade detection.

Which organizations were targeted?

The Democratic National Committee (DNC) hack during the 2016 U.S. presidential election, the cyberattack on the global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and several other high-profile breaches are believed to be the work of APT28.

The DNC was allegedly hacked by Fancy Bear, and documents, including emails, stolen in the cyberattacks were published online. Throughout the campaign, dozens of politicians, DNC staff, speechwriters, data analysts, former Obama campaign staff, Hillary Clinton campaign staff and even corporate sponsors were repeatedly targeted, according to a report from cybersecurity software firm Trend Micro. The same year, Fancy Bear was suspected of being behind the disclosure of confidential medical records of numerous international athletes. WADA publicly stated that the data came from a hack of its Anti-Doping Administration and Management System.

In 2015, Germany’s federal parliament, the Bundestag, was allegedly attacked by Fancy Bear. During the attack, a significant amount of data was stolen, and the email accounts of several MPs, as well as that of Chancellor Angela Merkel, were affected. Later that year, the same group was believed to be responsible for accessing and stealing content from several email accounts belonging to a small UK-based TV station.

How have governments and security agencies reacted?

In 2018, a grand jury indicted 12 Russian nationals in the DNC hack for committing federal crimes aimed at interfering with the 2016 US presidential election. Those indicted were members of the GRU. Later that year, another grand jury indicted seven defendants, all GRU officers. The conspirators included a Russian intelligence hacking team that travelled overseas to compromise computer networks used by anti-doping and sports officials.

In the UK, the government announced it would apply asset freezes and travel bans against two Russian GRU officers and GRU Unit 26165, held responsible for the 2015 cyberattacks on the German parliament. Additionally, the country’s NCSC issued a detailed technical advisory to help organizations detect the presence of malicious tools used by APT28 on their platforms and networks, along with mitigation guidance for protecting against the group’s activities.

In addition to security agencies, software and cybersecurity companies and independent researchers have published detailed reports describing Fancy Bear’s notorious cyberattacks and the tools used to carry them out. The aim is to help organizations prepare for and defend against persistent cyber threats from APT groups working in association with nation states.

The essentials

Strontium (aka Fancy Bear) is a very active cyber-espionage group. The group is believed to be linked to the GRU, the main military intelligence arm of the Russian armed forces. GRU Unit 26165 has been identified as Fancy Bear.

The group deploys various malware and malicious tools to breach networks. These tools can hook into system drivers to access local passwords, track keystrokes and mouse movements, and control webcams and USB drives. They can also search and replace local files and maintain a connection to the network.

The Democratic National Committee (DNC) hack during the 2016 U.S. presidential election, the cyberattack on the global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and several other high-profile breaches are believed to be the work of Fancy Bear.
