Some hackers gain notoriety for the way they execute their breaches. The GRU is one of these “elite” hacking gangs.
The GRU is a Russian military intelligence agency that has carried out some of the most damaging hacking operations in history, including blackouts, worms, and a hack-and-leak operation to manipulate the 2016 U.S. presidential election.
“A new GRU hacking campaign targeting U.S. organizations in 2020 also raises the specter of another round of election meddling, given the GRU’s notorious campaign of electoral interference in 2016. U.S. intelligence officials have been warning since early this year that Russia has sought to interfere in U.S. electoral politics again to help reelect President Trump. But the FBI and FireEye both say they saw no signs that this particular string of intrusions by APT28 was related to the upcoming presidential election.”
FireEye’s Read said, “the campaign shows that the GRU’s general interest in U.S. targets hasn’t ended, even as its endgame remains unclear. The U.S. continues to be the chief antagonist for Russia in their mind. It’s an important reminder that this is still going on. It’s hard to say if it’s a significant escalation. But it’s not good.”
The FBI is tight-lipped about the names of affected victims, or whether an attack was successful, but one victim, who asked to remain anonymous, explained that the attack was subtle: there was no sign of phishing emails, yet all mailboxes had been compromised. The staff member said, “once they were on the server, they stole entire mailboxes. The natural worry is, am I the next John Podesta?”
(The emails of John Podesta, Hillary Clinton’s campaign director, were stolen and leaked by APT28 ahead of the 2016 election.)
The FBI eventually notified the organization that APT28 had breached them. “Reading the victim notification and realizing how many different organizations were probably targeted, it just underscores that exactly what we worried about in 2016 is something that Russia is still doing as we speak.”
Ben Read, a cyberespionage analyst at FireEye, noted that the hackers were stealthy. Instead of infecting systems with malware, as APT28 usually does, they moved around the corporate network like regular employees, using stolen credentials. While FireEye was also tight-lipped about actual numbers, it said that the organizations it saw attacked matched IP addresses listed in the FBI victim notification.
An FBI notification sent to hack victims confirms that from December 2018 until May 2020 the GRU hacking group APT28, also known as Fancy Bear, orchestrated hacking campaigns against U.S. targets. “The GRU hackers primarily attempted to break into victims’ mail servers, Microsoft Office 365 and email accounts, and VPN servers.” The targets included “a wide range of US-based organizations, state and federal government agencies, and educational institutions.” Technical breadcrumbs included in that notice reveal that APT28 hackers have targeted the U.S. energy sector, too, apparently as part of the same effort.
In a statement responding to WIRED’s request for further comment on the notification sent to APT28 hacking victims, an FBI spokesperson wrote, “although not all motives are clear, we can make judgments based on the nature of the target as seen through past indictments.”
The FBI also says that the GRU hacking campaign has likely continued into recent months. “An Advanced Persistent Threat is just that,” the spokesperson added, referring to the APT acronym from which APT28 takes its name. “There is an expectation of continued activity.”
The report also sheds light on the attackers’ patterns and methods, stating that the APT28 hackers used spear-phishing emails to gain access to personal and work email accounts. Another method was password spraying, in which guessed password combinations are tried across many accounts rather than repeatedly against one.
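Password spraying leaves a distinctive footprint in authentication logs: one source address produces failures across many different accounts while each account sees only one or two failures, which is the inverse of a classic brute force against a single account. The following detector is an added example written for this article, not code from WIRED, the FBI, or FireEye; the log format, the source addresses (documentation ranges), the user names and the thresholds (`window`, `min_users`, `max_per_user`) are all constructed assumptions, and a real deployment would read mail-server, Office 365 or VPN sign-in logs instead of the inline sample.

```python
"""Detect password-spraying patterns in authentication logs.

A spray tries a few passwords against many accounts, so each account sees
only one or two failures while a single source address fails across many
distinct users in a short window. A brute force against one account looks
different: many failures, one user. The detector separates the two.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): "<ISO timestamp> <user> <source IP> <FAIL|OK>".
# 203.0.113.7 models a spray that finally succeeds against one account;
# 198.51.100.9 is ordinary user noise; 192.0.2.33 is a single-account brute force.
SAMPLE_LOG = """\
2020-05-01T09:00:01 alice 203.0.113.7 FAIL
2020-05-01T09:00:04 bob 203.0.113.7 FAIL
2020-05-01T09:00:07 carol 203.0.113.7 FAIL
2020-05-01T09:00:10 dave 203.0.113.7 FAIL
2020-05-01T09:00:13 erin 203.0.113.7 FAIL
2020-05-01T09:00:16 frank 203.0.113.7 FAIL
2020-05-01T09:00:19 grace 203.0.113.7 FAIL
2020-05-01T09:00:22 heidi 203.0.113.7 OK
2020-05-01T09:05:00 alice 198.51.100.9 OK
2020-05-01T09:06:00 bob 198.51.100.9 FAIL
2020-05-01T09:06:30 bob 198.51.100.9 OK
2020-05-01T09:10:00 ivan 192.0.2.33 FAIL
2020-05-01T09:10:01 ivan 192.0.2.33 FAIL
2020-05-01T09:10:02 ivan 192.0.2.33 FAIL
2020-05-01T09:10:03 ivan 192.0.2.33 FAIL
2020-05-01T09:10:04 ivan 192.0.2.33 FAIL
2020-05-01T09:10:05 ivan 192.0.2.33 FAIL
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, src, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: finding} for sources whose failures look like a spray.

    A source is flagged when, within `window`, it fails against at least
    `min_users` distinct accounts and no single account is hit more than
    `max_per_user` times (assumed thresholds; tune to the environment).
    """
    fails_by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    findings = {}
    for src, fails in fails_by_src.items():
        # Slide a window starting at each failure; events are already time-ordered.
        for i, (start, _) in enumerate(fails):
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = {
                    "distinct_users": len(per_user),
                    "failures": len(in_window),
                    "window_start": start.isoformat(),
                }
                break  # one finding per source is enough for triage
    return findings


def successes_from_flagged_sources(events, findings):
    """Accounts that authenticated successfully from a flagged source: the first ones to investigate."""
    hits = defaultdict(set)
    for ts, user, src, result in events:
        if src in findings and result == "OK":
            hits[src].add(user)
    return {src: sorted(users) for src, users in hits.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_spray(evs)
    for src, info in found.items():
        print(f"possible spray from {src}: {info}")
    print("successful logins from flagged sources:", successes_from_flagged_sources(evs, found))
```

On the sample, only 203.0.113.7 is flagged (seven distinct users, one failure each); the six failures from 192.0.2.33 all hit `ivan`, so they fail the `max_per_user` test and belong to a brute-force rule instead. The success for `heidi` from the flagged source is the event that matters most, since it is the point at which a spray turns into the credential-based access described above.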
Within days of the FBI’s notification being sent to victims in early May, the NSA issued a public advisory that Sandworm, a separate but closely linked GRU hacker group, was exploiting a vulnerability in Exim mail servers to target victims. The FBI told WIRED it knew of no connection between that Exim exploitation and the APT28 campaign.
Spotting the connection between the DOE advisory and the FBI victim notification, Joe Slowik, a security researcher at the industrial-control-system security firm Dragos, commented that the energy-sector intrusions would represent a shift in targeting for APT28. He said that “just given what we understand about how APT28 operates and its typical victimology, identifying that group interacting with the U.S. energy sector would be substantially different from how this group has behaved previously.”
Hacking critical infrastructure appears to be a recent focus for APT28, though there have been infrastructure intrusions in the past.
For example, in 2014 the group planted Sandworm malware on the networks of U.S. electric utilities.
In the following years, 2015 and 2016, the first-ever cyberattack-induced blackouts, in Ukraine, were the work of APT28.
These earlier incidents, together with the possibility that APT28 is now scouting the U.S. energy industry, raise concerns.
Slowik adds, “this is a concerning data point. It’s the first time in a while that this group has targeted U.S. critical infrastructure.”