Towards the end of May, we covered an article concerning APT28 and their potential involvement in the creation of VPNFilter. The group has earned notoriety stemming from multiple attacks and campaigns. The group also seems to be trying to break records for the most names; the group also goes by Sednit, Sofacy, Fancy Bear, Pawn Storm, and Tsar Team. The group who is widely believed to operate under orders from the Kremlin has typically operated by targeting a small number of users inside an organization, usually with the same exploit chain and the same malware. Researchers at Palo Alto believe the group is changing tactics to what they call “parallel attacks”.
In a report recently published by security firm, Palo Alto details how they believe the group is in the process of changing and adapting new tactics to carry out cyber espionage operations. Researchers at Palo Alto have conducting intense analysis on the group dating back to February and March of this year. Part of the analysis has dealt specifically with analyzing a lesser known tool widely attributed to the APT28 group called Zebrocy. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments. Researcher’s track this now as the third campaign using the Zebrocy malware.
Typically financially motivated hackers apply a shotgun approach to hacking by trying to infect multiple computers in the shortest amount of time. APT28 applied the opposite philosophy by targeting a few individuals in key positions in economic sectors of interest. However, with these recent campaigns, the group appears to now be targeting a wider selection of individuals. This marks a significant change in tactics by the infamous advanced persistent threat (APT). APTs can be defined as a group, such as a government, with both the capability and the intent to target, persistently and effectively, a specific entity. The term is commonly used to refer to cyber threats, in particular, that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information.
Central to this new tactic appears to be a diversification of their infection chain. This means that the group is now deploying multiple different attack methods to infect victims with varying strains of malware. Often these attacks occur at the same time prompting researchers to refer to the method as a “parallel attack.” Often the infection chain begins with a spear phishing campaign designed to spread Office documents laced with a variety of malware strains. In many instances, the Office documents exploit a well-known DDE exploit. DDE or Microsoft Dynamic Data Exchange allows an Office application to load data from other Office applications. It has been superseded by the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications. When exploited by malware authors the service can be abused to initiate macros without warning the user and without the user needing to enable macros.
Once the victim downloads and runs the booby-trapped files they can infect the user either with one of three variants of Zebrocy or a remote access trojan called Koadic. Zebrocy is used as a backdoor to install other malicious files, namely Xagent and Xtunnel which is done after reconnaissance has been done and the operators have found targets deemed to be of interest. What is of interest to researchers is that the three Zebrocy versions were coded in different programming languages, those being AutoIt, C++, and Delphi, all of which were deployed in the recent attacks, sometimes against the same target organization. Researchers believe this to be a unique tactic especially for a grouped deemed to be an APT. Researchers believe that this tactic is used to switch tactics mid-mission potentially making detection more difficult. This capability may also increase the likelihood that the mission is successful in the long run.
Foreign Affairs Organisations Targeted
All this begs the question, why the change in tactics? This apparent shotgun method of attack generally carried out by financially motivated hackers has never really been a tactic adopted by well-funded and knowledgeable nation state APTs. Generally, by employing such shotgun targeting method it makes it easier for researchers and authorities to detect. This is because it leaves behind far more artifacts, so called as they provide clues about an intruder to IT security professionals. This means that the change in tactics may assist in successfully carrying out the mission but will leave knowing that something happened. The MO of cyber-espionage groups has generally been to go undetected for extended periods of time gather the information slowly.
While the change of tactics has got much of the InfoSec community scratching their heads the targets of the latest campaigns remains true to form. Palo Alto says that APT28 deployed these recent "parallel attacks" in campaigns targeting government organizations dealing almost exclusively with foreign affairs. The group also didn't focus on particular countries, but targeted foreign affairs organizations all over the world, from North America to Asia. Foreign affairs organizations have traditionally been a major target for nation-state groups such as APT28 due to the wealth of information potentially on offer. Such a target would be considered typical in a cyber espionage campaign even if the methods employed are new. One thing is for sure and that is these methods are far from subtle.