According to the Norwegian police secret service (PST), APT28 is also known as Fancy Bear was behind a recent cyberattack on the Norwegian Parliament. The attack happened in August 2020 with hackers gaining access to the Parliament's email system and accessed inboxes for Stortinget (Parliament) employees and government elected officials.
At the time of the initial announcement of the attack in September by government officials, no details of the hack were released to the public. In a follow-up announcement in October, Norwegian Foreign Minister Ine Eriksen Søreide stated that from initial investigations several clues suggested that the attack was carried out by Russian hackers.
This was immediately denied by Russian officials, with Russian Foreign Ministry Spokeswoman Maria Zakharova stating,
“It is baffling that despite the existing and well-known to the Norwegian side order of investigation of such situations, Oslo chooses the path of unfounded accusations, not bothering at all to provide any proof," she said. "We can conclude that there is simply no evidence. If there was any, it would be provided or at least mentioned.”
On December 8, 2020, the Norwegian PST looked to provide that evidence in a statement released to the public, confirming earlier statements made by Norwegian officials. In a statement issued by officials, it was noted that hackers breached email accounts then attempted to pivot to the Parliament's internal networks. The attempt failed, however, PST did point out that the attack was made possible due to employees using weak passwords and also failed to implement two-factor authentication.
The attack is believed to be part of a wider APT28 campaign which can be traced back to 2019. Targets of the attack include other organizations in Norway as well as abroad. PST officials noted the Norwegian parliament is a prime target for several reasons including,
“As Norway's Legislative Assembly, the [Parliament] is a strong symbolic target, and is one of the most important pillars for the integrity of Norwegian sovereignty and for the democratic processes between Norwegian elected representatives. In addition, the [Parliament] manages very specific, partly sensitive values that are critical of Norway, and which are of great interest to several foreign states' intelligence services.”
In providing evidence suggesting APT28 involvement officials noted,
“The investigation shows that the player has used a procedure called password "brute-forcing" to obtain valid usernames and passwords. This technique has been used against a high number of user accounts at the Storting's e-mail systems, and has resulted in the player being able to obtain a user password, which it could again use to log in to a smaller number of accounts. It has been revealed that sensitive content has been extracted from some of the affected e-mail accounts…The investigation shows that the network operation that the Storting was affected by is part of a larger campaign nationally and internationally, which has been going on at least since 2019. The analyzes show that it is likely that the operation was carried out by the cyber actor referred to in open sources as APT28 and Fancy Bear. This actor is linked to Russia's military intelligence service GRU, more specifically their 85th Special Services Center (GTsSS).”
Change in APT28 Tactics
A recent report by Microsoft’s Threat Intelligence Center (MSTIC) detailing changes to APT28’s tactics, the group is tracked by the codename STRONTIUM by Microsoft researchers, notes that new credential harvesting and brute-forcing tactics have been added to an already expansive toolset. A brute force attack is one whereby the attackers use a computer to guess login credentials by running through possible combinations. This type of attack has proved simple and reliable over the years for a few reasons. Firstly, people will often choose weak passwords as they are easy to remember and secondly by not adopting two-factor authentication it is made a lot easier for attackers to compromise the network once the right combination is found. One method these attacks are carried out is by attackers using dictionaries, or lists of possible usernames and passwords and getting a computer to try each one.
Returning to APT28 tactics, the state-sponsored group is probably most well-known for the cyberattacks on the 2016 US presidential election. During this campaign, the group focussed mainly on acquiring credentials via spear-phishing campaigns. This made use of spam emails using a variety of social engineering tactics to trick recipients into entering credentials via malicious documents and fake links.
Microsoft noted that now the group has switched to brute force attacks to enable large scale credential harvesting with the bonus of doing so in a more anonymous way. To do this APT28 has created an IP infrastructure of roughly 1,100 unique IP addresses many of which are associated with a Tor anonymizing services to not only carry out the brute force attacks but remain relatively anonymous while doing so. APT28 is not the only nation-state group to have recently adopted these tactics but several others have adopted similar tactics.
The infrastructure used by APT28 can be used in two unique ways. In what has been termed password-spray mode, the infrastructure, and tooling attempt to guess the correct username and password combination in a slow and restrained way. In this mode, roughly four attempts to compromise the organization are made every hour over a period of several weeks. Described as “low and slow” by researchers this mode makes it harder to detect if the failed attempts are malicious or not, if the attackers did a large number in a short period of time suspicions would likely be raised. To make detecting the attempts even more difficult each attempt is done from one of the thousand or so IP addresses making up the infrastructure.
The second mode has been called a brute-force mode. This mode involves the infrastructure attempting combinations at a rate of roughly 300 attempts per hour. This is done over several days or weeks. This one may be easier to detect but organizations targeted only saw an increase of 20% in attempts when compared to total account attempts. The brute-force attack could coincide with periods where organizations are busier than usual effectively hiding their attempts.
Recent US Elections
In a previous report published by Microsoft, researchers noted increased APT28 activity targeting organizations with a stake in the recent US elections. In summary, the state-sponsored group attacked more than 200 organizations including political campaigns, advocacy groups, political parties, and political consultants. Targeted organizations included both consultants serving Republicans and Democrats; think tanks including The German Marshall Fund of the United States and advocacy organizations; national and state party organizations; as well as political parties in the UK and Europe. These attacks which date back to September 2020 and before involved the use of the nation-state groups brute-force infrastructure with researchers echoing latter reports, stating,
“In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations. Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.”
Brute-force attacks like the ones mentioned above can be defended against. Researchers advise that multi-factor authentication should be enabled wherever possible. This provides an added layer of security in case password and username combinations are correctly guessed by such an attack. It is important to note that multi-factor authentication can be circumvented but in general it is too costly and time-consuming to be used on massive campaigns such as those mentioned above. Organizations are also advised to monitor the amount of failed login attempts the organization experiences. Patterns should be noted as well as averages during specific times to help detect malicious attempts.