Russian Government behind Long-Term Cyberespionage Campaign?

According to a report issued by security firm FireEye last October, a group of hackers known as APT28 has been secretly targeting government organizations around the world in an attempt to gather as yet unknown information, in a campaign with its roots in Russia. Specifically, FireEye was able to determine that APT28 has an apparent government sponsor located in Moscow. Unlike many of the China-based threats that have made recent headlines, the hackers of APT28 do not appear to be seeking financial gain from the intellectual property stolen during a breach.

Instead, this group targets intellectual property that would be useful to a government with unknown intentions. FireEye's October report indicates that this group has been infiltrating the IT systems of government organizations, military contractors, and private security firms since at least 2007. All of the information obtained thus far indicates that the stolen information directly benefits the Russian government. For instance, a breach of the US State Department last year that specifically sought information about President Barack Obama's travel schedule has been linked to this clandestine organization.

Recently, APT28 was reported to be using vulnerabilities in Adobe Flash and Microsoft Windows to infiltrate these critical data systems.

According to the FireEye report, the group uses a series of constantly evolving malware platforms designed for long-term infiltration campaigns and tailored to the target environment. These malware strains have been designed to hamper reverse-engineering efforts, although security researchers have established that the code was developed in a formal software development environment.

Specifically, the report indicates that a limited APT28 campaign was exploiting zero-day vulnerabilities in Adobe Flash together with a yet-unpatched vulnerability in Microsoft Windows. This new pattern of attacks reportedly began on April 13th of this year. Adobe has already patched one of the vulnerabilities being exploited by the Russian cybercriminals (CVE-2015-3043). The outstanding local privilege escalation vulnerability in the Windows OS (CVE-2015-1701) has not yet been patched by Microsoft; however, updating Adobe Flash to the latest version renders the Windows flaw useless, because APT28 uses the two flaws in conjunction during its recent cyberespionage campaigns.

From a high-level point of view, the exploit chain works as follows:

1. The user clicks a malicious link that redirects them to an attacker-controlled website
2. A JavaScript launcher serves the Flash exploit
3. CVE-2015-3043 is triggered and shellcode is executed
4. The shellcode downloads and runs the payload
5. The payload exploits the local privilege escalation flaw (CVE-2015-1701) to steal a SYSTEM token

Again, while the Microsoft vulnerability remains unpatched, as long as Adobe Flash is updated to the latest version, APT28 is unable to complete the exploit chain and gain elevated privileges on the compromised system. To protect yourself from this threat, ensure that both Flash and Windows have all of the latest patches installed and, if you haven't done so already, enable automatic updates for both so that your PC is protected from this threat and from any new techniques APT28 may employ in the future.
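The advice above boils down to "is the Flash build on this PC new enough, and will it keep itself patched?". The following PowerShell check is an added example, not code from the PCrisk article or from FireEye: it reads the installed Flash build from Adobe's registry key, compares it with the first build that carried the CVE-2015-3043 fix (17.0.0.169, taken from Adobe's APSB15-06 bulletin and assumed here), and inspects Adobe's mms.cfg for the silent auto-update settings.

```powershell
# Added example (not part of the original article). Assumptions: Adobe stores the
# installed build under HKLM\SOFTWARE\Macromedia\FlashPlayer as "17,0,0,169", the
# fix for CVE-2015-3043 first shipped in build 17.0.0.169 (APSB15-06), and the
# auto-update policy lives in mms.cfg under Macromed\Flash.

$FixedBuild = [version]'17.0.0.169'   # first build containing the CVE-2015-3043 fix (assumption)

function Get-FlashVersion {
    # Adobe writes the build as a comma-separated string; convert it to a [version] for comparison
    $key = 'HKLM:\SOFTWARE\Macromedia\FlashPlayer'
    $raw = (Get-ItemProperty -Path $key -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
    if (-not $raw) { return $null }
    return [version]($raw -replace ',', '.')
}

function Test-FlashAutoUpdate {
    # mms.cfg sits in System32 (and SysWOW64 on 64-bit hosts); the first copy found wins
    $paths = @("$env:WINDIR\System32\Macromed\Flash\mms.cfg",
               "$env:WINDIR\SysWOW64\Macromed\Flash\mms.cfg")
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $cfg      = Get-Content $p
            $disabled = $cfg -match '^\s*AutoUpdateDisable\s*=\s*1'       # updates switched off entirely
            $silent   = $cfg -match '^\s*SilentAutoUpdateEnable\s*=\s*1'  # background updates on
            return ((-not $disabled) -and [bool]$silent)
        }
    }
    # No mms.cfg means Flash only prompts the user about updates; treat that as not enforced
    return $false
}

$installed = Get-FlashVersion
if ($null -eq $installed) {
    Write-Output 'Flash Player not found in the registry; nothing to patch.'
} elseif ($installed -lt $FixedBuild) {
    Write-Output "VULNERABLE: Flash $installed is older than $FixedBuild (CVE-2015-3043 fix missing)."
} else {
    Write-Output "OK: Flash $installed includes the CVE-2015-3043 fix."
}

if (Test-FlashAutoUpdate) {
    Write-Output 'Flash silent auto-update is enabled.'
} else {
    Write-Output 'WARNING: silent auto-update is not enforced; set SilentAutoUpdateEnable=1 and AutoUpdateDisable=0 in mms.cfg.'
}
```

Run it from an elevated PowerShell prompt on each workstation; a "VULNERABLE" line means the Flash half of the chain described above is still open regardless of the Windows patch state.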

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
