The FBI informed the organizations in May that the Russian elite hackers had attacked them. The campaign is likely to continue.
Russia's military intelligence agency, the GRU, has carried out many of the most aggressive hacking operations in history: destructive worms, blackouts, and, most relevant to Americans, a comprehensive hack-and-leak operation designed to influence the outcome of the 2016 presidential election. It now appears that the GRU has once again broken into US networks in a series of previously unreported intrusions targeting organizations ranging from government agencies to critical infrastructure.
From December 2018 to at least May of this year, the GRU hacker group known as APT28 or Fancy Bear carried out a broad hacking campaign against US targets. This emerges from an FBI notification sent in May to the victims of the breaches and obtained by WIRED. According to the FBI, the GRU hackers primarily tried to penetrate the victims' mail servers, Microsoft Office 365 and email accounts, and VPN servers. The targets included "a wide range of US-based organizations, state and federal government agencies, and educational institutions," the FBI notification said. And the technical breadcrumbs contained in that notification show that APT28 hackers appear to have targeted the U.S. energy sector as part of the same effort.
The revelation of a potentially ongoing GRU hacking spree aimed at the US is particularly worrying given the GRU's previous operations, which often went beyond mere espionage and included embarrassing email leaks or even disruptive cyber attacks. In particular, APT28 hackers have been the subject of U.S. indictments for hack-and-leak operations targeting both the 2016 US election and the global anti-doping agency. The latter attack was apparent retaliation for the International Olympic Committee's ban of Russia from the 2018 Olympics over performance-enhancing drug use.
"Although not all of the motives are clear, we can make judgments based on the nature of the targets, as evidenced by previous indictments," an FBI spokesman wrote in a statement responding to WIRED's request for further comment on the notification sent to the APT28 hacking victims. The FBI also says the GRU hacking campaign has likely continued in the past few months. "An advanced persistent threat is just that," the spokesman added, referring to the acronym APT after which APT28 is named. "There is an expectation of continued activity."
According to the FBI's victim notification, APT28 hackers gained access to networks through spear-phishing emails sent to both personal and business email accounts. They also used password-spraying attacks, in which hackers try a few common passwords against many accounts, as well as brute-force attacks, in which a long list of passwords is guessed against one or a small number of accounts.
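The two techniques the notification describes leave different footprints in authentication logs: a spray produces a few failures each across many accounts from one source, while brute force produces many failures against one account. The following Python script, added here as an illustration and not part of the original article or the FBI notice, classifies sources in a constructed log sample; the log format, the `example.org` accounts, the documentation-range IPs and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "AUTH_FAIL src=... user=..." format.
LOG_LINES = (
    # Password spray: one source tries two passwords against forty accounts.
    [f"2020-05-01T10:{i:02d}:00Z AUTH_FAIL src=203.0.113.7 user=user{i}@example.org"
     for i in range(1, 41) for _ in range(2)]
    # Brute force: one source works a long password list against a single account.
    + [f"2020-05-01T11:00:{i % 60:02d}Z AUTH_FAIL src=198.51.100.9 user=admin@example.org"
       for i in range(150)]
    # Benign: a legitimate user mistypes their password twice.
    + ["2020-05-01T12:00:00Z AUTH_FAIL src=192.0.2.5 user=user3@example.org"] * 2
)

FAIL_RE = re.compile(r"AUTH_FAIL src=(\S+) user=(\S+)")


def parse_failures(lines):
    """Extract (source, account) pairs from failed-login log lines; skip non-matching lines."""
    pairs = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def classify_sources(lines, spray_min_accounts=20, spray_max_per_account=3,
                     brute_min_attempts=50):
    """Label each source IP as 'spray', 'brute_force' or 'benign'.

    Thresholds are assumed tuning values, not figures from the FBI notice:
    - spray: failures spread over many accounts, few per account
    - brute_force: many failures concentrated on a single account
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for src, account in parse_failures(lines):
        per_source[src][account] += 1
    verdicts = {}
    for src, accounts in per_source.items():
        max_per_account = max(accounts.values())
        if len(accounts) >= spray_min_accounts and max_per_account <= spray_max_per_account:
            verdicts[src] = "spray"
        elif max_per_account >= brute_min_attempts:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "benign"
    return verdicts
```

Because a spray spreads its attempts thinly, per-account lockout counters never trip; the source-level view above is what surfaces it.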
Within days of the FBI's notification to victims in early May, the NSA issued a public advisory that Sandworm, a separate but closely related GRU hacker group, was exploiting a vulnerability in Exim mail servers to target victims. The FBI told WIRED that it had found no connection between that exploitation and the APT28 campaign.
"They stole entire mailboxes"
An employee of one affected organization told WIRED that its IT staff had seen no signs of a successful phishing attack, but found that the hackers had accessed the organization's email server. "Once they were on the server, they stole entire mailboxes," says the employee, who asked WIRED not to reveal their identity or the organization they work for.
The FBI eventually informed the organization that it had in fact been breached by APT28. "The natural concern is, will I be the next John Podesta?" the employee says, referring to Hillary Clinton's campaign chairman, whose emails were stolen and leaked by APT28 prior to the 2016 election. "Reading the victim notification and seeing how many different organizations are likely to be affected only underlines that Russia is literally still doing what we were worried about in 2016 as we speak."
The FBI declined to comment on how many victims the APT28 campaign targeted or how many of those attempts were successful. However, security firm FireEye says it has seen a "handful" of victim organizations that were compromised by hackers using the same IP addresses the FBI listed for APT28 in its victim notification. In those cases, the hackers do not seem to have infected systems with malware, says Ben Read, a cyber-espionage analyst at FireEye, and instead used stolen credentials to act like employees on the corporate network. "It was a pretty light touch," says Read.
While neither FireEye nor the FBI would reveal the identities of APT28's victims, at least one of the group's targets appears to have been in the U.S. energy industry. A notice released by the Department of Energy in January warned that on Christmas Eve last year someone probed the login pages of a "US energy company" from an IP address that had previously been used by APT28. The same IP address was also listed by the FBI among those used by APT28 hackers through May, confirming that APT28 is very likely behind that incident.
"This is a worrying data point"
Moving into the energy sector would mark a shift in focus for APT28, says Joe Slowik, a security researcher at industrial-control-system security firm Dragos, who spotted the link between the DOE report and the FBI victim notification. "Given what we understand about how APT28 operates and its typical victimology, seeing this group interact with the US energy sector would be a significant departure from the group's behavior," he says.
Although this appears to be new territory for APT28, the GRU as a whole has hacked critical infrastructure in the past. The GRU hacker group Sandworm planted malware in the networks of US electric utilities in 2014 and then carried out the first cyberattack-induced power outages, in Ukraine, in 2015 and 2016. The notion that APT28 could now be sniffing out targets in the U.S. energy industry, or that Sandworm may be involved, is troubling given that the two groups have teamed up in the past, Slowik argues. "This is a worrying data point," says Slowik. "It is the first time in a while that this group is targeting critical US infrastructure."
A new GRU hacking campaign against U.S. organizations in 2020, in light of the GRU's infamous election interference in 2016, inevitably raises fears of another round of election meddling. US intelligence officials have warned since the beginning of this year that Russia is again trying to interfere in US politics to help re-elect President Trump. But the FBI and FireEye both say they have seen no evidence that this particular set of APT28 intrusions is related to the upcoming presidential election.
Instead, according to FireEye's Read, the campaign shows that the GRU's general interest in US targets has not ended, even if its endgame remains unclear. "The United States remains the main adversary for Russia. This is an important reminder that this is still the case," said Read. "It is difficult to say whether the escalation is significant, but it is obviously not a good thing."
This story originally appeared on wired.com.