When Hillary Clinton’s former campaign chief received a bogus email that an elite Russian hacking unit allegedly sent, he clicked on its malicious link, giving the hackers access to 58,000 or so emails.
Such a hack is known as “spearphishing,” and it turns out to be only the simplest tool in a sophisticated Russian hacking kit, according to a report issued Wednesday by FireEye, a Milpitas, California, cybersecurity company whose experts have been examining the group since 2007.
Other tools include setting up “watering holes” on websites likely to be visited by individuals of interest, infecting visitors in the digital equivalent of a drive-by shooting, or exploiting “zero day” flaws, unpatched software bugs that can give hackers control of targeted computers, servers or networks and the material they store.
The techniques are malicious and nearly impossible for nonprofessionals to block.
“They are so capable,” FireEye’s Jonathan Wrolstad said of the Russian military unit. “In some ways, it may seem futile because they are so skilled. If you block them one way, they are going to look for the next way and the next way until they achieve their goal.”
The Russian hackers are linked to the Russian military intelligence service, known as the GRU, and its targets span the globe and parallel the interests of the Russian state, FireEye said.
In late 2014, FireEye dubbed the Russian hacking unit APT28, a name derived from “advanced persistent threat.” Other cybersecurity firms have given the unit names like Fancy Bear, Sofacy, Tsar Team and Pawn Storm. All the names refer to the same hacker team.
The FireEye report says APT28 hackers have targeted areas of strategic Russian interest including “the conflict in Syria, NATO-Ukraine relations, the European Union refugee and migrant crisis, the 2016 Olympics and Paralympics Russian athlete doping scandal, public accusations regarding Russian state-sponsored hacking and the 2016 U.S. presidential election.”
The 13-page FireEye report is called: “APT28: At the Center of the Storm: Russia Strategically Evolves its Cyber Operations.”
Targets of APT28 hacks, compiled by FireEye, include government entities or political parties in Germany, Poland, Kyrgyzstan, Ukraine and the United States, the World Anti-Doping Agency, the Organization for Security and Cooperation in Europe and French TV5Monde as well as active or retired political figures, including former Clinton campaign chief John Podesta and former Secretary of State Colin Powell.
While it’s not included in Wednesday’s report, Wrolstad said APT28 had also targeted U.S. defense contractors, military attachés in Europe and Asia, and the governments of Georgia and Chile.
“We saw the Chilean government as a target of this activity back in 2014. And you wonder: How does that fit with Russia at all? So we started researching and we found that at that time there were discussions between the two militaries of Russia and Chile over some sort of arms sale or cooperation,” Wrolstad said.
APT28 and other hackers alleged to be linked to the Russian state under President Vladimir Putin have used spearphishing thousands of times.
The Obama administration’s declassified intelligence report on Russian hacking, released Dec. 29, said a parallel Russian hacking team known as APT29, thought to be operated by a domestic spying agency, the FSB, launched a massive spearphishing campaign in the summer of 2015, sending targeted emails “to over 1,000 recipients, including multiple U.S. government victims.”
It said that Russian team had routed the fake emails through domains belonging to universities and other respected institutions or groups, worming their way into the network of “a U.S. political party,” known to be the Democratic National Committee.
APT28 used a different technique to get into the DNC, luring one or more employees to click on a link to a fake webmail domain that mimicked Gmail or another service and tricked them into changing their passwords, thus sharing the new passwords with unseen Russian hackers observing from afar, the report said.
The FireEye report says, however, that the malicious toolbox owned by APT28 is large and growing. It lists six so-called “zero day” vulnerabilities the unit is known to have exploited: software flaws in products from vendors such as Adobe, Microsoft and Oracle (maker of Java) that the vendors themselves hadn’t known existed, although they were eventually patched.
The flaws are called “zero day” because the vendor has had zero days to fix them: hackers can exploit the flaw before any patch exists, so even victims who keep their software fully updated are compromised without any indication that something is wrong.
“APT28 has shown over the past two years that they are able to procure these vulnerabilities called zero days at a rate much higher than any other group we’ve observed,” Wrolstad said.
When a zero-day flaw is known only to hackers, there is no patch to apply until it is discovered and fixed; in the meantime, defenders are limited to generic measures such as running software with the least privilege it needs and watching for the suspicious activity that follows a successful exploit.
The Russian hacking toolkit includes other methods, such as creating a “watering hole.” If hackers want to penetrate a network of an organization, they might first hack into the website of a nearby business that employees use, perhaps a restaurant.
“The attackers, if they gain access to that restaurant’s website, they can just insert a line of code that tells the viewer’s browser to go load another page,” said Patrick Neighorn, head of global media relations for FireEye. That activity would be invisible to the victim, beginning a process of deeper control of a targeted computer.
The FireEye report says this technique “was used to compromise and infect visitors to numerous Polish government websites in 2014.”
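The “line of code” Neighorn describes is typically an injected script tag, hidden iframe or meta-refresh that makes the visitor’s browser fetch a page from the attacker’s server. The scanner below is an added example, not code from FireEye or from the article, showing how a site owner can check their own pages for that kind of injection: it parses the HTML and flags every resource load whose host is not on the site’s list of first-party hosts, noting when the element is also hidden from view. The sample page, the first-party hosts and the “stats-collector.example” domain are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads from. Constructed for this example.
FIRST_PARTY = {"example-bistro.test", "cdn.example-bistro.test"}

# Tags whose attribute makes the browser fetch another resource.
LOADERS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class InjectionScanner(HTMLParser):
    """Flags elements that pull content from hosts outside FIRST_PARTY."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def _foreign(self, url):
        # Relative URLs (no host) are treated as first-party.
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.first_party

    def _record(self, tag, url, attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (
            "display:none" in style or "visibility:hidden" in style
            or attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        )
        self.findings.append({"tag": tag, "url": url, "hidden": hidden})

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        attr = LOADERS.get(tag)
        if attr and self._foreign(a.get(attr, "")):
            self._record(tag, a[attr], a)
        # <meta http-equiv="refresh" content="0;url=..."> also redirects silently.
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            idx = content.lower().find("url=")
            if idx != -1 and self._foreign(content[idx + 4:].strip()):
                self._record(tag, content[idx + 4:].strip(), a)


def scan(html, first_party=FIRST_PARTY):
    """Return the list of off-origin loads found in the page."""
    scanner = InjectionScanner(first_party)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a restaurant page with one legitimate script and two injected lines.
SAMPLE = """<html><head>
<script src="https://cdn.example-bistro.test/menu.js"></script>
<script src="https://stats-collector.example/c.js"></script>
</head><body>
<h1>Today's menu</h1>
<iframe src="https://stats-collector.example/ld.html" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run against the sample, the scanner reports the foreign script and the hidden one-pixel iframe and says nothing about the legitimate CDN script. The same check is cheap to run on every deploy, or on a schedule against the live site, so that an injected line is noticed before it has infected many visitors.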
APT28 hackers can even beat vaunted two-factor authentication, which requires users not only to type in passwords but also to type ever-changing security codes, the report says.
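Why a one-time code offers little protection against a convincing fake login page: the code is valid for a short window no matter where it is typed, so an attacker who receives it on a look-alike site can forward it to the real service before it expires. The simulation below is an added example, not code from the FireEye report or the article. It implements a standard RFC 6238 TOTP check, a minimal “real” service and a relay page that forwards whatever the victim submits; the user, password and secret are constructed test values.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, t, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the default most authenticator apps use.
    t is a Unix timestamp; the code depends only on t // step."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(t // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class RealService:
    """The genuine webmail service. Checks the password and the TOTP code,
    allowing one time step of clock skew either side, as servers commonly do."""

    def __init__(self, users):
        self.users = users

    def login(self, user, password, code, now):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return False
        return any(hmac.compare_digest(code, totp(rec["totp_secret"], now + d))
                   for d in (-30, 0, 30))


class PhishingRelay:
    """The attacker's look-alike login page. Nothing in a TOTP code names the
    site it was typed into, so the captured values are simply forwarded to the
    real service while the code is still inside its validity window."""

    def __init__(self, real_service, forwarding_delay=2):
        self.real = real_service
        self.delay = forwarding_delay  # seconds between capture and replay
        self.captured = []

    def victim_submits(self, user, password, code, now):
        self.captured.append((user, password, code))
        return self.real.login(user, password, code, now + self.delay)


# Constructed test data: not a real account or secret.
SECRET = "JBSWY3DPEHPK3PXP"
SERVICE = RealService({"alice": {"password": "correct horse", "totp_secret": SECRET}})
RELAY = PhishingRelay(SERVICE)


def demo(now=1_700_000_000):
    """Returns (relay_succeeded, stale_code_accepted)."""
    code = totp(SECRET, now)  # what the victim's authenticator app displays
    relayed = RELAY.victim_submits("alice", "correct horse", code, now)
    stale = SERVICE.login("alice", "correct horse", code, now + 120)  # same code two minutes later
    return relayed, stale


if __name__ == "__main__":
    print(demo())
```

The relayed login succeeds and the same code fails two minutes later, which is exactly the gap the attacker works inside. Factors that are bound to the origin, such as a FIDO2/WebAuthn security key whose assertion is signed over the site the browser actually connected to, do not have this weakness, because the fake page cannot produce a valid assertion for the real domain.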
They also can spoof a Google App authorization request, such as when a user visits a retail or other site that allows visitors to log on using Gmail accounts, the report says.
“In a matter of about 20 minutes . . . they would have the entire contents of both your Google Drive and your Gmail account,” Wrolstad said.
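The authorization trick works because the consent page itself is Google’s own: what the victim grants is a token for an attacker-controlled application, and that token keeps working regardless of the victim’s password. The function below is an added example, not code from FireEye or the article, that breaks down a Google OAuth authorization URL and lists what a click on “Allow” would hand over. It flags broad Gmail and Drive scopes, a client_id that is not on an organisation’s approved list, a consent page not served by accounts.google.com, and a request for offline access (a refresh token). The approved-client list, client IDs and redirect hosts are constructed; the parameter names and scope strings are Google’s real ones.

```python
from urllib.parse import parse_qs, urlparse

# Google OAuth scopes that grant standing access to mailbox or file contents.
# Illustrative subset, not an exhaustive list.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}

# Third-party apps the organisation has reviewed, keyed by OAuth client_id.
# Constructed for this example.
APPROVED_CLIENTS = {
    "123456789012-crm.apps.googleusercontent.com": "Internal CRM",
}


def assess_consent_url(url):
    """Break down a Google OAuth authorization URL and list what the user would grant."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    scopes = sorted(q.get("scope", "").split())  # scopes are space-separated
    client_id = q.get("client_id", "")
    findings = []
    if u.hostname != "accounts.google.com":
        findings.append(f"consent page is not served by accounts.google.com: {u.hostname}")
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
    if risky:
        findings.append("grants standing mail/file access: " + ", ".join(risky))
    if client_id not in APPROVED_CLIENTS:
        findings.append(f"client_id not on the approved list: {client_id or '<missing>'}")
    if q.get("access_type") == "offline":
        findings.append("asks for a refresh token, so access outlives the browser session")
    return {
        "app": APPROVED_CLIENTS.get(client_id, "unknown"),
        "client_id": client_id,
        "scopes": scopes,
        "redirect_host": urlparse(q.get("redirect_uri", "")).hostname,
        "findings": findings,
    }


# Constructed sample URLs: a vetted internal app asking only for identity,
# and an unknown app asking for full mailbox and Drive access with a refresh token.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-crm.apps.googleusercontent.com"
    "&redirect_uri=https://crm.example-corp.test/oauth/callback"
    "&response_type=code&scope=openid%20email"
)
SUSPICIOUS_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=987654321098-defender.apps.googleusercontent.com"
    "&redirect_uri=https://login-security-check.example/cb"
    "&response_type=code&access_type=offline"
    "&scope=https://mail.google.com/%20https://www.googleapis.com/auth/drive"
)

if __name__ == "__main__":
    for name, url in (("benign", BENIGN_URL), ("suspicious", SUSPICIOUS_URL)):
        result = assess_consent_url(url)
        print(name, result["app"], result["redirect_host"], result["findings"] or "no findings")
```

The suspicious URL produces three findings even though its consent page is the genuine Google one, which is the point: the domain in the address bar is not the thing to check. An organisation that cannot restrict which third-party apps its users may authorize should at least review the granted apps in each account’s third-party access settings and revoke anything unrecognised, since revoking the grant is what actually cuts off the token.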