Online Security Experts Link More Cyber Attacks to Russian Government

Russian President Vladimir Putin, Oct.17, 2014From Nicole Perlroth, New York Times:  For the second time in four months, researchers at a computer security company are connecting the Russian government to electronic espionage efforts around the world.

In a report released on Tuesday by FireEye, a Silicon Valley firm, researchers say hackers working for the Russian government have for seven years been using sophisticated techniques to break into computer networks, including systems run by the government of Georgia, other Eastern European governments and militaries, the North Atlantic Treaty Organization and other European security organizations.

The report does not cite any direct evidence of Russian government involvement, such as a web server address or the individuals behind the attack, nor does it name the Russian agency responsible. The researchers have made the government connection because the malicious software used in the incidents was written during Moscow and St. Petersburg working hours on computers that use Russian language settings and because the targets closely align with Russian intelligence interests.

“This is state espionage,” Laura Galante, FireEye’s manager of threat intelligence, said in an interview on Tuesday. “This is Russia using its network operations to bolster their key political goals.”

FireEye is one of several security firms to tie the Russian government to hacking incidents. In July, three security firms, Symantec, F-Secure and CrowdStrike, also tied a string of coordinated attacks on Western oil and gas companies to Moscow.

“You only exist as a significant Russian cybercriminal if you abide by three rules,” said Tom Kellermann, chief cybersecurity officer at Trend Micro, a security firm based in Irving, Tex. “You are not allowed to hack anything within the sovereign boundary; if you find anything of interest to the regime you share it; and when called upon for ‘patriotic activities,’ you do so. In exchange you get ‘untouchable status.’ “

One top-secret 2009 N.S.A. report, for example, named the Russian Nashi, a pro-Kremlin youth group, as the culprit behind the powerful 2007 cyberattacks on Estonia that nearly crippled the Baltic nation. . . .

The espionage campaign, called APT28 by researchers at FireEye, started in 2007. Security researchers say professional hackers have been infecting their targets with malware, using emails containing malicious links and attachments. This malware can change its characteristics, making it hard to detect. . . .

The targets, FireEye’s researchers say, include the Ministry of Internal Affairs of Georgia and its Ministry of Defense, journalists writing on Caucasus issues, and the Kavkaz Center, an international news agency focused on issues in Chechnya, Russia, and Islam. Researchers have also tied the campaign to attacks on the governments of Poland and Hungary and an Eastern European government’s ministry of foreign affairs. European security organizations, including NATO, the Organization for Security and Co-operation in Europe and the Baltic Host, a military exercise, have also been targets.

From the Guardian:  Alongside the list of targets, other data has indicated the Russian government’s involvement, FireEye said, including the long-term development of its hacker tools – the Sourface downloader, which installs the Eviltoss backdoor on target machines.

“APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organisation, most likely a nation-state government,” the report read.

“APT28’s malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours, which suggests that the Russian government is APT28’s sponsor. . . .”

However, Russian security firm Kaspersky Lab said it had been tracking the same group, which it calls Sofacy. It was involved in investigations into a Sofacy attack in eastern Europe and has also gathered evidence showing the involvement of Russian-speaking hackers.

“The Sofacy group is using multiple malware families, including some that are not mentioned in the FireEye paper,” Aleks Gostev, chief security expert in the Global Research and Analysis Team at Kaspersky Lab, told the Guardian. . . .

Gostev said his team has also seen suggestions of a link between Sofacy and a group called Miniduke, which has been attempting to infiltrate a range of European targets and Nato.

Image: Russian President Vladimir Putin, Oct.17, 2014 (photo: Office of the President of Russia)