Nato member states are the top European targets of two state-backed Russian cyber espionage groups in the run up to European elections, according to researchers at security firm FireEye.
The groups known as APT28 and Sandworm Team are believed to be responsible for ongoing cyber espionage campaigns that date back to mid-2018.
APT28 – also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and Strontium – has previously been linked to several prominent cyber attacks, including attacks targeting the German parliament, French television station TV5Monde, the White House, Nato, the US Democratic National Committee, and the election campaign of French presidential candidate Emmanuel Macron.
The Sandworm Team has also been tied to similar campaigns in the past, including a campaign in 2014 that used a vulnerability in Microsoft software to spy on targets including Nato and Western European governments.
In addition to government organisations, researchers found that the groups have targeted media outlets in France and Germany, political opposition groups in Russia, and LGBTQ+ organisations with links to Russia.
The groups’ most common method of initial compromise is spear phishing: sending emails designed to prompt the target to click a malicious link or open a malicious attachment. The payload is either a malicious document or a link to a fake login site used to steal passwords.
To increase their chances of success, the attackers register and use internet domains similar to those which are familiar and trusted by the recipients, the researchers said.
For example, targets within European governments have been sent emails containing links that appear to point to genuine government websites, from a sender that also appears to be genuine. These emails entice targets to click a link to change their password, which hands their credentials to the attacker.
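The lookalike domains and fake password-reset links described above are something a mail gateway can screen for. The following is an added example, not FireEye's code or anything from the report: it pulls the sender domain and every linked hostname out of a message and flags those that are typosquats of, or embed, a trusted domain. The allowlist, the sample message and the two-label registered-domain rule are all constructed assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed allowlist: domains the recipients know and trust (hypothetical names).
TRUSTED_DOMAINS = {"parliament.example", "europa.example"}

def normalise(name):
    # Fold common lookalike spellings so "parliarnent" compares equal to "parliament".
    name = name.lower().replace("rn", "m").replace("vv", "w")
    return name.translate(str.maketrans("0135", "oles"))

def levenshtein(a, b):
    # Edit distance: a small distance to a trusted domain is the typosquat signal.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Assumes a two-label registrable suffix; use the public suffix list in production.
    return ".".join(host.lower().split(".")[-2:])

def classify(host):
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name used as a subdomain of an attacker-controlled domain.
    if any(host.startswith(t + ".") or "." + t + "." in host for t in TRUSTED_DOMAINS):
        return "lookalike-subdomain"
    if any(levenshtein(normalise(reg), normalise(t)) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

def extract_hosts(message):
    # Sender domain from the From: header, plus every hostname found in a link.
    hosts = re.findall(r"^From:.*?@([A-Za-z0-9.-]+)", message, flags=re.M)
    links = re.findall(r'''https?://[^\s"'<>]+''', message)
    return hosts + [h for h in (urlparse(u).hostname for u in links) if h]

def audit(message):
    return [(host, classify(host)) for host in extract_hosts(message)]

# Constructed sample in the style the article describes: lookalike sender, lookalike link.
SAMPLE_EMAIL = """From: IT Security <helpdesk@parliarnent.example>
Reset your password now: https://parliament.example.account-reset.net/login
Internal portal: https://intranet.parliament.example/
"""
```

Running `audit(SAMPLE_EMAIL)` flags the sender domain as a lookalike and the reset link as a trusted name embedded in someone else's domain, while the genuine intranet link passes.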
“The groups could be trying to gain access to the targeted networks to gather information that will allow Russia to make more informed political decisions, or it could be gearing up to leak data that would be damaging for a particular political party or candidate ahead of the European elections,” said Benjamin Read, senior manager of cyber espionage analysis at FireEye.
“The link between this activity and the European elections is yet to be confirmed, but the multiple voting systems and political parties involved in the elections create a broad attack surface for hackers.”
Although the activity of APT28 and Sandworm Team appears to be aligned, researchers said the tools and methods used by the two groups differ: Sandworm Team tends to use publicly available tools, whereas APT28 uses costly custom tools and has deployed zero-day exploits. A zero-day exploit takes advantage of a weakness discovered in software before a fix becomes available.
Where possible, FireEye said it had notified targeted organisations after identifying attacks.