
Russia’s Latest Cyber Weapon

November 25, 2018 | Expert Insights

Russia’s new technique for stealing data involves sending “weaponised documents” as email attachments that retrieve system information about the target’s computer, which is then sent back to a remote server set up by the hackers.

Background

A January 2017 assessment by the United States’ Office of the Director of National Intelligence (ODNI) stated that the Russian leadership favoured presidential candidate Donald Trump over Hillary Clinton, and that Russian president Vladimir Putin personally ordered an “influence campaign” to harm Clinton’s chances and “undermine public faith in the US democratic process”. On October 7, 2016, the ODNI and the Department of Homeland Security (DHS) jointly stated that the U.S. Intelligence Community was confident that the Russian government had directed the recent hacking of emails with the intention of interfering with the U.S. election process. According to the ODNI’s report of January 6, 2017, the Russian military intelligence service (GRU) had hacked the servers of the Democratic National Committee (DNC) and the personal Google email account of Clinton campaign chairman John Podesta and forwarded their contents to WikiLeaks. On July 13, 2018, 12 Russian military intelligence officers were indicted by Special Counsel Robert Mueller for allegedly hacking the email accounts and networks of Democratic Party officials.

Analysis

When Robert Mueller’s grand jury handed down its indictment of 12 Russian intelligence officers in July 2018, one name in the 29-page document was instantly familiar to security researchers who have been on the trail of one of the Internet’s most notorious hacking groups.

Known variously as Fancy Bear, Sofacy, Pawn Storm, Strontium, Tsar Team, Sednit, and APT28, the Russian hackers who carried out the intrusions for the Kremlin’s election interference campaign have been active for about 12 years, breaching NATO, Obama’s White House, a French television station, the World Anti-Doping Agency, countless NGOs, and military and civilian agencies across Europe, Central Asia and the Caucasus.

Researchers know Fancy Bear by the methods they use, the maze of covert servers undergirding their campaigns and, most of all, their code. The best-known piece of that code is the malware X-Agent. X-Agent was used in the 2016 DNC hack, but its lineage goes back years before that. It sits at the tail end of what the security world calls the “cyber kill chain”: after the hackers have reconnoitred a target, found their way onto a computer and decided that the machine is worth keeping, the final step is to install persistent malware that lets them monitor and control the computer indefinitely. X-Agent is a reliable long-term backdoor with all the basic features a cyber spy needs. Among other things, it can steal passwords, log keystrokes and capture images of the infected computer’s screen.

Where some other state-sponsored attackers prefer off-the-shelf malware, Fancy Bear is known for mostly staying in-house, developing and continuously improving dozens of purpose-built tools.

According to findings from the security firm Palo Alto Networks, the prolific hacking group has a new phishing tool in its arsenal. The trojan, delivered through a malicious document attachment, uses a classic technique to send information about the target system back to a remote server, but that technique has been reworked for current use.

The malware communicates with its command and control server by sending and receiving email over encrypted connections, so the messages cannot be inspected in transit and the traffic blends in with ordinary mail. Hackers use all sorts of communication schemes for command and control, including hiding communications in a victim’s regular network traffic, piggybacking on compromised web services, or tunnelling data inside ordinary protocol requests such as DNS lookups. Using email for this communication was widely popular several years ago but had largely faded until its reappearance here.
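Because the mail sessions themselves are encrypted, a defender is left with connection metadata: which internal hosts talk to which mail servers, and how often. The script below is an added example, not code from the original article or from Palo Alto Networks’ research. It assumes the implant uses standard TLS mail ports (465/587 to send, 993/995 to fetch replies) and that the organisation knows its own mail servers; it flags a host that both sends to and fetches from the same unapproved mail server at a regular interval, which is the two-way, beacon-like pattern a mailbox-based C2 channel produces. The log lines are constructed in a Zeek conn.log-like layout, and the addresses are documentation ranges, not real infrastructure.

```python
"""Hunt for mailbox-based C2 from connection metadata only.

Added example, not from the original article or from Palo Alto Networks.
Assumptions: the implant uses standard TLS mail ports (465/587 outbound,
993/995 to poll for commands) and the corporate mail servers are known.
SAMPLE_LOG is constructed test data in a Zeek conn.log-like layout.
"""
from collections import defaultdict
from statistics import pstdev

SEND_PORTS = {465, 587}        # SMTPS / mail submission over TLS
FETCH_PORTS = {993, 995}       # IMAPS / POP3S
APPROVED_MAIL_SERVERS = {"10.0.0.25"}   # assumed corporate mail relay

# Constructed sample: ts, src, dst, dst_port (tab separated).
# 10.0.0.42 sends to and then polls the same outside mailbox every ~600 s;
# 10.0.0.43 only uses the corporate server; 10.0.0.44 polls once.
SAMPLE_LOG = """\
1542900000.1\t10.0.0.42\t198.51.100.7\t465
1542900001.9\t10.0.0.42\t198.51.100.7\t995
1542900600.3\t10.0.0.42\t198.51.100.7\t465
1542900602.0\t10.0.0.42\t198.51.100.7\t995
1542901200.2\t10.0.0.42\t198.51.100.7\t465
1542901201.7\t10.0.0.42\t198.51.100.7\t995
1542900300.0\t10.0.0.43\t10.0.0.25\t587
1542900310.0\t10.0.0.43\t10.0.0.25\t993
1542900500.0\t10.0.0.44\t198.51.100.9\t995
"""


def parse(log_text):
    """Turn the tab-separated log into (ts, src, dst, port) tuples."""
    rows = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split("\t")
        rows.append((float(ts), src, dst, int(port)))
    return rows


def suspicious_mail_c2(rows, min_rounds=3, max_jitter=0.2):
    """Return {(src, dst): stats} for host/server pairs that both send to and
    fetch from an unapproved mail server at least min_rounds times, with the
    send times spaced regularly (relative std-dev of the gaps <= max_jitter)."""
    min_rounds = max(min_rounds, 2)            # need at least one gap to measure
    by_pair = defaultdict(lambda: {"send": [], "fetch": []})
    for ts, src, dst, port in rows:
        if dst in APPROVED_MAIL_SERVERS:
            continue                           # legitimate corporate mail
        if port in SEND_PORTS:
            by_pair[(src, dst)]["send"].append(ts)
        elif port in FETCH_PORTS:
            by_pair[(src, dst)]["fetch"].append(ts)

    findings = {}
    for pair, times in by_pair.items():
        if len(times["send"]) < min_rounds or len(times["fetch"]) < min_rounds:
            continue   # one-directional use (a single poll, a notification) is not a channel
        sends = sorted(times["send"])
        gaps = [b - a for a, b in zip(sends, sends[1:])]
        mean = sum(gaps) / len(gaps)
        jitter = pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            findings[pair] = {
                "rounds": len(sends),
                "interval_s": round(mean),
                "jitter": round(jitter, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), stats in suspicious_mail_c2(parse(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {stats}")
```

Real mail clients also send and fetch, so the allowlist of approved servers does most of the work; the regularity test is a triage aid for what remains, not proof of compromise, and a host that uses an unsanctioned mail service at regular intervals still warrants a look at which process owns the connections.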

Palo Alto Networks identified a particularly suspicious email attachment titled “crash list(Lion Air Boeing 737).docx” that, when opened, attempts to fetch a Microsoft Word template from a remote server; the template, not the document itself, carries the malicious code, so the attachment looks clean to scanners that only inspect the file they are handed. The lure also shows the group exploiting recent events: the file name refers to Lion Air Flight 610, the Boeing 737 that crashed in October 2018, killing all 189 people on board.
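A static check for this delivery mechanism, as an added example rather than code from the article or from Palo Alto Networks. It assumes the lure works like a standard remote-template injection: the .docx declares an attached template in word/settings.xml, and the matching relationship in word/_rels/settings.xml.rels has TargetMode="External" with a target that Word must fetch over the network. The sample document it builds is constructed for the demonstration; it is not the real “crash list(Lion Air Boeing 737).docx”, and 203.0.113.5 is a documentation address.

```python
"""Flag Word documents that pull in a template from a remote server when opened.

Added example, not from the original article or from Palo Alto Networks.
It assumes the lure uses standard remote-template injection: word/settings.xml
carries <w:attachedTemplate r:id="..."/> and word/_rels/settings.xml.rels maps
that id to a TargetMode="External" relationship with a network target.  The
sample .docx built below is constructed for the demo and is not the real lure.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_ATTACHED_TEMPLATE = NS_R + "/attachedTemplate"


def is_network_target(target: str) -> bool:
    """True if Word would have to reach out over the network for this target."""
    u = urlparse(target)
    scheme = u.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    if scheme == "file":
        # file:///C:/Users/.../Normal.dotm is the usual local template and is
        # harmless; file://host/share/x.dotm is a network share.
        return bool(u.netloc)
    return target.startswith("\\\\")  # bare UNC path \\host\share\x.dotm


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the external template targets the document will fetch on open."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if {"word/settings.xml", "word/_rels/settings.xml.rels"} - names:
            return hits  # no attached template can be resolved
        settings = ET.fromstring(z.read("word/settings.xml"))
        # Only the relationship ids that settings.xml actually names are loaded.
        used_ids = {
            node.get(f"{{{NS_R}}}id")
            for node in settings.iter(f"{{{NS_W}}}attachedTemplate")
        }
        rels = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in rels.iter(f"{{{NS_REL}}}Relationship"):
            if rel.get("Type") != REL_ATTACHED_TEMPLATE:
                continue
            if rel.get("Id") not in used_ids or rel.get("TargetMode") != "External":
                continue  # not referenced by settings.xml, or an internal part
            target = rel.get("Target", "")
            if is_network_target(target):
                hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Construct a minimal .docx for testing (constructed data, not a real lure)."""
    rel_lines = [f'<Relationships xmlns="{NS_REL}">']
    settings_body = ""
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rel_lines.append(
            f'<Relationship Id="rId1" Type="{REL_ATTACHED_TEMPLATE}" '
            f'Target="{template_target}"{mode}/>'
        )
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    rel_lines.append("</Relationships>")
    settings = f'<w:settings xmlns:w="{NS_W}" xmlns:r="{NS_R}">{settings_body}</w:settings>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", f'<w:document xmlns:w="{NS_W}"/>')
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rel_lines))
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://203.0.113.5/templates/crash_list.dotm")
    print(remote_templates(lure))   # ['http://203.0.113.5/templates/crash_list.dotm']
    local = build_sample_docx("file:///C:/Users/victim/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print(remote_templates(local))  # []
```

The check deliberately ignores local templates (file:///C:/... paths and relative names), which appear in many legitimate documents, and reports only targets that force a network fetch; a mail gateway or sandbox can run it on .docx and .dotx attachments before any macro analysis, since the document itself may contain no macros at all.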

Assessment

Our assessment is that in order to combat hackers that are known for constantly evolving their tools and creating new attacks that fly under the radar, governments will need to increase support and funding to national cybersecurity resources. We believe that failure to develop a strong security infrastructure in digital spaces could lead to political instability.