Project#2: A Window into Russia’s cyber espionage operations (APT 28 – Fancy Bear)

Published on 30 January 2024 at 12:01

Here you'll find an in-depth exploration of my thesis and submitted CTI research project. This initiative is dedicated to improving the safeguarding of data and systems against potential threats by offering insights into APT28.

Explore how this research contributes to a deeper understanding of advanced persistent threats, ultimately aiming to fortify cybersecurity measures.

Introduction & Tracing the Evolution of Fancy Bear

Fancy Bear is the nickname of a computer hacking unit of the GRU (Russia's military intelligence agency).

The United States believes that Voodoo Bear, operated by the GRU's cyber warfare unit, Military Unit 74455, forms part of this threat actor.

The nation-state adversary group known as FANCY BEAR (also known as APT28 or Sofacy) has been operating since at least 2007.

The saga of Fancy Bear is commonly believed to have begun in the mid-2000s, when security researchers first identified the Sofacy trojan malware.

Over time, their campaigns grew more sophisticated, reflecting an escalating cyber arms race between attackers and defenders. The group's origins have been traced back to Russia by the UK's National Cyber Security Centre (NCSC), and it is widely believed to operate under the sponsorship of the Russian government, although definitive attribution in the realm of cyber warfare is often complex and challenging.

Characteristics & Formation of Advanced Persistent Threat 28 (APT28)

Fancy Bear employs advanced methods consistent with the capabilities of state actors.

They use spear phishing emails, malware drop websites disguised as news sources, and zero-day vulnerabilities.

  • Formation of Advanced Persistent Threat 28 (APT28):
    • APT28, a notorious state-backed hacking team, is formed, with its origins traced back to the GRU's cyber warfare unit, Military Unit 74455, which forms part of this threat actor.
    • This enigmatic group, also known as APT28, has left a trail of sophisticated attacks and targeted infiltrations in its wake.
    • Fancy Bear is classified by FireEye as an advanced persistent threat.
    • Fancy Bear is a state-run program, not a gang or a lone hacker, and has emerged as a strong force in the realm of cyber espionage.

 

  • Fancy Bear Alias:
    • APT28 was given the nickname "Fancy Bear" by Western cybersecurity engineers, identifying it as a distinct threat actor in the cyber landscape.
    • It goes by many names amongst intrigued researchers, and an extended list is provided below. These terms have been used interchangeably in cybersecurity literature and publications to refer to the same threat actor, APT28.

1. APT28 (by Mandiant)
2. Fancy Bear
3. Sofacy (by Kaspersky)
4. Sednit (by FireEye)
5. Pawn Storm (by Kaspersky)
6. Tsar Team (by FireEye)
7. Strontium (by Microsoft)
8. Iron Twilight
9. Grizzly Steppe (when combined with Cozy Bear)
10. Swallowtail
11. Sandworm
12. BlackEnergy Actors

Connection to Russian Military Intelligence

  • APT28, also known as Fancy Bear, was spawned by the GRU, underlining its affiliation with Russian military intelligence.
  • Cyber threat actors from the following Russian government and military organizations have conducted malicious cyber operations against IT and/or OT networks:
    • The Russian Federal Security Service (FSB), including FSB's Center 16 and Center 18
    • Russian Foreign Intelligence Service (SVR)
    • Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
    • GRU's Main Center for Special Technologies (GTsST)
    • Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)

Unraveling Motivations: Fancy Bear's Objectives

 

As we probe into Fancy Bear's motives, a multifaceted picture emerges:

  1. Political Agenda: Fancy Bear's primary focus has been on political entities, governments, and international organizations. Their operations often coincide with pivotal geopolitical events, seeking to acquire sensitive information, sway public opinion, or gather intelligence on foreign affairs.
  2. Economic Espionage: While political targets remain a priority, Fancy Bear has also set its sights on economic gains. By infiltrating corporate networks, they seek to pilfer trade secrets, intellectual property, and strategic business intelligence, providing their backers with a competitive edge.

A Glimpse into Fancy Bear's Arsenal

Fancy Bear's toolkit is a virtual armory of cutting-edge cyber weaponry, including:

Spear-Phishing Mastery

At the heart of Fancy Bear's strategy lies their cunning use of spear-phishing emails.

Crafted to deceive even the most discerning eye, these messages often impersonate trusted sources, tricking recipients into downloading malicious attachments or clicking on harmful links.

Fancy Bear is known to frequently use Zebrocy to assist in this task, a trojan malware containing a set of downloaders, droppers, and backdoors.

Zero-Day Exploits

The group has a history of leveraging zero-day vulnerabilities – previously unknown flaws in software – to launch highly targeted attacks before patches are developed.

This allows Fancy Bear to breach systems that are not yet fortified against their methods.

Custom Malware

Fancy Bear is infamous for deploying bespoke malware, tailored to evade traditional security measures.

Their arsenal includes RATs (Remote Access Trojans) and backdoors, granting them surreptitious access to compromised systems.

Watering Hole Attacks

By compromising websites frequented by their intended victims, Fancy Bear has perfected the art of "watering hole" attacks, redirecting unsuspecting users to malicious websites laden with malware.


IOCs of the APT & Detection Techniques and Rules

APT28 has previously used tools such as X Tunnel, X Agent and CompuTrace to infiltrate targeted networks, according to publicly available information.

These tools enable them to establish connections with system drivers and gain access to passwords and the LDAP server.

Their reported capabilities include monitoring keystrokes and mouse movements, accessing webcams and USB drives, searching for and replacing files, as well as maintaining a persistent connection (Centre, 2018).

To detect APT28 malware, the NCSC advisory provides signatures and Indicators of Compromise (IOCs).

However, it is important to note that relying on network-based signatures alone does not guarantee detection of APT28 within a network, because many of the threat actor's communication modules are concealed within encrypted protocols such as SSL/TLS in order to evade content-based signatures.

X Agent Command and Control (C2) servers have used the following IP addresses and domains to communicate with victims. For example:

IP Address        Domain
139.5.177.205     malaytravelgroup.com
80.255.6.15       worldimagebucket.com
89.34.111.107     fundseats.com
86.106.131.229    globaltechengineers.org
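The table above is only useful once it is run against real telemetry. The following is an added example, not code from the original post or from the NCSC advisory, that matches the four X Agent C2 pairs against proxy log lines. Only the IP/domain pairs come from the page; the log lines are constructed, and the line format (`<timestamp> <client_ip> <requested_host> <dest_ip> <dest_port> <method>`) is an assumption. Subdomains of a listed domain are treated as hits, since C2 operators commonly rotate hostnames under one registered domain.

```python
"""Added example (not from the original post): match the X Agent C2
indicators quoted on the page against proxy log lines.

Only the IP/domain pairs come from the page; the log lines below are
constructed and the log format is an assumption.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# IOCs quoted on the page: X Agent C2 IP address -> domain.
XAGENT_C2: Dict[str, str] = {
    "139.5.177.205": "malaytravelgroup.com",
    "80.255.6.15": "worldimagebucket.com",
    "89.34.111.107": "fundseats.com",
    "86.106.131.229": "globaltechengineers.org",
}
C2_DOMAINS = set(XAGENT_C2.values())

# Constructed sample proxy log (not real traffic).
SAMPLE_LOGS = """\
2024-01-30T10:01:02Z 10.1.4.23 www.example.com 93.184.216.34 443 CONNECT
2024-01-30T10:01:09Z 10.1.4.23 malaytravelgroup.com 139.5.177.205 443 CONNECT
2024-01-30T10:02:11Z 10.1.7.8 cdn.fundseats.com 89.34.111.107 80 GET
2024-01-30T10:03:40Z 10.1.9.2 updates.vendor.example 203.0.113.9 443 CONNECT
2024-01-30T10:05:15Z 10.1.4.23 80.255.6.15 80.255.6.15 80 GET
"""

# Assumed format: timestamp, client IP, requested host, destination IP, port, method.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in C2_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_matches(value: str) -> Optional[str]:
    """Return the IOC IP if `value` parses as one of the listed C2 addresses."""
    try:
        addr = str(ipaddress.ip_address(value))
    except ValueError:
        return None
    return addr if addr in XAGENT_C2 else None


def scan_logs(text: str) -> List[dict]:
    """Return one record per log line that touches X Agent C2 infrastructure."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, host, dst_ip, port, method = m.groups()
        reasons = []
        ioc_ip = ip_matches(dst_ip)
        if ioc_ip:
            reasons.append(f"destination {ioc_ip} is X Agent C2 ({XAGENT_C2[ioc_ip]})")
        ioc_dom = domain_matches(host)
        if ioc_dom:
            reasons.append(f"host {host} matches X Agent C2 domain {ioc_dom}")
        if reasons:
            hits.append({"ts": ts, "client": client, "host": host,
                         "dst_ip": dst_ip, "port": int(port), "reasons": reasons})
    return hits


def clients_by_hit_count(hits: List[dict]) -> Counter:
    """Rank internal clients by number of C2 contacts, i.e. triage order."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(h["ts"], h["client"], "->", h["host"], h["dst_ip"], "|", "; ".join(h["reasons"]))
    print("clients by hit count:", clients_by_hit_count(found).most_common())
```

The client ranking matters more than the raw hit list: as the page notes, X Agent traffic is usually wrapped in TLS, so the requested hostname in a CONNECT line is often the only plaintext indicator available, and the host that contacted two different C2 nodes is the one to image first.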

To effectively detect and counter the activities of Fancy Bear (also known as APT 28), it is essential to understand their tactics, techniques and procedures (TTPs). Given their involvement in interference operations and cyber espionage, detecting Fancy Bear requires a multifaceted approach.

One prominent weapon in Fancy Bear's arsenal is spear phishing.

To identify and block emails that aim to trick targets into revealing information or downloading malicious payloads, it is advisable to implement email filtering and monitoring systems.

Additionally, leveraging advanced threat intelligence feeds that highlight known tactics used by Fancy Bear can significantly improve spear-phishing detection accuracy.

Fancy Bear also favors Mimikatz, a credential-harvesting tool.

To tackle this threat effectively, continuous monitoring of network logs and endpoint activities for credential access patterns is crucial.

Furthermore, implementing authentication measures such as multi-factor authentication can substantially mitigate the risk of successful credential theft.

Coreshell is another custom malware associated with Fancy Bear, and countering it demands endpoint protection and behavior analysis tools.

Using signature-based detection alongside heuristics and machine learning algorithms can help identify the presence of Coreshell or similar malicious code.

Regularly updating antivirus signatures and conducting system scans are components of this defense strategy.

Addressing the attribution challenges tied to Fancy Bear necessitates collaboration and sharing of threat intelligence among parties.

By engaging with cybersecurity communities, participating in information-sharing platforms and leveraging international partnerships, we can significantly improve our ability to accurately attribute cyber threats.

Given that Fancy Bear targets entities such as the Democratic National Committee (DNC), it becomes crucial to invest in network segmentation and monitoring for security (Howell O'Neillarchive, 2019).


TTP Summary Based on Latest Attacks

1. Infamous Chisel

  • Infamous Chisel is a set of components that allows persistent access to an infected Android device via the Tor network and collects and exfiltrates victim data from compromised devices on a regular basis.
  • The information stolen is a mix of system device information, commercial application information, and Ukrainian military applications. (Cybersecurity and Infrastructure Security Agency, 2023)
  • The malware scans the device on a regular basis for information and files of interest that match a predefined set of file extensions.
  • It also has the ability to scan the local network on a regular basis, gathering information about active hosts, open ports, and banners.
  • Infamous Chisel also allows remote access by configuring and running Tor with a hidden service that forwards to a modified Dropbear binary that provides an SSH connection.
  • Network monitoring and traffic collection, SSH access, network scanning, and SCP file transfer are among the other features. (National Cyber Security Centre, 2023)

 

2. Energy Firms Hacked in Largest Coordinated Attack on Denmark

  • In May 2023, Danish critical infrastructure was exposed to the most extensive cyber-related attack experienced in Denmark to date. 22 companies that operate parts of the Danish energy infrastructure were compromised in a coordinated attack.
  • The result was that the attackers gained access to some of the companies’ industrial control systems and several companies had to go into island mode operation.
  • In this specific case, there was a vulnerability which allowed an attacker to send network packets to a Zyxel firewall and gain complete control of the firewall without knowing either usernames or passwords for the device.
  • What made the situation extra serious was that it is precisely the firewall that must protect the equipment behind it that was vulnerable.
  • On April 25, 2023, Zyxel, which produces firewalls used by many of SektorCERT’s members, announced that there was a critical vulnerability in a number of their products.
  • The vulnerability received a score of 9.8 on a scale of 1-10, which means that the vulnerability was both relatively easy to exploit and that it could have major consequences. The reference for the vulnerability was CVE-2023-28771.
  • The vulnerability itself was exploited by sending a single specially crafted data packet to port 500 over the protocol UDP towards a vulnerable Zyxel device.
  • The packet was received by the Internet Key Exchange (IKE) packet decoder on the Zyxel device. Precisely in this decoder was the said vulnerability.
  • The result was that the attacker could execute commands with root privileges directly on the device without authentication.
  • The attack could be performed by sending a single packet towards the device; 11 companies were compromised immediately.
  • This means that the attackers gained control of the firewall at these companies and thus had access to the critical infrastructure behind it. (Arghire, 2023)

3. APT28 exploiting Microsoft Exchange servers using CVE-2020-0688 and CVE-2020-17144 for remote code execution and further access to target networks.

  • From at least mid-2019 to early 2021, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes® cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.
  • GTsSS malicious cyber activity has previously been attributed by the private sector under the names Fancy Bear, APT28, Strontium, and a variety of other identifiers. The 85th GTsSS targeted organizations that use Microsoft Office 365® cloud services, but they also targeted other service providers and on-premises email servers using a variety of different protocols. These efforts are almost certainly still ongoing.
  • The 85th GTsSS actors can use this brute force capability to access protected data, including email, and identify valid account credentials. These credentials can then be used for a variety of tasks, such as initial access, persistence, privilege escalation, and defense evasion.
  • The actors used identified account credentials in conjunction with publicly known vulnerabilities, such as CVE-2020-0688 and CVE-2020-17144 on Microsoft Exchange servers, to gain remote code execution and further access to target networks.
  • Many well-known tactics, techniques, and procedures (TTPs) are combined after gaining remote access to move laterally, evade defenses, and collect additional information within target networks. (US Department of Defense, 2021)
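The distinguishing feature of the campaign described above is that the brute forcing was distributed and anonymized: failures for a single account arrive from many unrelated source addresses, which defeats per-IP lockout. The following is an added example, not from the original post or the advisory it cites, that detects that pattern in authentication logs and additionally flags a success that follows such a burst. It goes slightly beyond the page by also covering the mirror-image case, one source trying many accounts (password spraying). The log lines are constructed; the format (`<timestamp> <account> <source_ip> <SUCCESS|FAIL>`), the window and the thresholds are assumptions.

```python
"""Added example (not from the original post): detect distributed brute force
(many sources, one account) and password spraying (one source, many accounts)
in authentication logs, and flag a success that follows a distributed burst.

Log lines are constructed; format, window and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log: timestamp, account, source IP, result.
SAMPLE_AUTH_LOG = """\
2021-03-01T08:00:01Z alice@example.org 198.51.100.10 FAIL
2021-03-01T08:00:05Z alice@example.org 198.51.100.11 FAIL
2021-03-01T08:00:09Z alice@example.org 203.0.113.7 FAIL
2021-03-01T08:00:14Z alice@example.org 203.0.113.8 FAIL
2021-03-01T08:00:20Z alice@example.org 192.0.2.44 FAIL
2021-03-01T08:00:31Z alice@example.org 192.0.2.45 SUCCESS
2021-03-01T08:02:00Z bob@example.org 10.5.0.9 FAIL
2021-03-01T08:02:04Z bob@example.org 10.5.0.9 FAIL
2021-03-01T08:02:09Z bob@example.org 10.5.0.9 SUCCESS
2021-03-01T08:10:00Z carol@example.org 203.0.113.50 FAIL
2021-03-01T08:10:02Z dave@example.org 203.0.113.50 FAIL
2021-03-01T08:10:04Z erin@example.org 203.0.113.50 FAIL
2021-03-01T08:10:06Z frank@example.org 203.0.113.50 FAIL
"""


def parse(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the assumed log format into time-ordered (ts, account, ip, result)."""
    events = []
    for line in text.splitlines():
        ts, account, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result))
    events.sort(key=lambda e: e[0])
    return events


def detect(text: str, window: timedelta = timedelta(minutes=10),
           min_sources: int = 4, min_spray_accounts: int = 3) -> List[dict]:
    """Return alerts in the order they fire; spray alerts are appended at the end."""
    events = parse(text)
    recent = defaultdict(deque)   # account -> (ts, ip) failures inside the window
    flagged = {}                  # account -> time the distributed pattern fired
    spray = defaultdict(set)      # source ip -> accounts it failed against
    alerts = []
    for ts, account, ip, result in events:
        q = recent[account]
        while q and ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, ip))
            spray[ip].add(account)
            distinct = {src for _, src in q}
            if len(distinct) >= min_sources and account not in flagged:
                flagged[account] = ts
                alerts.append({"type": "distributed_bruteforce", "account": account,
                               "sources": len(distinct), "ts": ts.isoformat()})
        elif result == "SUCCESS" and account in flagged and ts - flagged[account] <= window:
            # A login shortly after a distributed burst is the event worth paging on.
            alerts.append({"type": "success_after_bruteforce", "account": account,
                           "source_ip": ip, "ts": ts.isoformat()})
    for ip, accounts in spray.items():
        if len(accounts) >= min_spray_accounts:
            alerts.append({"type": "password_spray", "source_ip": ip,
                           "accounts": sorted(accounts)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG):
        print(a)
```

Note that bob's three failures from one address never fire: the distributed rule keys on distinct sources per account, not on the failure count, which is exactly the dimension a per-IP lockout policy does not see.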

4. APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers

  • Cisco initially disclosed the vulnerability on June 29, 2017, and promptly addressed it by releasing updated software. Cisco's recommended mitigations include limiting SNMP access to trusted hosts and disabling specific SNMP Management Information Bases (MIBs).
  • Jaguar Tooth is a type of malware that targets Cisco IOS routers. This malicious software not only gathers device information but also sends it out through the Trivial File Transfer Protocol (TFTP), and it enables unauthorized backdoor access.
  • Jaguar Tooth gained attention for exploiting the already-resolved Simple Network Management Protocol (SNMP) vulnerability known as CVE-2017-6742.
  • APT28 has exploited this vulnerability by gaining entry into routers using default and weak SNMP community strings.
  • The advisory's Tactics, Techniques and Procedures (TTPs) emphasize the threat to Cisco devices, stressing the importance for organizations of implementing the recommended mitigation strategies in order to safeguard against potential security breaches.
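Because the initial access in this campaign relied on default or weak community strings rather than on the SNMP bug alone, the cheapest defensive check is an audit of the SNMP section of each router's running configuration. The following is an added example, not from the original post or from Cisco's advisory, that parses a constructed IOS configuration and reports the weaknesses the advisory calls out: default or weak community strings, communities reachable without an access list, read-write communities, communities with no restricting view, and the absence of SNMPv3. The command syntax follows IOS (`snmp-server community <string> [view <name>] {RO|RW} [<acl>]`); the weak-string list and the sample configuration are assumptions.

```python
"""Added example (not from the original post): audit the SNMP configuration of
a Cisco IOS device for the weaknesses named in the advisory above.

The configuration below is constructed; the weak-string list is an assumption.
"""
import re
from typing import List

# Assumption: strings commonly left at defaults or guessed; extend as needed.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp", "read", "write"}

# IOS syntax: snmp-server community <string> [view <name>] {RO|RW} [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?\s*$", re.I)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (noauth|auth|priv)", re.I)
ACL_RE = re.compile(r"^(?:access-list (\d+) |ip access-list (?:standard|extended) (\S+))", re.I)

# Constructed running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
access-list 10 permit 10.0.0.5
access-list 10 deny any log
!
snmp-server community public RO
snmp-server community s3cr3tRW RW
snmp-server community N3t0ps-r0 view HARDENED RO 10
snmp-server community legacy-ro RO 99
snmp-server view HARDENED iso included
"""


def audit_snmp(config: str) -> List[dict]:
    """Return one finding per weak community, plus a device-level SNMPv3 finding."""
    acls = set()
    has_v3 = False
    communities = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1) or m.group(2))
        if V3_GROUP_RE.match(line):
            has_v3 = True
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append(m.groups())

    findings = []
    for name, view, mode, acl in communities:
        issues = []
        if name.lower() in WEAK_COMMUNITIES:
            issues.append("default/weak community string")
        if mode.upper() == "RW":
            issues.append("read-write access over SNMPv1/v2c")
        if acl is None:
            issues.append("no access list: reachable from any host")
        elif acl not in acls:
            issues.append(f"references access list {acl} that is not defined")
        if view is None:
            issues.append("no restricting view: every MIB is exposed")
        if issues:
            findings.append({"community": name, "issues": issues})
    if communities and not has_v3:
        findings.append({"community": None, "issues": [
            "no SNMPv3 group configured; v1/v2c community strings travel in cleartext"]})
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f["community"] or "<device>", "->", "; ".join(f["issues"]))
```

The community `N3t0ps-r0` produces no finding because it satisfies all of Cisco's listed mitigations at once: a non-default string, a defined ACL limiting it to a trusted host, read-only mode and a view. An undefined ACL reference is reported separately because on IOS a community bound to a non-existent access list is effectively unrestricted.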

Mitigation Processes

By implementing these measures, organizations can establish a cybersecurity foundation that enables them to defend against threats like APT 28 and similar sophisticated attacks. It is important to regularly reassess and update these measures to stay ahead in a changing threat landscape.

Let’s explore each step of the mitigation process in detail:

Endpoint Security

  • Utilize antivirus and anti-malware solutions that employ cutting-edge techniques such as behavior analysis, machine learning and threat intelligence. These measures help detect and prevent a range of threats, including those associated with APT 28.
  • Regularly patch operating systems and software applications to address known vulnerabilities. This ensures that security flaws that APT 28 or other threat actors could exploit are mitigated effectively.
  • Implement application whitelisting to restrict execution to authorized applications. This prevents malicious software from running on endpoints. (Trellix, 2023)

Network Security

  • Deploy intrusion detection and prevention systems (IDPS) that monitor network or system activities for exploits or violations of security policies. These systems play a role in detecting and blocking any activities related to APT 28.
  • Implement firewalls with up-to-date rule sets to control outgoing network traffic. This helps filter out unwanted traffic, safeguarding systems.
  • Divide the network into segments through network segmentation to limit lateral movement in case of a breach. This containment strategy effectively prevents the spread of an APT 28 compromise.

Email Security & Employee Training

  • Utilize email security solutions to filter out phishing attempts, malicious attachments and suspicious links before they reach end users.
  • Educate employees on how to identify and report phishing attempts. Human vigilance plays a role in preventing social engineering attacks, which are commonly used by advanced persistent threat (APT) groups.
  • Security Training: Ensure that employees receive training on security best practices. Emphasize the importance of recognizing and reporting security incidents.
  • Promoting a Security-Focused Culture: Encourage a culture of awareness among employees, where they understand how crucial their role is in preventing security breaches. Keep the training updated regularly to address emerging threats.

Access Control, Incident Response and Threat Intelligence

Access Control:

  • Implement the Principle of Least Privilege (PoLP) by granting users only the access rights required for their job responsibilities. This helps minimize the impact of a compromised account.
  • Enhance security by implementing Multi-Factor Authentication (MFA), which adds a layer of protection beyond passwords. MFA helps prevent access even if login credentials are compromised.

Incident Response:

  • Develop and regularly update an incident response plan that provides step-by-step procedures for detecting, reporting and responding to security incidents.
  • Conduct regular tabletop exercises to simulate security incidents. These exercises ensure that the incident response team is well prepared to handle real-world scenarios. (Kirvan & Chapple, 2023)
  • Stay informed by subscribing to threat intelligence feeds that offer real-time information about APT 28's tactics, techniques and procedures (TTPs).
  • Incorporating Security Tools: Enhance defense mechanisms by integrating threat intelligence into security tools and processes. This involves keeping detection systems up to date with the latest indicators of compromise (IOCs). (Lenaerts-Bergmans, 2023)

Continuous Monitoring and Encryption

Continuous Monitoring:

  • Implementing Continuous Monitoring Solutions: Deploy tools that continuously monitor network and system activities. These tools are designed to detect and alert on any behavior that may indicate a security incident.
  • Regular Log Review: Consistently review logs, network traffic and system activities to promptly identify and respond to suspicious actions. Timely detection plays a role in mitigating advanced persistent threats (APTs).

Encryption:

  • Securing Data with Encryption: Safeguard sensitive data both at rest and in transit by encrypting it. This ensures that even if a breach occurs, unauthorized access to the data is prevented.
  • Communication Protection through Encryption: Employ robust encryption algorithms for communication channels to prevent eavesdropping and man-in-the-middle attacks.

Vendor Management

  • Evaluating Vendor Security Practices: Assess and monitor the security practices of third-party vendors. Ensure they adhere to established security standards and avoid introducing vulnerabilities into your organization.
  • Reviewing Vendor Agreements: Continuously update vendor agreements to incorporate specific security requirements. This guarantees that vendors maintain a defined level of security in their products and services.

References

 

  1. Arghire, I. (2023, November 14). 22 Energy Firms Hacked in Largest Coordinated Attack on Denmark’s Critical Infrastructure. Retrieved from Security Week: https://www.securityweek.com/22-energy-firms-hacked-in-largest-coordinated-attack-on-denmarks-critical-infrastructure/#:~:text=Denmark's%20SektorCERT%20association%20shares%20details,against%20the%20country's%20energy%20sector.&text=Hackers%20compromised%

  2. Centre, N. C. (2018, October 4). Indicators of compromise for malware used by APT28. Retrieved from National Cyber Security Centre: https://ncsc.gov.uk/news/indicators-of-compromise-for-malware-used-by-apt28

  3. Cybersecurity & Infrastructure Security Agency. (2023, April 18). APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers. Retrieved from Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108

  4. Cybersecurity and Infrastructure Security Agency. (2023, August 31). Infamous Chisel Malware Analysis Report. Retrieved from Cybersecurity and Infrastructure Security Agency: https://www.cisa.gov/news-events/analysis-reports/ar23-243a

  5. Howell O'Neillarchive, P. (2019, November 6). Inside the Microsoft team tracking the world’s most dangerous hackers . Retrieved from MIT Technology Review: https://www.technologyreview.com/2019/11/06/238375/inside-the-microsoft-team-tracking-the-worlds-most-dangerous-hackers/

  6. Kirvan, P., & Chapple, M. (2023, February 4). How to build an incident response plan, with examples, template. Retrieved from TechTarget: https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan

  7. Lenaerts-Bergmans, B. (2023, May 5). WHAT IS A THREAT INTELLIGENCE FEED? Retrieved from Crowdstrike: https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/threat-intelligence-feeds/

  8. National Cyber Security Centre. (2023, August 31). Infamous Chisel Malware Analysis Report. Retrieved from National Cyber Security Centre: https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/infamous-chisel/NCSC-MAR-Infamous-Chisel.pdf

  9. Sayegh, E. (2023, February 28). APT28 Aka Fancy Bear: A Familiar Foe By Many Names. Retrieved from Forbes: https://www.forbes.com/sites/emilsayegh/2023/02/28/apt28-aka-fancy-bear-a-familiar-foe-by-many-names/?sh=65569aab59ad

  10. Stamus Networks Team. (2023, September 28). Behind the Curtain: Understanding Fancy Bear (APT 28). Retrieved from Stamus Networks: https://www.stamus-networks.com/blog/behind-the-curtain-understanding-fancy-bear-apt-28#:~:text=Operating%20since%202008%2C%20the%20shadowy,targeted%20infiltrations%20in%20its%20wake.

  11. Trellix. (2023). What Is Advanced Endpoint Protection. Retrieved from Trellix: https://www.trellix.com/security-awareness/endpoint/what-is-advanced-endpoint-protection/

  12. US Department of Defense. (2021, July 1). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved from US Department of Defense: https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF

