FireEye, the intelligence-led security company, has identified cyberespionage efforts by two Russian cyberthreat groups targeting European governments ahead of the upcoming European elections. The observed targeting is focused on NATO member states and is ongoing following a significant increase since mid-2018.
FireEye believes the two groups behind this activity, APT28 and Sandworm Team, are both sponsored by the Russian state. In addition to targeting European government organisations, the groups have targeted media outlets in France and Germany, political opposition groups in Russia and LGBT organisations with links to Russia.
The group’s most common method of initial compromise is spear phishing, which involves sending emails to targets with the intention of prompting them to click a malicious link or attachment. This can deliver a malicious document or link to a fake login site used to steal passwords. To increase their chances of success, the attackers register and use Internet domains similar to those which are familiar and trusted by the recipients.
For example, targets within European governments have been sent emails containing links which could appear to direct to real government websites. They also display a sender that appears to be genuine. These emails may entice targets to click a link to change their password, which would share their credentials with the attacker.
“The groups could be trying to gain access to the targeted networks in order to gather information that will allow Russia to make more informed political decisions or it could be gearing up to leak data that would be damaging for a particular political party or candidate ahead of the European elections,” said Benjamin Read, Senior Manager of Cyber Espionage Analysis at FireEye. “The link between this activity and the European elections is yet to be confirmed, but the multiple voting systems and political parties involved in the elections creates a broad attack surface for hackers.”
The activity of APT28 and Sandworm Team appears to be aligned but the tools and methods used by the two groups differ. Sandworm Team tends to use publicly available tools, whereas APT28 uses custom costly tools and has deployed zero-day exploits. This type of attack takes advantage of a weakness that has been discovered in software, before a fix becomes available. Where possible, FireEye has notified targeted organisations after identifying attacks.