FireEye accuses malware group of having Russia govt sponsor

By bne IntelliNews October 29, 2014

bne -


FireEye, a leading cyber-security firm, claims to have detected Kremlin links to APT28, a well-known malware-distributing and network-infiltrating gang. According to FireEye, the group has "ongoing, focused operations that we believe indicate a government sponsor based in Moscow."

In contrast with the China-based peers tracked by FireEye, APT28 does not appear to pursue commercial targets, but instead "focuses on collecting intelligence that would be most useful to a government." Specifically, FireEye found that since 2007 APT28 has been "targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government," the company said in a press release.

"APT28 has systematically evolved its malware since 2007, using flexible and lasting platforms indicative of plans for long-term use and sophisticated coding practices that suggest an interest in complicating reverse engineering efforts," the release continued.

According to FireEye, the APT28 cyber-attacks focused on targets in the Caucasus of interest to Russian security services, such as the pro-Chechen rebel website Kavkaz Centre and journalists writing about the region, as well as on security- and defence-related sites in Poland and other Central European countries.

Other, more mundane factors also point to Russian involvement, according to the report: Russian appears to be the programmers' preferred language, and their working hours suggest a location in Moscow or St Petersburg.

"While we don’t have pictures of a building, personas to reveal or a government agency to name, what we do have is evidence of long-standing, focused operations that indicate a government sponsor - specifically a government based in Moscow," reads the report.

In the most recent recorded attempt to penetrate an Eastern European state's cyber-defences, APT28 sent a Polish government institution, most likely the foreign ministry, a malware-carrying lure document disguised as an international press report on the July 17 downing of Malaysia Airlines flight MH17 over Ukraine, an event that sparked an international crisis.

The APT28 group has also registered numerous domains imitating the domain names of Eastern European government and media organisations, the report adds.

Concerns over Russian cyber-warfare capabilities first surfaced internationally in 2007, when Estonia's government claimed it had been subjected to a Russian cyber-attack and proposed adding cyber-warfare defence capacities to Nato.
