The Russian hacker group APT28, aka Fancy Bear, Sednit, Pawn Storm, and Swallowtail, has been covertly conducting attacks against governments and military organizations across Europe and South America. Although APT28 has been active since 2007, the group drew wide public attention in 2016, when it orchestrated attacks against the US Democratic National Committee (DNC) during the presidential election.
Following the 2016 presidential election, APT28’s activities were widely reported on by the news media and security experts. Although it appeared that the group went dark shortly afterward, new research suggests that the group just got more covert.
According to security researchers at Symantec, who uncovered a new APT28 campaign, between 2017 and 2018 the hackers targeted an Eastern European embassy, a renowned international organization, and governments and military organizations across Europe and South America.
Symantec researchers also found a connection between Fancy Bear and another threat group known as Earworm (aka Zebrocy). In comparison to Fancy Bear, Earworm has only been active for a relatively short period - two years - and is not considered to be a highly sophisticated cyberespionage group.
“During 2016, Symantec observed some overlap between the command and control (C&C) infrastructure used by Earworm and the C&C infrastructure used by Grizzly Steppe (the U.S. government code name for APT28 and related actors), implying a potential connection between Earworm and APT28. However, Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group,” Symantec researchers said in a report.
In their latest campaign, Fancy Bear hackers were found using their custom malware Seduploader and XAgent to conduct basic reconnaissance on targeted systems and steal data. However, the Kremlin-linked hacker group has also continually upgraded its tools. For instance, XAgent was originally Windows malware, but a Mac version now exists as well.
In addition to using its own custom hacking tools, APT28 may also be using Earworm's malware. Earworm is known to use two malware components - a downloader and a backdoor.
While the downloader is capable of conducting basic reconnaissance and downloading additional malware, the backdoor is capable of taking screenshots, executing files and commands, uploading and downloading files, and more.
“It is now clear that after being implicated in the U.S. presidential election attacks in late 2016, APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools,” Symantec researchers said. “After its foray into overt and disruptive attacks in 2016, the group has subsequently returned to its roots, mounting intelligence gathering operations against a range of targets. This ongoing activity and the fact that APT28 continues to refine its toolset means that the group will likely continue to pose a significant threat to nation state targets.”