The Russia-linked threat group APT28 gained notoriety for its cyber espionage activity during the 2016 US elections, when it is widely believed to have been responsible for targeting the Democratic National Committee. Now the group is on yet another espionage mission, this time mainly targeting organizations connected to the upcoming presidential elections in November.
What is APT28 up to?
APT28 has been found targeting Microsoft's cloud offering with a new set of attack tactics, different from those it previously used.
- Since April, the group has been running a campaign to harvest credentials for Microsoft Office 365 accounts belonging to election-related organizations in the U.S. and the U.K.
- The group has attempted to target 6,912 accounts belonging to 28 organizations via brute-force and password-spraying attacks.
How the attack unfolded
During these attacks, APT28 has been observed using a new mechanism to keep its activities anonymous.
- It routes its authentication attempts through a large pool of around 1,100 unique IP addresses, most of them associated with the Tor anonymizing service.
- This pool is highly dynamic: approximately 20 IP addresses are rotated daily to maintain anonymity.
- A typical victim organization receives 4 to 300 authentication attempts per hour aimed at brute-forcing passwords, each attempt arriving from a different IP address.
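The pattern described above (a burst of failed sign-ins spread across many accounts, with nearly every attempt arriving from a different source IP) is what a defender can hunt for in Office 365 sign-in logs. The following is an added detection example, not code from the original article; the sign-in events are constructed and their four-field shape (timestamp, account, source IP, result) is an assumption rather than the exact export format of any Microsoft log.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (assumed simplified shape, not real log data).
# Hour 13: one user mistypes a password twice from one IP, then succeeds (benign).
# Hour 14: ten accounts each fail once, every attempt from a different IP (spray).
# Hour 15: one user fails five times from a single IP (lockout, not a spray).
SAMPLE_EVENTS = [
    ("2020-09-10T13:02:00Z", "alice@example.org", "198.51.100.7", "failure"),
    ("2020-09-10T13:03:00Z", "alice@example.org", "198.51.100.7", "failure"),
    ("2020-09-10T13:04:00Z", "alice@example.org", "198.51.100.7", "success"),
] + [
    (f"2020-09-10T14:{i * 5:02d}:00Z", f"user{i:02d}@example.org",
     f"203.0.113.{10 + i}", "failure")
    for i in range(10)
] + [
    (f"2020-09-10T15:{i:02d}:00Z", "bob@example.org", "192.0.2.44", "failure")
    for i in range(5)
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, min_failures=4, min_users=3, min_unique_ip_ratio=0.9):
    """Bucket failed sign-ins into hourly windows and flag windows where failures
    are numerous, touch several accounts, and almost every attempt comes from a
    distinct IP address. Thresholds are assumptions to be tuned per tenant;
    min_failures=4 mirrors the low end of the 4-300 attempts/hour described."""
    buckets = defaultdict(list)
    for ts, user, ip, result in events:
        if result != "failure":
            continue
        hour = parse_ts(ts).replace(minute=0, second=0, microsecond=0)
        buckets[hour].append((user, ip))
    alerts = []
    for start, fails in sorted(buckets.items()):
        users = {u for u, _ in fails}
        ips = {ip for _, ip in fails}
        ip_ratio = len(ips) / len(fails)
        if (len(fails) >= min_failures and len(users) >= min_users
                and ip_ratio >= min_unique_ip_ratio):
            alerts.append({"window_start": start.isoformat(), "failures": len(fails),
                           "accounts": len(users), "unique_ips": len(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print("possible password spray:", alert)
```

The benign hours are not flagged because the failures come from a single account or a single IP; only the hour where accounts and source IPs both fan out produces an alert.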
Coming up with new malware threats
In mid-August 2020, APT28 was observed deploying a new Linux-based malware, called Drovorub, as part of its cyber espionage operations.
In May, German authorities issued an arrest warrant for Dmitriy Sergeyevich Badin, a 29-year-old Russian national, for his involvement in the 2015 Bundestag hack while he was part of the APT28 group. Badin is believed to be living in Moscow and remains at large.
Given these attack attempts and the continuous refinement of its tactics, APT28 is unlikely to halt its espionage activity until the elections are over. It is therefore all the more important for every directly or indirectly associated organization to be aware of the latest espionage methods and to take all possible security measures to stay protected.