Russian State-Sponsored APT28 Conducting Cyber Espionage on Middle East Defence Firms

  • Around 38 percent of the attacks targeted defense companies, banking, construction, and government bodies.
  • APT28’s spam-sending tactics included the use of VPNs to try and hide their traces.

Researchers from a cybersecurity firm disclosed details of a campaign by the Russian state-backed hacking outfit known as APT28 or Fancy Bear, which has been scanning for vulnerable email servers for more than a year.

What happened?
Security researchers found that the Russian hacking crew had been targeting defense companies with Middle Eastern outposts since May last year.

  • Around 38 percent of the attacks targeted defense companies, banking, construction, and government bodies.
  • The list of victims also included a couple of private schools in France and the UK and even a kindergarten in Germany.
  • The Fancy Bear group used credential-phishing tactics to target and hack email accounts, aiming for a higher strike rate.

Key findings
Researchers found that the threat group was port-scanning mail servers such as Microsoft Exchange via TCP ports 443 and 1433, looking for vulnerable machines to exploit and for additional attack surface to support its ongoing campaign.

APT28’s spam-sending tactics included the use of VPNs to try to hide their traces. “Pawn Storm regularly uses the OpenVPN option of commercial VPN service providers to connect to a dedicated host that sends out spam. The dedicated spam-sending servers used particular domain names in the EHLO command of the SMTP sessions with the targets’ mail servers,” the report notes.
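The two behaviours above both leave traces a defender can look for: one source touching many hosts on TCP 443 and 1433, and spam senders whose EHLO name does not fit the connecting host. The following Python sketch is an added illustration and is not code from the report or the researchers; the firewall and SMTP log formats, the IP addresses, the hostnames, and the threshold of five distinct hosts in ten minutes are all constructed assumptions, and the report does not name the EHLO domains the group used.

```python
"""Detection sketches for the behaviours described in the report:
(1) a single source probing many hosts on TCP 443/1433 (mail-server scanning)
(2) SMTP senders whose EHLO hostname does not match the reverse-DNS name of
    the connecting IP, or that claims one of our own domains.
All log lines and addresses below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {443, 1433}           # ports named in the report
SCAN_THRESHOLD = 5                 # assumed tuning value: distinct hosts per source
SCAN_WINDOW = timedelta(minutes=10)

# Constructed syslog-like firewall lines (format is an assumption).
FIREWALL_LOG = """\
2020-05-04T09:00:01Z allow src=203.0.113.7 dst=198.51.100.10 dport=443
2020-05-04T09:00:02Z deny src=203.0.113.7 dst=198.51.100.11 dport=443
2020-05-04T09:00:03Z deny src=203.0.113.7 dst=198.51.100.12 dport=1433
2020-05-04T09:00:05Z allow src=203.0.113.7 dst=198.51.100.13 dport=443
2020-05-04T09:00:06Z deny src=203.0.113.7 dst=198.51.100.14 dport=1433
2020-05-04T09:00:08Z deny src=203.0.113.7 dst=198.51.100.15 dport=443
2020-05-04T09:01:00Z allow src=198.51.100.50 dst=198.51.100.10 dport=443
2020-05-04T09:02:00Z allow src=198.51.100.50 dst=198.51.100.10 dport=443
2020-05-04T09:03:00Z allow src=203.0.113.9 dst=198.51.100.10 dport=443
2020-05-04T09:03:30Z allow src=203.0.113.9 dst=198.51.100.11 dport=443
2020-05-04T09:04:00Z allow src=203.0.113.9 dst=198.51.100.12 dport=80
"""

# Constructed MTA connection lines (format is an assumption; ptr=- means no PTR).
SMTP_LOG = """\
2020-05-04T10:15:00Z connect from 203.0.113.7 helo=mail.example-corp.test ptr=vpn-exit-7.provider.test
2020-05-04T10:16:00Z connect from 192.0.2.20 helo=mx1.partner.test ptr=mx1.partner.test
2020-05-04T10:17:00Z connect from 203.0.113.9 helo=smtp.partner.test ptr=-
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?:allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
SMTP_RE = re.compile(r"^(?P<ts>\S+) connect from (?P<ip>\S+) helo=(?P<helo>\S+) ptr=(?P<ptr>\S+)$")


def parse_fw_line(line):
    """Parse one firewall line into a dict, or None if it does not match."""
    m = FW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def find_scanners(lines, ports=SCAN_PORTS, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Return {src: sorted distinct dsts} for every source that touched at least
    `threshold` distinct hosts on the watched ports within one `window`."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_fw_line(line)
        if ev and ev["dport"] in ports:      # denied probes count too
            events[ev["src"]].append((ev["ts"], ev["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):     # window starting at each event
            seen = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            if len(seen) >= threshold:
                hits[src] = sorted(seen)
                break
    return hits


def registered_domain(host):
    """Crude 'last two labels' heuristic; a public-suffix list is better in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_suspicious_ehlo(lines, own_domains):
    """Flag (ip, helo, reason) for senders whose EHLO claims one of our own domains,
    has no reverse DNS, or does not share a registered domain with its PTR name."""
    flagged = []
    for line in lines:
        m = SMTP_RE.match(line.strip())
        if not m:
            continue
        helo_dom = registered_domain(m["helo"])
        ptr_dom = registered_domain(m["ptr"]) if m["ptr"] != "-" else None
        if helo_dom in own_domains:
            reason = "EHLO claims our own domain"
        elif ptr_dom is None:
            reason = "no reverse DNS"
        elif helo_dom != ptr_dom:
            reason = f"EHLO {helo_dom} != PTR {ptr_dom}"
        else:
            continue
        flagged.append((m["ip"], m["helo"], reason))
    return flagged


if __name__ == "__main__":
    for src, hosts in find_scanners(FIREWALL_LOG.splitlines()).items():
        print(f"scanner {src} touched {len(hosts)} hosts: {hosts}")
    for ip, helo, reason in find_suspicious_ehlo(SMTP_LOG.splitlines(), {"example-corp.test"}):
        print(f"suspicious sender {ip} ({helo}): {reason}")
```

The scan check counts denied connections as well as allowed ones, since a probe against a closed port is exactly the signal you want; the EHLO check is only a first filter, and in practice you would correlate a flagged sender with the failed-login or phishing telemetry the report describes before blocking anything.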

What to do?
The recommendations in such cases have always been straightforward and are the usual ones.

  • Monitor your infrastructure for any unusual or unauthorized access patterns.
  • Always patch your systems as soon as vendors release updates.
  • Educate employees not to click on links in unsolicited emails.

Closing lines
Recently, Western governments also publicly called out the APT28 group for its attack campaigns in recent years against Georgia, a former Soviet republic.