Cyber security weekly summary 24 - 30 April

Last week was marked by new Russian cyber attacks. The documented activities involved well-known APT28, which reportedly hacked the Danish Ministry of Defence and thus obtained access to e-mail correspondence of its employees from 2015 - 2016. As Danish Foreign Minister Claus Hjort Frederiksen stated the attack was „linked to the intelligence services or central elements of the Russian government“.

Another case connected with the APT28 concerned cyber espionage against French presidential candidate Emmanuel Macron, who’s campaign have been targeted via phishing. To advance their goal the attackers crafted four authentically looking email accounts to lure out the credentials of Macron’s co-workers. According to a researcher familiar with the case, stolen documents could be used to undermine Macron's political reputation should he win over Russia favouring Marine Le Pen.

On 25 April Trend Micro, which was the first to connect APT28 with the attack on the Macron’s presidential campaign, also published encompassing report about the group’s activities over last two years. The analysis describes operations and methods used by the APT against dozens of organisations. The main visible trend in APT28’s behaviour is a shift from common cyber espionage to complex operations towards manipulating events and public opinion. This is illustrated for example by the World Anti-Doping Agency (WADA) case from summer 2016, in which documents have been obtained via cyber espionage and subsequently released in a controlled manner. To maximalize the harm, the hackers in some cases waited more than a year to release the stolen information.

The APT28, also known as Pawn Storm, used false flag operations. This was the case of the WADA and French TV5 Monde hacks that were designed to look like an action of Islamic hackers. The group‘s cyber propaganda methods often involve media, which are approached with offers of exclusive material. Due to the non-public character of such information, these can't be depended upon, as the hackers could have altered or cherry picked their parts to create a bigger impact.

On April 24, the INTERPOL informed about an operation against cyber crime in Southeast Asia in cooperation with police specialists from the Association of Southeast Asian Nations countries. During the investigation, with the participation of Trend Micro, Kaspersky Lab, Booz Allen Hamilton, Fortinet and Palo Alto Networks, nearly 9,000 Command and Control (C2) servers and hundreds of compromised websites were identified. C2 servers may have served as a platform for spreading spam, ransomware and other malware strains and as the initiation of DDoS attacks. The websites infected with a malware, exploiting a vulnerability in their design, also included portals of several governments which have contained personal data of their citizens

WikiLeaks is further advancing with promised publication of the documents, stolen from the US Central Intelligence Agency (CIA). The new files are descriptions and source codes of the CIA's „anti-whistleblowing“ tool for MS Office, called Scribbles. Word documents could be then embedded with a watermark hiding a link to a CIA server. The CIA was thus able to track the time and location of documents. This technique was reportedly not applicable to alternative text editors like OpenOffice and LibreOffice, since they may reveal otherwise hidden content.

About author: Roman Šulc


Tento web používá k analýze návštěvnosti soubory cookie. Používáním tohoto webu s tím souhlasíte. Další informace