For the past year, one of Russia’s top state-sponsored hacking units has spent its time scanning and probing the internet for vulnerable email servers, according to a report published yesterday by cyber-security firm Trend Micro.
The report deals with the activities of APT28, also known as Fancy Bear, Sednit, and Pawn Storm.
The group, believed to be operating on behalf of the Russian military intelligence service GRU, has been active since 2004 and is one of the two Russian groups that have breached the DNC’s email server in 2016.
Being one of the oldest state-sponsored hacking groups around, its activities have been recorded, analyzed, and classified in great depth across a large number of industry reports.
According to these reports, APT28’s primary weapon for the past decade has been the use of spear-phishing campaigns. Through carefully crafted emails aimed at specially selected targets and the use of zero-day exploits, APT28 operators have infected victims with a wide array of malware strains for more than 15 years.
Scanning the internet for vulnerable servers
However, in a report published yesterday by Trend Micro, the cyber-security firm’s analysts have spotted an important change in the group’s operations.
While spear-phishing and malware have remained on the menu, Trend Micro says APT28 has also begun last year conducting scans of the entire internet, in search of vulnerable webmail and Microsoft Exchange Autodiscover servers — on TCP ports 445 and 1433.
It is unclear what attacks APT28 launches against servers it identifies as vulnerable, although it wouldn’t be hard to imagine they’d try to take over the unpatched system — either to steal sensitive data stored within or use the email server as a pawn in other operations.
Taking over email accounts to launch phishing operations
But on top of server scans, APT28 has also been busy with another scheme, Trend Micro said.
Through a network of VPN servers, APT28 operators connect to compromised email accounts on the email servers of legitimate companies.
Trend Micro believes APT28 is phishing the employees of legitimate companies and stealing their login credentials for corporate email accounts, or performing brute-force attacks to guess email account passwords.
Once they have credentials in hand, through a network of VPN servers, APT28 operators connect to the compromised accounts using the stolen passwords.
Here, APT28 either exfiltrate data they find of interest, or they use the compromised email accounts to send phishing email campaigns to other targets.
Since the emails come from real persons at legitimate companies, these phishing campaigns are believed to be more effective than most other phishing spam, supplying APT28 with new stolen credentials from new victim companies.
Trend Micro says the vast majority of companies that had email accounts compromised are based in the United Arab Emirates, and are operating in the defense sector.
Image: Trend Micro
Below is a list of some of the companies that had email accounts compromised (and later utilized to send out more phishing spam) by APT28 hackers between August and November 2019.
Image: Trend Micro
APT28’s new tactics show that this particular threat actor can’t be pigeonholed within a particular threat matrix and will most likely diversify its attack arsenal without limitations — having shown the skills and ingenuity needed to adapt to new tactics in the past.