Google was aware of Russian APT28 group years before others
16.2.2017 securityweek
APT

Lorenzo Bicchierai from MotherBoard shared an interesting private report about Russian cyber espionage operations conducted by APT28, the document was leaked online by Google.
The report dating 2014 includes information collected by Google on the hacking activities conducted by its hackers.

In October 2014, the security experts at FireEye linked cyber attacks against a number of Eastern European countries to a Russian nation-state actor dubbed ATP28.
The report published by FireEye revealed that the APT28 is behind long-running cyber espionage campaigns that targeted also US defense contractors, European security organizations and Eastern European government entities.

FireEye researchers collected evidence that the APT28 group is linked to the Russian Government, the team of hackers “does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.”

“APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe,” FireEye reported.”

APT28 report 2

The group focused its hacking campaign on targets that would be of interest to Russia, such as the Caucasus region with a focus on Georgia.

It was the beginning of the story, now we used different names to refers the nation state actor, including Pawn Storm, Sednit, Sofacy, Fancy Bear and Tsar Team.

Just a couple of days ago security experts at Bitdefender discovered a MAC OS version of the X-Agent malware used by the Russian cyberespionage group.

Before the publishing of the report in 2014, several companies were investigating the cyber attacks conducted by the threat actor, including Google of course.

Motherboard “penned a 40-page technical report” on the activities of the APT28 group, a precious document considering that it has never been published before.

“This sort of document, which Motherboard obtained from two independent sources, may be a common sight in the threat intelligence industry, but the public rarely gets to see what such a report from Google looks like.” wrote Lorenzo Bicchierai. “The report draws from one of Google’s most interesting sources of data when it comes to malware and cybersecurity threats: VirusTotal, a public malware repository that the internet giant acquired in 2012.”
The document explicitly refers a couple of malware, the Sofacy and X-Agent, that “are used by a sophisticated state-sponsored group targeting primarily former Soviet republics, NATO members, and other Western European countries.”

This means that Google was informed about the threat years before its public disclosure. Google attributed the attacks to the ATP28 and linked them to the Russian Government much earlier of FireEye, ESET or CrowdStrike.

“It looks like Google researchers were well aware of Sofacy before it was publicly disclosed.”

The title of the document is explicit, “Peering into the Aquarium,” and refers the headquarters of the GRU military intelligence agency, popularly known as “The Aquarium.”

According to the report, the submission share ratio of X-Agent Sofacy in VirusTotaI by country shows that Georgia, Romania, Russia, and Denmark had the highest ratio.


The experts from Google tried to profile the APT28, they noticed that the group used the sophisticated X-Agent only to compromise “high-priority targets.” The nation-state actor made a large use of the Sofacy malware for its wide range campaigns, it has been estimated that Sofacy was three times more common than X-Agent in the wild.

“As a first~stage tool, Sofacy is used relatively indiscriminately against potential targets. X-Agent is reserved for high?priority targets. This is borne out by the data. VirusTotai submissions show that Sofacy was three times more common than X-Agent in the wild, with over 600 distinct samples in the data set.” states the report.

The report includes technical details about APT28 operations, it is interesting to note that the security team at Google was able to identify the threat years before others security firms.