Читать книгу The Grizzly Steppe Report (Unmasking the Russian Cyber Activity) - Federal Bureau of Investigation - Страница 4
Description
ОглавлениеThe U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.
Figure 1: The tactics and techniques used by APT29 and APT 28 to conduct cyber intrusions against target systems
Both groups have historically targeted government organizations, think tanks, universities, and corporations around the world. APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.
In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.
In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.
Figure 2: APT28's Use of Spearphishing and Stolen Credentials
Actors likely associated with RIS are continuing to engage in spearphishing campaigns, including one launched as recently as November 2016, just days after the U.S. election.
| Alternate Names |
| APT28 |
| APT29 |
| Agent.btz |
| BlackEnergy V3 |
| BlackEnergy2 APT |
| CakeDuke |
| Carberp |
| CHOPSTICK |
| CloudDuke |
| CORESHELL |
| CosmicDuke |
| COZYBEAR |
| COZYCAR |
| COZYDUKE |
| Crouching Yeti |
| DIONIS |
| Dragonfly |
| Energetic Bear |
| EVILTOSS |
| Fancy Bear |
| GeminiDuke |
| GREY CLOUD |
| HammerDuke |
| HAMMERTOSS |
| Havex |
| MiniDionis |
| MiniDuke |
| OLDBAIT |
| OnionDuke |
| Operation Pawn Storm |
| PinchDuke |
| Powershell backdoor |
| Quedagh |
| Sandworm |
| SEADADDY |
| Seaduke |
| SEDKIT |
| SEDNIT |
| Skipper |
| Sofacy |
| SOURFACE |
| SYNful Knock |
| Tiny Baron |
| Tsar Team |
| twain_64.dll (64-bit X-Agent implant) |
| VmUpgradeHelper.exe (X-Tunnel implant) |
| Waterbug |
| X-Agent |
