Kremlin Hacking Crew Take A 'Roman Holiday'

Uploaded on 2018-07-23 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, GOVERNMENT-Defence, FREE TO VIEW

Researchers have claimed the infamous APT28 Kremlin-linked hacking group was behind a new cyber-espionage campaign they believe was targeted at the Italian military.

Security researchers from the Z-Lab at CSE Cybsec spent a recent weekend unpicking a new malware-base cyber-espionage campaign allegedly conducted by APT28, known as Fancy Bear.

The multi-stage campaign features an initial dropper malware, written in Delphi, and a new version of the X-agent backdoor, a strain of malicious code previously linked to APT28.

One malicious library (dll) file associated with the campaign phones home to a command-and-control server with the name “marina-info.net”. This is a reference to the Italian Military naval arm, Marina Militare, according to the researchers.

"The dll that connects to 'marina-info.net' might be the last stage-malware that is triggered only when particular conditions occur, for example when the malware infects a system with an IP address belonging to specific ranges," claimed to the researchers.

The Russian state-backed hackers may be targeting specific organisations including the Italian Marina Militare and its subcontractors, the researchers conclude. The targeting of Italian organisations during the summertime led the researchers to nickname the campaign "Roman Holiday".

Researchers from Z-Lab worked with independent researcher Drunk Binary (@DrunkBinary) on malware samples spotted in the wild and uploaded them to VirusTotal as they put together their analysis.

Further details on the malware samples analysed by CSE Cybsec, including the indications of compromise, are available in a report published by researchers at ZLAb here (pdf).

The APT28 hacking crew has been active since at least 2007, since when it has targeted governments, militaries, and other organisations worldwide.

The group - identified by Western intel agencies as a unit of Russian military intelligence, the GRU - has also been alleged to be behind attacks on the German Bundestag, French TV station TV5Monde and (most notoriously) a hack and leak campaign that targeted the US Democrats during the 2016 US presidential election.

More recently, in the second half of 2017, the group turned their attention away from NATO countries and Ukraine with attacks against countries included China, Mongolia, South Korea and Malaysia.

Researchers from Palo Alto Networks spotted attacks against the various Asian countries that made use of the SPLM and the Zebrocy tools previously linked to the group.

A dozen individuals who are alleged to be GRU intelligence operatives were indicted last week over a string of attacks that targeted 2016 US Presidential election.

The Register

You Might Also Read: 

Meet The Fancy Bears:

Nation State Cyber Attacks Are An Act Of War:

 

« UK Launches Consultation To Develop Cybersecurity Profession
NZ Cyber Security Challenge Simulates Drone Attacks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ID-SIRTII/CC

ID-SIRTII/CC

Security Incident Response Team for Internet Infrastructure in Indonesia.

Zymr

Zymr

Zymr specialize in cloud computing solutions including Cloud Security, Cloud Mobility, Cloud Apps, Cloud Infrastructure and Cloud Orchestration.

Bangladesh Association of Software & Information Services (BASIS)

Bangladesh Association of Software & Information Services (BASIS)

BASIS is the national trade body for Software & IT Enabled Service industry of Bangladesh.

Specops Software

Specops Software

Specops Software is a leading password management and authentication solution vendor.

BAI Security

BAI Security

BAI Security is a Nationally Recognized Leader in IT Security. Keeping your data safe and your business compliant is our singular focus.

BlackDice Cyber

BlackDice Cyber

Threat Intelligence is only part of the solution. Our solution matches threats to vulnerabilities and automatically takes remedial action against compromised apps, devices and websites.

Infinite Ranges

Infinite Ranges

Infinite Ranges delivers secure, comprehensive digital solutions by connecting experts with the best products and services for the digital age.

McDonald Hopkins

McDonald Hopkins

McDonald Hopkins is a business advisory and advocacy law firm. We focus on insightful legal solutions that help our clients strategically plan for an increasingly competitive future.

RecoLabs (Reco)

RecoLabs (Reco)

Reco empowers organizations to discover their SaaS applications, identities, and data, control access and prevent the risk of exposure.

Ekco

Ekco

Ekco is one of Europe’s leading managed cloud providers. With a network of infrastructure and security specialists across Europe, we’ve perfected our approach to supporting digital transformation.

ThreatFabric

ThreatFabric

ThreatFabric integrates industry-leading threat intel, behavioral analytics, advanced device fingerprinting and over 10.000 adaptive fraud indicators.

Venticento

Venticento

Venticento is an IT company specialized in consulting and network support and assistance for companies that need to make their business processes more effective.

White Knight Labs

White Knight Labs

White Knight Labs is a cyber security consultancy that specializes in cybersecurity training.

Vambrace Cybersecurity

Vambrace Cybersecurity

Vambrace is an experienced cybersecurity consultancy and operations outsourcer helping you to secure your business in an increasingly-hostile cyber environment.

ThoughtSol

ThoughtSol

Thoughtsol help brands grow through Digital Transformation enabling them to leverage the power of IT for an all-embracing impact on their businesses.

Andesite

Andesite

Andesite is delivering sustained advantage to cyber defense teams through technology and community.