Russian Hackers Are Using Brexit To Leverage Cyber Attacks

A hacking group widely believed to work on behalf of the Russian state is using Brexit as a lure for conducting cyber operations with the aim of delivering malware to targets across Europe.

The UK's departure from the European Union appears to be the latest in a line of current affairs topics which Russian hacking group Fancy Bear, also known as APT28, Sofacy and a variety of other names, is using in an effort to trick targets into opening emails and downloading malware.

Earlier this month, the hacking operation, which is thought to have strong links to the Kremlin, was seen using phishing lures relating the recent Lion Air crash off the Indonesian coast. But now cyber security researchers at Accenture have seen the group that they refer to as SNAKEMACKEREL exploiting Brexit in a campaign designed to deliver Trojan malware.

It's believed that the campaign has actively targeted government departments, particularly ministries of foreign affairs, political think-tanks, and defence organisations across Europe.

"The threat group is likely to be seeking access to insights on the latest political affairs, including confidential documents on national interests related to current news headlines such as Brexit," said Michael Yip, security principal at Accenture Security's iDefense Threat Intelligence, 

Targets are sent an email with an attachment named Brexit 15.11.2018.docx. If they open it, they're met with jumbled-up text and a claim of an error relating to the document being created in an earlier version of Microsoft Word. Users are urged to 'enable content' to see what the document claims to contain, but if they follow through with this request, it enables macros and allows malicious-macro-enabled content to retrieve and deliver malware. 

The malicious payload is Zeboracy, a Trojan that has previously been observed being deployed as part of cyber espionage campaigns working out of Russia.

Analysis of the of the malicious attachment also provides clues pointing towards the origin of the attacks: the document is said to be last modified by a user called 'Joohn', a name that has appeared in the file information of previous Fancy Bear campaigns. Researchers also note that the document was compiled by a company named Grizli777.

The group has been particularly active since October and Accenture has "high confidence" that the campaign still remains highly active. Given how quickly the attackers react to current affairs, it's likely only a matter of time before they use a new news event as a lure to conduct attacks.

"The speed in which fresh news headlines are used for document lures in attacks particularly highlights the group's knowledge of foreign affairs and provides strong indications of their targeting remit," said Yip.

Fancy Bear has been linked to a number of high-profile cyber campaigns in recent years, including the cyber-attacks and disinformation as a means of interference around the US Presidential election. It's also thought to have conducted additional espionage campaigns against a number of nation-states and international organisations.

ZDNet

You Might Also Read:

Russian Hackers Have New Weapons:

« Marriott Hack- 500m Data Records Exposed
GCHQ Doesn't Always Tell Vendors If Their Software Is Vulnerable »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Akin Gump Strauss Hauer & Feld

Akin Gump Strauss Hauer & Feld

Akin is a leading global law firm providing innovative legal services and business solutions to individuals and institutions. Practice areas include Cybersecurity, Privacy and Data Protection.

Bloombase

Bloombase

Bloombase is the leading innovator in Next-Generation Data Security solutions for Global 2000-scale organizations

Oxford BioChronometrics

Oxford BioChronometrics

By building profiles based on electronically Defined Natural Attributes, or e-DNA, Oxford BioChronometrics protects digital networks, communities, individuals and other online assets from fraud.

Trustelem

Trustelem

Trustelem offers European and global companies a ready-to-use access management service that respects the principles of sovereignty, territoriality and privacy.

ICS Cyber Security Conference

ICS Cyber Security Conference

SecurityWeek’s Industrial Control Systems (ICS) Cyber Security Conference is the largest and longest-running event series focused on industrial cybersecurity.

PeckShield

PeckShield

PeckShield is a blockchain security company which aims to elevate the security, privacy, and usability of entire blockchain ecosystem by offering top-notch, industry-leading services and products.

Security Alliance

Security Alliance

Security Alliance provide bespoke cyber intelligence consulting and research services.

Privakey

Privakey

Transaction Intent Verification. Privakey delivers a secure channel to streamline high risk transactions, enabling digital trust between services and their users.

NOW Insurance

NOW Insurance

NOW Insurance provides small business owners and other professional classes with a seamless purchasing experience for general liability, professional liability, and cybersecurity insurance coverage.

ImpactQA

ImpactQA

ImpactQA is a global leading software testing & QA consulting company. Ten years of excellence. Delivering unmatched services & digital transformation to SMEs & Fortune 500 companies.

Wazuh

Wazuh

Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Celera Networks

Celera Networks

Celera Networks is a managed services provider specializing in cybersecurity, cloud and managed IT services.

Cyber Proud

Cyber Proud

Cyber proud is leading a talent revolution to promote and create an inclusive skilled cyber workforce.

Teleskope

Teleskope

Teleskope are on a mission to empower businesses to protect sensitive data by default.

BetterWorld Technology

BetterWorld Technology

BetterWorld Technology provides cloud solutions, managed services, SaaS, cybersecurity and virtual CIO, all customized to meet your needs.

Assetnote

Assetnote

The Assetnote platform enables organizations to effectively map and continuously monitor their external attack surface.