Russian Hackers Are Using Brexit To Leverage Cyber Attacks

A hacking group widely believed to work on behalf of the Russian state is using Brexit as a lure for conducting cyber operations with the aim of delivering malware to targets across Europe.

The UK's departure from the European Union appears to be the latest in a line of current affairs topics which Russian hacking group Fancy Bear, also known as APT28, Sofacy and a variety of other names, is using in an effort to trick targets into opening emails and downloading malware.

Earlier this month, the hacking operation, which is thought to have strong links to the Kremlin, was seen using phishing lures relating to the recent Lion Air crash off the Indonesian coast. Now cyber security researchers at Accenture have seen the group, which they refer to as SNAKEMACKEREL, exploiting Brexit in a campaign designed to deliver Trojan malware.

It's believed that the campaign has actively targeted government departments, particularly ministries of foreign affairs, political think-tanks, and defence organisations across Europe.

"The threat group is likely to be seeking access to insights on the latest political affairs, including confidential documents on national interests related to current news headlines such as Brexit," said Michael Yip, security principal at Accenture Security's iDefense Threat Intelligence.

Targets are sent an email with an attachment named Brexit 15.11.2018.docx. If they open it, they're met with jumbled-up text and a claim that the document displays incorrectly because it was created in an earlier version of Microsoft Word. Users are urged to 'enable content' to see what the document claims to contain; if they do, macros are enabled and the malicious macro retrieves and runs the malware.

The malicious payload is Zebrocy, a Trojan that has previously been observed in cyber espionage campaigns operating out of Russia.

Analysis of the malicious attachment also provides clues pointing towards the origin of the attacks: the document's metadata shows it was last modified by a user called 'Joohn', a name that has appeared in the file information of previous Fancy Bear campaigns. Researchers also note that the document's company field reads Grizli777.
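The two document traits described above, a macro container inside a file named as a .docx and the 'Joohn'/'Grizli777' metadata, can both be checked without opening the file in Word, because an Office document is a zip archive with its metadata in docProps/core.xml and docProps/app.xml. The following triage script is an added example and is not code from the article or from Accenture; the sample document it builds is constructed in-memory for the demonstration, and the namespace URIs are the standard OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces for core and extended (app) properties.
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

def build_sample_docx(last_modified_by, company, with_macro):
    """Constructed stand-in for an attachment: a minimal zip with the metadata
    parts Word writes, plus an (empty placeholder) VBA project when requested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml",
                   f'<cp:coreProperties xmlns:cp="{CP_NS}">'
                   f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
                   "</cp:coreProperties>")
        z.writestr("docProps/app.xml",
                   f'<Properties xmlns="{APP_NS}"><Company>{company}</Company></Properties>')
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder")  # constructed, not a real OLE stream
    return buf.getvalue()

def inspect_docx(data, watch_authors=("Joohn",), watch_companies=("Grizli777",)):
    """Return metadata and a list of findings for a docx given as bytes.
    A vbaProject.bin inside a .docx is suspicious on its own; the author and
    company fields are compared against the values reported in the article."""
    author = company = None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        has_vba = "word/vbaProject.bin" in names
        if "docProps/core.xml" in names:
            el = ET.fromstring(z.read("docProps/core.xml")).find(f"{{{CP_NS}}}lastModifiedBy")
            author = el.text if el is not None else None
        if "docProps/app.xml" in names:
            el = ET.fromstring(z.read("docProps/app.xml")).find(f"{{{APP_NS}}}Company")
            company = el.text if el is not None else None
    findings = []
    if has_vba:
        findings.append("vba-project-present")
    if author in watch_authors:
        findings.append(f"last-modified-by:{author}")
    if company in watch_companies:
        findings.append(f"company:{company}")
    return {"last_modified_by": author, "company": company,
            "has_vba": has_vba, "findings": findings}

if __name__ == "__main__":
    print(inspect_docx(build_sample_docx("Joohn", "Grizli777", True)))
```

Run it against a real attachment by passing the file's bytes to inspect_docx; an empty findings list is not a clean bill of health, only the absence of these particular traits.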

The group has been particularly active since October, and Accenture has "high confidence" that the campaign remains highly active. Given how quickly the attackers react to current affairs, it's likely only a matter of time before they use a new news event as a lure.

"The speed in which fresh news headlines are used for document lures in attacks particularly highlights the group's knowledge of foreign affairs and provides strong indications of their targeting remit," said Yip.

Fancy Bear has been linked to a number of high-profile cyber campaigns in recent years, including the cyber-attacks and disinformation used to interfere with the US Presidential election. It's also thought to have conducted additional espionage campaigns against a number of nation-states and international organisations.

ZDNet

