Kremlin Hacking Crew Take A 'Roman Holiday'

Uploaded on 2018-07-23 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, GOVERNMENT-Defence, FREE TO VIEW

Researchers have claimed the infamous APT28 Kremlin-linked hacking group was behind a new cyber-espionage campaign they believe was targeted at the Italian military.

Security researchers from the Z-Lab at CSE Cybsec spent a recent weekend unpicking a new malware-base cyber-espionage campaign allegedly conducted by APT28, known as Fancy Bear.

The multi-stage campaign features an initial dropper malware, written in Delphi, and a new version of the X-agent backdoor, a strain of malicious code previously linked to APT28.

One malicious library (dll) file associated with the campaign phones home to a command-and-control server with the name “marina-info.net”. This is a reference to the Italian Military naval arm, Marina Militare, according to the researchers.

"The dll that connects to 'marina-info.net' might be the last stage-malware that is triggered only when particular conditions occur, for example when the malware infects a system with an IP address belonging to specific ranges," claimed to the researchers.

The Russian state-backed hackers may be targeting specific organisations including the Italian Marina Militare and its subcontractors, the researchers conclude. The targeting of Italian organisations during the summertime led the researchers to nickname the campaign "Roman Holiday".

Researchers from Z-Lab worked with independent researcher Drunk Binary (@DrunkBinary) on malware samples spotted in the wild and uploaded them to VirusTotal as they put together their analysis.

Further details on the malware samples analysed by CSE Cybsec, including the indications of compromise, are available in a report published by researchers at ZLAb here (pdf).

The APT28 hacking crew has been active since at least 2007, since when it has targeted governments, militaries, and other organisations worldwide.

The group - identified by Western intel agencies as a unit of Russian military intelligence, the GRU - has also been alleged to be behind attacks on the German Bundestag, French TV station TV5Monde and (most notoriously) a hack and leak campaign that targeted the US Democrats during the 2016 US presidential election.

More recently, in the second half of 2017, the group turned their attention away from NATO countries and Ukraine with attacks against countries included China, Mongolia, South Korea and Malaysia.

Researchers from Palo Alto Networks spotted attacks against the various Asian countries that made use of the SPLM and the Zebrocy tools previously linked to the group.

A dozen individuals who are alleged to be GRU intelligence operatives were indicted last week over a string of attacks that targeted 2016 US Presidential election.

The Register

You Might Also Read: 

Meet The Fancy Bears:

Nation State Cyber Attacks Are An Act Of War:

 

« UK Launches Consultation To Develop Cybersecurity Profession
NZ Cyber Security Challenge Simulates Drone Attacks »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Verisec International

Verisec International

Verisec International AB is a Swedish Tech company focused since inception in enabling Trust in Digital Transactions, through the development of proprietary cutting-edge technologies and services.

Cyber Security Expo

Cyber Security Expo

Cyber Security EXPO is a unique one day recruitment event for the cyber security industry.

SecureKey Technologies

SecureKey Technologies

SecureKey is a leading identity and authentication provider that simplifies consumer access to online services and applications.

National Cyber Summit (NCS)

National Cyber Summit (NCS)

The National Cyber Summit is the preeminent event for cyber training, education and workforce development aimed at protecting our nation's infrastructure from the ever-evolving cyber threat.

OEDIV SecuSys

OEDIV SecuSys

OEDIV SecuSys (formerly iSM Secu-Sys) develops high-quality IT software solutions, setting standards as a technology leader in the area of identity and access management.

NSIT

NSIT

NSIT SAS is a consulting, advisory and service provider in IT systems. Solution areas include networking & infrastructure, IT management & administration, and cyber security.

Uleska

Uleska

Uleska is a scalable platform that provides automated and continuous software security testing whilst translating cyber risk.

WiJungle

WiJungle

WiJungle is an Indian Cyber Security Company that develops and markets a unified network security gateway solution.

CloudOak

CloudOak

CloudOak is a cloud channel provider for hybrid cloud Backup as a Service (BaaS), Disaster Recovery as a Service (DRaaS) and Archiving to Small to Medium Business (SMB).

CENSUS

CENSUS

CENSUS is a Cybersecurity services provider offering services to multiple industries worldwide such as Security Testing, Code Auditing, Secure SDLC, Vulnerability Research and Consulting Services.

BreachQuest

BreachQuest

BreachQuest brings together cybersecurity experts with decades of experience identifying security flaws, penetrating networks, and responding to incidents.

Zerify

Zerify

Zerify offers the industry’s only video conferencing platform built with a zero-trust architecture to keep your meetings secure, private and business compliant.

US Department of State - Bureau of Cyberspace & Digital Policy

US Department of State - Bureau of Cyberspace & Digital Policy

The Bureau of Cyberspace and Digital Policy leads and coordinates the Department’s work on cyberspace and digital diplomacy to encourage responsible state behavior in cyberspace.

Defimoon

Defimoon

DeFimoon is the International Blockchain Development & Security Agency. We provide professional services and solutions at the highest quality on world-leading chains.

Camelot Secure

Camelot Secure

Camelot Secure Secure360 platform is a holistic redefinition of what world-class cybersecurity strategies can be. Prepare. Protect. Deploy.

Cork

Cork

Cork is a purpose-built cyber warranty company for managed service providers (MSPs) serving small businesses (SMBs) and the software solutions they manage.