Kremlin Hacking Crew Take A 'Roman Holiday'

Researchers have claimed the infamous APT28 Kremlin-linked hacking group was behind a new cyber-espionage campaign they believe was targeted at the Italian military.

Security researchers from the Z-Lab at CSE Cybsec spent a recent weekend unpicking a new malware-based cyber-espionage campaign allegedly conducted by APT28, also known as Fancy Bear.

The multi-stage campaign features an initial dropper malware, written in Delphi, and a new version of the X-agent backdoor, a strain of malicious code previously linked to APT28.

One malicious library (DLL) file associated with the campaign phones home to a command-and-control server with the name "marina-info.net". This is a reference to the Italian military's naval arm, the Marina Militare, according to the researchers.

"The dll that connects to 'marina-info.net' might be the last stage-malware that is triggered only when particular conditions occur, for example when the malware infects a system with an IP address belonging to specific ranges," the researchers claimed.
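The one concrete indicator the article gives is the C2 hostname. The script below is an added example, not code from the article or from the Z-Lab report: it scans DNS query-log lines for that hostname (and any subdomain of it) and lists the internal clients that resolved it. The log lines are constructed for the example, the BIND-style layout they follow is an assumption, and the domain list can be extended with whatever else the report publishes.

```python
"""Added example (not from the article or the Z-Lab report): check DNS query
logs for the C2 domain the article names, "marina-info.net", including any
subdomain of it, and report which internal clients queried it.
"""
import re
from dataclasses import dataclass

# Domain reported in the article as the C2 hostname. Add further domains from
# the published report here; matching is exact or on a subdomain boundary.
IOC_DOMAINS = {"marina-info.net"}

# Constructed sample log lines in an assumed BIND-style query-log layout.
# The timestamps and client addresses are invented for the example.
SAMPLE_LOG = """\
19-Jul-2018 09:12:01.113 client 10.0.4.23#51234: query: marina-info.net IN A + (10.0.0.53)
19-Jul-2018 09:12:03.220 client 10.0.4.23#51235: query: www.example.com IN A + (10.0.0.53)
19-Jul-2018 09:13:45.001 client 10.0.7.9#40012: query: cdn.marina-info.net IN A + (10.0.0.53)
19-Jul-2018 09:14:10.555 client 10.0.7.9#40013: query: marina-info.net.example.org IN A + (10.0.0.53)
19-Jul-2018 09:15:00.000 client 10.0.2.2#33333: query: notmarina-info.net IN A + (10.0.0.53)
"""

# Pull the querying client and the queried name out of each log line.
LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass(frozen=True)
class Hit:
    client: str
    qname: str
    ioc: str


def matches_ioc(qname, iocs=IOC_DOMAINS):
    """Return the matching IoC domain, or None.

    A name matches when it equals the IoC or ends with "." + IoC, so
    "cdn.marina-info.net" matches while "notmarina-info.net" and
    "marina-info.net.example.org" do not.
    """
    name = qname.rstrip(".").lower()
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text, iocs=IOC_DOMAINS):
    """Parse query-log text and return a Hit for every IoC match."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query record; skip
        ioc = matches_ioc(m.group("qname"), iocs)
        if ioc:
            hits.append(Hit(m.group("client"), m.group("qname"), ioc))
    return hits


def clients_to_triage(hits):
    """Distinct internal clients that resolved an IoC domain, sorted."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.client} queried {h.qname} (matches {h.ioc})")
    print("clients to triage:", clients_to_triage(found))
```

Two matching hosts in the sample data is the expected result. Note the caveat the researchers themselves raise: if the final stage only fires on hosts inside particular IP ranges, most infected machines will never resolve this domain, so a clean DNS log is not evidence that the earlier dropper stages are absent.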

The Russian state-backed hackers may be targeting specific organisations including the Italian Marina Militare and its subcontractors, the researchers conclude. The targeting of Italian organisations during the summertime led the researchers to nickname the campaign "Roman Holiday".

Researchers from Z-Lab worked with independent researcher Drunk Binary (@DrunkBinary) on malware samples spotted in the wild and uploaded them to VirusTotal as they put together their analysis.

Further details on the malware samples analysed by CSE Cybsec, including the indicators of compromise, are available in a report published by researchers at Z-Lab here (pdf).

The APT28 hacking crew has been active since at least 2007, and since then it has targeted governments, militaries, and other organisations worldwide.

The group - identified by Western intel agencies as a unit of Russian military intelligence, the GRU - has also been alleged to be behind attacks on the German Bundestag, French TV station TV5Monde and (most notoriously) a hack and leak campaign that targeted the US Democrats during the 2016 US presidential election.

More recently, in the second half of 2017, the group turned its attention away from NATO countries and Ukraine, with attacks against countries including China, Mongolia, South Korea and Malaysia.

Researchers from Palo Alto Networks spotted attacks against the various Asian countries that made use of the SPLM and the Zebrocy tools previously linked to the group.

A dozen individuals alleged to be GRU intelligence operatives were indicted last week over a string of attacks that targeted the 2016 US presidential election.

The Register
