Russian Hackers Are Using Brexit To Leverage Cyber Attacks

A hacking group widely believed to work on behalf of the Russian state is using Brexit as a lure for conducting cyber operations with the aim of delivering malware to targets across Europe.

The UK's departure from the European Union appears to be the latest in a line of current affairs topics which Russian hacking group Fancy Bear, also known as APT28, Sofacy and a variety of other names, is using in an effort to trick targets into opening emails and downloading malware.

Earlier this month, the hacking operation, which is thought to have strong links to the Kremlin, was seen using phishing lures relating to the recent Lion Air crash off the Indonesian coast. Now cyber security researchers at Accenture have seen the group, which they track as SNAKEMACKEREL, exploiting Brexit in a campaign designed to deliver Trojan malware.

It's believed that the campaign has actively targeted government departments, particularly ministries of foreign affairs, political think-tanks, and defence organisations across Europe.

"The threat group is likely to be seeking access to insights on the latest political affairs, including confidential documents on national interests related to current news headlines such as Brexit," said Michael Yip, security principal at Accenture Security's iDefense Threat Intelligence.

Targets are sent an email with an attachment named Brexit 15.11.2018.docx. If they open it, they are met with jumbled-up text and a claim that the document displays incorrectly because it was created in an earlier version of Microsoft Word. Users are urged to 'enable content' to see what the document claims to contain; if they follow that request, macros are enabled and the malicious macro retrieves and installs the malware.

The malicious payload is Zebrocy, a Trojan that has previously been observed being deployed as part of cyber espionage campaigns operating out of Russia.

Analysis of the malicious attachment also provides clues pointing towards the origin of the attacks: the document's metadata shows it was last modified by a user called 'Joohn', a name that has appeared in the file information of previous Fancy Bear campaigns. Researchers also note that the document's company field names Grizli777.
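As an added defender-side example (not code from the article or from Accenture's report), the triage check below opens an OOXML package, reads the authorship fields in docProps/core.xml and docProps/app.xml, and flags the 'Joohn' and 'Grizli777' values the article reports together with the presence of a VBA project part, which is where 'enable content' macros live. The sample package is constructed inline and is not a real malware sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml and docProps/app.xml in OOXML packages
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Authorship values the article reports for the Brexit lure document
REPORTED_LAST_MODIFIED_BY = {"Joohn"}
REPORTED_COMPANY = {"Grizli777"}


def triage_office_document(data: bytes) -> dict:
    """Pull authorship metadata and macro presence out of an OOXML (docx/docm) file."""
    result = {"creator": "", "last_modified_by": "", "company": "",
              "has_vba_project": False, "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        # A VBA project part is the usual home of 'enable content' macros
        result["has_vba_project"] = "word/vbaProject.bin" in names
        if "docProps/core.xml" in names:
            core = ET.fromstring(pkg.read("docProps/core.xml"))
            result["creator"] = core.findtext(f"{{{NS_DC}}}creator", default="").strip()
            result["last_modified_by"] = core.findtext(f"{{{NS_CP}}}lastModifiedBy", default="").strip()
        if "docProps/app.xml" in names:
            app = ET.fromstring(pkg.read("docProps/app.xml"))
            result["company"] = app.findtext(f"{{{NS_APP}}}Company", default="").strip()
    if result["has_vba_project"]:
        result["findings"].append("contains word/vbaProject.bin (macro-enabled)")
    if result["last_modified_by"] in REPORTED_LAST_MODIFIED_BY:
        result["findings"].append(f"lastModifiedBy '{result['last_modified_by']}' matches reported indicator")
    if result["company"] in REPORTED_COMPANY:
        result["findings"].append(f"Company '{result['company']}' matches reported indicator")
    return result


def build_sample_document() -> bytes:
    """Constructed sample package (not a real malware sample) carrying the reported metadata."""
    core = (f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
            "<dc:creator>user</dc:creator><cp:lastModifiedBy>Joohn</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    app = f'<Properties xmlns="{NS_APP}"><Company>Grizli777</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
        pkg.writestr("word/vbaProject.bin", b"")  # empty stand-in for a VBA project stream
    return buf.getvalue()
```

Metadata is trivially forged, so these values are a triage hint to pivot on, not an attribution on their own.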

The group has been particularly active since October, and Accenture has "high confidence" that the campaign remains highly active. Given how quickly the attackers react to current affairs, it is likely only a matter of time before they use another news event as a lure.

"The speed in which fresh news headlines are used for document lures in attacks particularly highlights the group's knowledge of foreign affairs and provides strong indications of their targeting remit," said Yip.

Fancy Bear has been linked to a number of high-profile cyber campaigns in recent years, including cyber-attacks and disinformation aimed at interfering in the US presidential election. It is also thought to have conducted further espionage campaigns against a number of nation-states and international organisations.

ZDNet
