Cyber Command blames Russian hacking groups for two malware strains

United States Cyber Command has blamed Russian hacking groups for two major malware strains to warn organizations about cyberattacks.

In late October, Cyber Command, part of the Department of Defense, attributed the Zebrocy malware to the APT28 hacking group and the ComRAT malware to the Turla hacking group. While other cybersecurity experts have previously attributed the two malware families to Russian hacking groups, the Cyber Command warnings appear to be an effort to help organizations defend against the malware.

Hacking teams from different parts of the globe have their preferred ways of designing malware, said Pieter VanIperen, a veteran software architect and security expert.

“Knowing where malicious packages originate helps security teams better know how to defend against them,” said VanIperen, founder and managing partner of PWV Consultants, specializing in digital tech and security consulting. “Every hacker has their own signature, which helps security teams set protections. It’s also helpful for security teams to know what to keep their eyes open for.”

The attributions point defenders to the attackers’ modus operandi, added Heather Stratford, CEO of cybersecurity firm Stronger International.

“Knowing the malware architects, and where they are coming from, helps you know who you are defending against,” she told the Washington Examiner. “This is a war, and all the pieces of information are valuable.”

APT28, also known as Fancy Bear, is blamed for attacks on the Democratic National Committee, the German Parliament, NATO, and other high-profile organizations.

Meanwhile, Turla is also known as Venomous Bear and is suspected of targeting former Eastern Bloc nations and embassies in Ukraine, China, Kazakhstan, Armenia, Poland, and Germany.

ComRAT is mainly used for stealing confidential documents and information exfiltration, VanIperen told the Washington Examiner. It opens a back door through an injected library in the system browser and then exfiltrates data via backdoor commands. It will also siphon information used to evade detection.

Zebrocy is an evolved version of a 2017 malware package, he said. Two Windows executable files open a back door, and then, a remote user can perform various functions on the infected machine. The executables discovered are designed to encrypt future communication, hide files, and create scheduled tasks for an attack on a specific system or network.

“These two malware packages are incredibly sophisticated and complex,” VanIperen said. “They showcase the group’s intention to infiltrate a machine and stay on it for a long time.”

The two malware packages are often distributed through spear-phishing attacks and, therefore, are not always picked up by anti-malware tools, added Stelios Valavanis, CEO and founder of onShore Security.

The reason to attribute these malware packages to Russian hackers is mostly political, although they are “helpful details that allow for tuning of defenses,” Valavanis told the Washington Examiner.

As foreign attackers get more “brazen,” the U.S. is stepping up its naming-and-shaming efforts, he added. Cybersecurity experts noted that APT28 was the hacking group blamed for infiltrating the Democratic National Committee before the last U.S. presidential election.

“This is related to the 2016 election as retaliation, too,” Valavanis said. “It applies international pressure on Russia.”

Stronger International’s Stratford called on government agencies and private companies to continue to share information. “Cybersecurity and defense is not a solo sport. It’s a team event in many ways, and sharing information and strategies is helpful to all,” she said.

Better cybersecurity training is also needed, she added.

“The way it is being done today, frankly, sucks,” she said. “It is commoditized, antiquated, and static. Despite the money spent in this area, the training is not up to the level of sophistication that the criminals are escalating to, and the current market is trying to make training a one-size-fits-all.”
