Less than a week after the EU Council adopted a new protocol to help Europol and other law enforcement agencies respond to major cross-border cyber-attacks, news has arrived that two Russian hacker groups have been targeting European governments with spear-phishing attacks ahead of parliamentary elections due to be held in May.
According to a new report from security firm FireEye, two well-known hacker groups, APT28 (Fancy Bear) and Sandworm, both of which the firm believes are sponsored by the Russian state, are targeting European government organisations with spear-phishing attacks in order to gain access to their login credentials and passwords.
Hackers using fake websites & sender names in spear-phishing campaign
Explaining the way the two hacker groups have been operating recently, FireEye researchers said that the groups are sending emails to government employees and prompting them to click a malicious link or attachment which redirects the victims to a fake login site used to steal passwords.
To increase their chances of success, hackers belonging to these groups are registering and using Internet domains similar to those that are familiar to and trusted by the recipients. This involves spoofing the domains of real government websites and using sender names that are familiar to the targeted victims.
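A defender-side check for the lookalike domains and reused sender names described above, as an added example that is not from FireEye's report or the original article. The trusted domain, the sender directory and the substitution table are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list and staff directory (assumptions for illustration only).
TRUSTED_DOMAINS = {"mfa.gov.example"}
KNOWN_SENDERS = {"anna keller": "anna.keller@mfa.gov.example"}

# Substitutions often seen in lookalike registrations (assumed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "."))


def skeleton(domain):
    """Collapse visually confusable sequences so lookalikes map to one string."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance using a single-row dynamic programme."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def check_sender(from_header):
    """Return findings for one From: header; an empty list means nothing flagged."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return []  # exact match; whether the mail really came from it is DMARC's job
    findings = []
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 2:
            findings.append("lookalike-domain:" + trusted)
        elif domain.startswith(trusted + ".") or trusted.replace(".", "-") in domain:
            findings.append("embedded-trusted-name:" + trusted)
    # A familiar display name on an untrusted address is the sender-name trick.
    if name.strip().lower() in KNOWN_SENDERS:
        findings.append("display-name-reuse")
    return findings
```

A check like this complements DMARC rather than replacing it: DMARC covers mail that claims to come from the real domain, while this flags mail from a different domain chosen to resemble it.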
"The groups could be trying to gain access to the targeted networks in order to gather information that will allow Russia to make more informed political decisions or it could be gearing up to leak data that would be damaging for a particular political party or candidate ahead of the European elections," said Benjamin Read, Senior Manager of Cyber Espionage Analysis at FireEye.
"The link between this activity and the European elections is yet to be confirmed, but the multiple voting systems and political parties involved in the elections create a broad attack surface for hackers," he added.
According to FireEye, even though the two hacker groups are backed by the same sponsor, they are using different methods to achieve their malicious aims. While Sandworm hackers are using publicly available tools to breach their targets, APT28 hackers are using costly custom tools and have deployed zero-day exploits.
"The attacks on the EU elections are yet another example of phishing being used as a method to obtain sensitive government information and attack high value targets. As a result, it is vital that all EU government employees are empowered to mitigate these scams," said Anjola Adeniyi, technical manager for EMEA at Securonix.
"Hackers will carry out reconnaissance on their targets to make their scams look legitimate, so even if employees are confident that an email is genuine, it is better to practice caution and be safe, rather than sorry. Impersonating a given domain is a common method used for phishing and other malicious activities – DMARC protects against this type of phishing attack, which the European government should consider if it hasn’t already done so," he added.
Russian hackers aiming to influence the foreign policy environment
The recent spear-phishing attacks on European governments by Russian hackers aren't much different from their conduct ahead of the U.S. presidential elections in 2016. Soon after the elections took place, security experts discovered a series of phishing e-mails that were sent to US think tanks, non-governmental organisations, and people involved in national security, defence, international affairs, public policy, and European and Asian studies.
The phishing e-mails were sent from hacked accounts at Harvard's Faculty of Arts and Sciences. They promised to reveal the “truth” behind the US elections and contained PDF and .zip attachments that led to malware installer scripts.
"As we learned from the last U.S. presidential election, there are treasure troves of sensitive information online on candidates, the opposition and foreign leaders. In addition, if countries can glean information about military strategy, doctrine, weapons systems deployment, etc, etc., rest assured the networks where the information resides will be attacked," says Israel Barak, chief information security officer at Cybereason.
"Fundamentally, Russia and its agents typically don't care about elections or political parties, but rather they are focused on using non kinetic means to change their foreign policy environment. Simply put, cyber intrusions, psychological operations, and propaganda to change the narrative about Russia and sow discord to prevent unified action is most important," he adds.