Pawn Storm group started preparations in June 2014

May 13, 2015 13:04 GMT  ·  By

Recently discovered activity of a cyber-espionage group believed to be connected with Russian intelligence shows that the hackers are preparing cyber attacks against financial organizations across the world.

Among the organizations targeted by the hackers are Bank of America, Commercial Bank International (United Arab Emirates), Toronto Dominion Canada Trust, United Nations Children’s Fund, United Bank for Africa and Regions Bank.

Hackers spent 11 months laying the groundwork

Dubbed APT28 or Pawn Storm by security researchers, the hacker group has been operating since at least 2007 and has been involved in attacks against military, governmental and media organizations, leveraging a set of malicious tools known as Sofacy/Sednit.

Security company Root9B discovered the hackers’ preparations towards the end of April, while carrying out a routine check of a client’s computer network for signs of suspicious activity that could point to new and emerging threats.

The red flag was raised when the researchers encountered a domain that seemed to be part of a spear phishing campaign targeting a financial institution, although the server hosting it was associated with cyber-espionage activity.

As the investigation went deeper, they found new pieces of malware bearing the Sofacy group’s signature and a trove of malicious domains, some registered as early as June 2014 and others as recently as April 29, 2015.

Most of them have names resembling those of the aforementioned financial organizations’ websites.

Two units with different objectives may be part of the same group

A report from Root9B released on Tuesday reveals that the researchers were able to glean details about the group by exploiting a mistake the hackers made when registering the nefarious domains, suggesting that it has two distinct divisions at work.

“The first seemed to focus on military, diplomatic, and media targets, and relied on the cover of proxies and private domain registrations,” the report states.

The other group has a different objective and “used deliberately falsified personalities, all of which claimed to be American citizens, and focused on financial and banking targets.”

Root9B found a pattern in the domain registration information: the registrant details reused similar addresses, phone numbers and house numbers.
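The two observations above (domain names resembling the targeted organizations, and registrant details reused across registrations) are the kind of pivots a threat-intelligence analyst automates. The following is an added example, not Root9B’s tooling or data: it clusters domains that share a phone number or a normalized street address and flags which watchlisted brand each domain label resembles. Every domain, phone number, street and brand name in it is a constructed placeholder.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed WHOIS-style records (placeholder .test domains, fake phones and
# streets); not the registrations from the Root9B report.
RECORDS = [
    {"domain": "examplebank-secure.test", "phone": "+1-555-0100", "street": "12 Placeholder St"},
    {"domain": "example-bank-login.test", "phone": "+1-555-0100", "street": "12 Placeholder St"},
    {"domain": "sampletrust-online.test", "phone": "+1-555-0199", "street": "12 Placeholder Street"},
    {"domain": "unrelated-shop.test", "phone": "+1-555-0142", "street": "9 Other Ave"},
]
WATCHLIST = ["examplebank", "sampletrust"]  # constructed brand names to protect

def normalize_street(street):
    """Fold case, punctuation and Street/St so near-identical addresses pivot together."""
    s = re.sub(r"[^a-z0-9 ]", "", street.lower())
    s = re.sub(r"\b(street|str)\b", "st", s)
    return re.sub(r"\s+", " ", s).strip()

def cluster_by_registrant(records):
    """Group domains linked by a shared phone or normalized address (union-find
    over domain and pivot-key nodes); singleton domains are dropped."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for r in records:
        for key in (("phone", r["phone"]), ("street", normalize_street(r["street"]))):
            parent[find(r["domain"])] = find(key)  # union domain with its pivot key
    groups = defaultdict(set)
    for r in records:
        groups[find(r["domain"])].add(r["domain"])
    return sorted((sorted(g) for g in groups.values() if len(g) > 1), key=len, reverse=True)

def lookalike_brand(domain, watchlist, threshold=0.8):
    """Return the watchlisted brand the domain label most resembles, or None.
    Checks each dash-separated token and the dash-stripped label."""
    label = domain.rsplit(".", 1)[0].lower()
    candidates = set(label.split("-")) | {label.replace("-", "")}
    best, best_score = None, 0.0
    for brand in watchlist:
        for c in candidates:
            score = 1.0 if brand in c else SequenceMatcher(None, c, brand).ratio()
            if score > best_score:
                best, best_score = brand, score
    return best if best_score >= threshold else None
```

Running `cluster_by_registrant(RECORDS)` links the three placeholder bank-themed domains through the shared phone number and the address that differs only in "St" versus "Street", while the unrelated domain stays out; `lookalike_brand` then names the brand each clustered domain imitates.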

The researchers’ finding that the APT28 cyber-espionage collective also carries out financially motivated attacks strengthens the belief that hackers associated with nation-state campaigns pursue their own agenda as well, relying on the same tools and tactics to do so.