Ahead of Montenegro's integration into NATO, hackers targeted the country's government with a detailed attack

Jun 7, 2017 21:03 GMT

Earlier this week, Montenegro officially joined the North Atlantic Treaty Organization (NATO), a move to which Russia has expressed strong opposition, threatening to retaliate if the country went through with the decision. The attacks, however, seem to have been going on for months, as hackers linked to Russia launched cyberattacks on the country's government.

According to security firm FireEye, the attacks aimed at the Montenegro government were spotted earlier this year and involved malware and exploits linked to the threat group APT28, also known as Fancy Bear, Tsar Team, Pawn Storm and many other names, SecurityWeek reports.

The latest attacks observed by researchers used spear-phishing emails to deliver malicious documents pertaining to a NATO secretary meeting, as well as a visit by a European army unit to the area.

It is believed that the latter document may have been stolen and weaponized by the attackers. The malware attached to these documents is called GAMEFISH by FireEye and it has been exclusively connected to APT28. Other security companies have been tracking this backdoor under names such as Sednit or Sofacy.

FireEye has declined to give many details about this exploit, although it has informed its customers about the malware's delivery framework.

How does it work?

SecurityWeek was told by FireEye that the malicious documents profile the targeted systems in an effort to determine which version of Flash Player is present, before a command and control (C&C) server is contacted and the appropriate Flash exploit is downloaded. The exploit is then used to deliver the malware.

It is unclear at this point if the attacks were successful or not, but it is known that APT28 continuously targets NATO member states and NATO itself, so the attacks are likely to continue regardless.

The group was also involved in the US presidential election last fall, as well as the French elections last month.