The attack has been linked to the APT28/Fancy Bear group

May 12, 2017 21:21 GMT

After hacking the Democratic National Committee last fall and being accused of also hacking newly elected French President Emmanuel Macron, Fancy Bear is now looking into Romania's Foreign Ministry of Affairs.

According to CyberScoop, the elite hacking group, which has been quite busy in the past few months, sent a series of phishing emails that appeared to come from a NATO representative to members of the Romanian Foreign Ministry of Affairs.

The email carried an attachment leveraging two recently disclosed Microsoft Word vulnerabilities, while also spoofing a NATO email address to make it all seem authentic.

The email sent to Foreign Ministry of Affairs employees contained an attachment named "Trump's_Attack_on_Syria_English.docx," which included a news article copy-pasted into Microsoft Word. If the attachment is opened on a vulnerable system, it covertly downloads a remote access trojan (RAT).

Cybersecurity firm FireEye made the connection between the email officials received and the APT 28 hacking group, also known as Fancy Bear. The group is believed to have strong ties to the Russian government.

The RAT is known as GameFish, and it allows the attackers to exfiltrate sensitive data. It also acts as a gateway for other computer viruses that can be remotely deployed on infected devices.

The attack, confirmed

"We are aware that such attacks include the use of spoofed NATO email addresses. As is common practice, whenever we detect spoofed email addresses, NATO alerts the responsible authorities in Allied countries to prevent attacks from spreading. The hacker group APT 28 - which is also called Fancy Bear or Pawn Storm - is well known to the cyber defense community and we track its activities closely," a NATO official told CyberScoop.

The Romanian Intelligence Service also issued a statement, admitting the problem. "We have identified an attempted cyber attack targeting a governmental Romanian institution," they said. "Thanks to the efficient cooperation between institutions, the attack was blocked, avoiding any damage."

They also added that, while this is a notable attack, it's not anything new as Romanian institutions are targeted by thousands of cyber attacks each day.