Russian hackers strike American networks again

Hackers backed by Russia's military intelligence agency (GRU) are once again targeting American networks, in a series of intrusions against organizations ranging from government agencies to critical infrastructure.

The GRU has previously carried out numerous hacking operations, including a large-scale operation designed to influence the outcome of the 2016 US presidential election.

The Russian hacking group known as APT28 or Fancy Bear, part of the GRU, carried out a broad hacking campaign against American targets from December 2018 until at least May of this year.

According to an FBI alert sent to victims of the intrusions in May, the hackers attempted to break into victims' mail servers, Microsoft Office 365 and email accounts, and VPN servers.

The targets included a wide range of US-based organizations, state and federal government agencies, and educational institutions.

The technical data in the alert reveals that APT28 also targeted the US energy sector.

The discovery of a new wave of Russian hacking aimed at the United States is of particular concern in light of the GRU's previous operations, which have often gone beyond mere espionage to include leaks of stolen email or disruptive cyber attacks.

APT28 hackers have been the subject of US indictments alleging breaches of the 2016 US election and of the World Anti-Doping Agency.

The latter was in retaliation for the International Olympic Committee's ban on Russia from the 2018 Olympics over doping.

"Although the motives are not clear, we can make judgments based on the nature of the targets, as it appears from previous indictments," an FBI spokesman wrote in a statement about the alert to victims of the APT28 intrusions.

The FBI also says the GRU-backed campaign has likely continued in recent months, and that it expects the activity to continue.

According to the alert, APT28 gained access to networks through phishing emails sent to both personal and business email accounts.

The hackers also used credential attacks: password spraying, in which a few common passwords are tried across many accounts, and brute-force password guessing against a single account or a small number of accounts.
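The two techniques leave different footprints in authentication logs, and that difference is what a defender keys on. The following is an added example (my own code, not from the FBI alert or the article) that runs a simple sliding-window detection over a constructed set of login records: one source address fails against many distinct accounts (spraying), another fails repeatedly against one account (brute force), and a third is ordinary user activity. The log format, field names, IP addresses, account names and thresholds are all assumptions for the sake of the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real data).
# 198.51.100.7 sprays one password across six accounts and gets one hit,
# 203.0.113.9 brute-forces the "admin" account, 192.0.2.44 is a normal user.
SAMPLE_LOG = """\
2020-05-04T08:00:01Z result=FAIL user=a.smith src=198.51.100.7
2020-05-04T08:00:03Z result=FAIL user=b.jones src=198.51.100.7
2020-05-04T08:00:05Z result=FAIL user=c.lee src=198.51.100.7
2020-05-04T08:00:07Z result=FAIL user=d.kim src=198.51.100.7
2020-05-04T08:00:09Z result=FAIL user=e.ortiz src=198.51.100.7
2020-05-04T08:00:11Z result=SUCCESS user=f.chen src=198.51.100.7
2020-05-04T08:10:00Z result=FAIL user=admin src=203.0.113.9
2020-05-04T08:10:01Z result=FAIL user=admin src=203.0.113.9
2020-05-04T08:10:02Z result=FAIL user=admin src=203.0.113.9
2020-05-04T08:10:03Z result=FAIL user=admin src=203.0.113.9
2020-05-04T08:10:04Z result=FAIL user=admin src=203.0.113.9
2020-05-04T08:10:05Z result=FAIL user=admin src=203.0.113.9
2020-05-04T08:30:00Z result=FAIL user=g.patel src=192.0.2.44
2020-05-04T08:30:20Z result=SUCCESS user=g.patel src=192.0.2.44
"""

# Assumed log line layout: "<ISO timestamp> result=<FAIL|SUCCESS> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse log text into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=30), spray_users=5, brute_fails=5):
    """Per source IP, slide a time window over failed logins and flag:
    - password_spray: failures against >= spray_users distinct accounts in the window
    - brute_force:    >= brute_fails failures against one account in the window
    Returns {(src, kind): details}. Thresholds are assumed, tune to your environment."""
    by_src = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp first
        by_src[ev[3]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        successes = sorted({e[2] for e in evs if e[1] == "SUCCESS"})
        start = 0
        for end in range(len(fails)):
            # Advance the window start so it spans at most `window` of time.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(e[2] for e in fails[start:end + 1])
            if len(per_user) >= spray_users:
                # A success from a spraying source is the case worth chasing first:
                # it is likely a valid credential the attacker will now reuse.
                alerts[(src, "password_spray")] = {
                    "accounts": len(per_user),
                    "successes_from_source": successes,
                }
            user, count = per_user.most_common(1)[0]
            if count >= brute_fails:
                alerts[(src, "brute_force")] = {"account": user, "failures": count}
    return alerts


if __name__ == "__main__":
    for (src, kind), details in sorted(detect(parse(SAMPLE_LOG)).items()):
        print(f"{kind:15s} src={src} {details}")
```

The point of keying on the source address rather than on the account is that spraying stays below any per-account lockout threshold by design; only the count of distinct accounts per source, or the success that follows a run of failures from the same source, gives it away. In a real deployment the same logic runs over Office 365 sign-in logs or VPN authentication logs, and the source field is often an IP from a proxy or anonymizing service, so the IP itself should be treated as an indicator only in combination with the behaviour.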

Within days of the FBI sending its alert to victims in early May, the National Security Agency issued a public advisory that Sandworm, a separate hacking group closely linked to the GRU, was exploiting a vulnerability in Exim mail servers to target victims.

An employee of an affected organization said: the IT personnel saw no sign of a successful phishing attack, but they found that the hackers had accessed the email server, and once they reached the server, they stole entire mailboxes.

The FBI declined to say how many victims the APT28 campaign targeted, or how many of those attempts succeeded.

But the security company FireEye says it has seen a group of organizations breached by hackers using the same Internet Protocol (IP) addresses that the FBI alert lists as used by APT28.

The hackers apparently did not infect systems with malware; instead they used stolen login credentials to move through corporate networks the way legitimate employees do.

At least one of the group's targets appears to be in the US energy industry: the Energy Department warned in January that, last year, someone had probed the login pages of a US energy entity from an IP address previously used by APT28.

The FBI listed that same IP address among those used by APT28 through May, confirming that APT28 was most likely behind the incident.

Intrusions into the energy sector represent a shift in APT28's targeting, and while this appears to be new territory for APT28, the GRU has a history of penetrating critical infrastructure.

The GRU's Sandworm group planted malware inside US electrical utility networks in 2014, and caused the first blackouts ever attributed to cyber attacks, in Ukraine in 2015 and 2016.