The same suspected state-sponsored hacking group linked to meddling in the 2016 U.S. presidential race is actively targeting foreign affairs agencies and ministries in North America and Europe, security researchers warned Wednesday.
Known by names including Fancy Bear, APT28 and Sofacy, among others, the hackers started sending emails this month to North American and European diplomats containing malware capable of giving attackers complete control over their victims’ computers, said researchers for Palo Alto Networks’ Unit 42 threat intelligence team.
The hackers began sending phishing emails to targets in early February masquerading as messages from Jane’s, a British publishing company that specializes in the topics of aerospace, defense and security.
The malicious emails each contained the subject line “Upcoming Defense events February 2018,” and the body of the messages referred recipients to an attached Microsoft Excel spreadsheet, the researchers wrote.
“Attached you can find Upcoming Defense, Military and Intelligence event calendar,” the emails said. “Note: If you have trouble viewing the document you can try to enable content to resolve the issue.”
The notice advising recipients to enable content is the “key to the attack,” wrote Christopher Budd, a senior threat communications manager for the California-based security firm. Individuals who open the Excel document will indeed be asked to click an “Enable Content” button, he wrote, but doing so will bypass Microsoft’s security protections and install malware on the machines, according to Palo Alto Networks.
“It’s really running a program that silently installs a program on the system,” Mr. Budd explained. “This program gives the attackers complete control over the computer and can enable them to copy documents, usernames, passwords, account information and even take screenshots.”
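The lure described above maps directly onto a mail-gateway check: the quoted subject line, the "enable content" nudge in the body, and an Excel attachment that actually carries macro code. The following Python is an added example, not code from Unit 42 or Palo Alto Networks; it assumes the "Enable Content" prompt corresponds to a VBA project (xl/vbaProject.bin) inside an Open XML workbook, and the sample message, attachment filename and verdict labels are constructed for the demonstration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

LURE_SUBJECT = "Upcoming Defense events February 2018"  # subject line quoted in the article
LURE_PHRASE = b"enable content"                         # the nudge in the lure body
EXCEL_EXT = (".xls", ".xlsx", ".xlsm")

def has_vba_project(data: bytes) -> bool:
    """Office Open XML workbooks are zips; a macro project lives at xl/vbaProject.bin.
    Legacy binary .xls is OLE2, not zip, so it reports False here (needs an OLE parser)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def assess_message(raw: bytes) -> dict:
    """Score one RFC 822 message: lure subject, body nudge, and macro-bearing Excel files."""
    msg = email.message_from_bytes(raw)
    f = {"lure_subject": LURE_SUBJECT in (msg["Subject"] or ""),
         "enable_content_nudge": False, "excel_attachments": 0, "macro_attachments": 0}
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "text" and not name:
            f["enable_content_nudge"] |= LURE_PHRASE in payload.lower()
        elif name.endswith(EXCEL_EXT):
            f["excel_attachments"] += 1
            f["macro_attachments"] += int(has_vba_project(payload))
    # A macro-bearing workbook is held outright; lure wording alone only flags for review.
    f["verdict"] = ("quarantine" if f["macro_attachments"] else
                    "review" if f["lure_subject"] or f["enable_content_nudge"] else "allow")
    return f

def build_sample(with_macro: bool) -> bytes:
    """Constructed message (not a real sample): the article's subject and body wording
    plus a minimal .xlsm zip, optionally containing an empty VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00")
    msg = EmailMessage()
    msg["Subject"] = LURE_SUBJECT
    msg.set_content("Attached you can find Upcoming Defense, Military and Intelligence event "
                    "calendar. Note: If you have trouble viewing the document you can try to "
                    "enable content to resolve the issue.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="events.xlsm")
    return msg.as_bytes()
```

Running `assess_message(build_sample(True))` yields a "quarantine" verdict because the workbook contains a VBA project, while the same lure without the macro only earns "review" on the subject and body wording.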
Researchers declined to state the specific targets affected, aside from identifying them as “foreign affairs agencies and ministries in North America and Europe, including a European embassy in Moscow.”
German media reported earlier Wednesday, meanwhile, that the same hacking group recently breached a government computer network there and successfully stole data from its Foreign and Defense Ministries.
“The attack was isolated and brought under control within the federal administration,” said a spokesman for the German Interior Ministry afterwards. He declined to comment on the possible source or scope of the attack, Reuters reported.
Security researchers have previously linked the Fancy Bear hackers to attacks that have been widely attributed to Russian military intelligence, including the campaigns in 2016 against the Democratic National Committee and the party’s nominee for president, Hillary Clinton.
More recently the group waged an attack that involved mimicking the U.S. Senate’s Active Directory Federation Services (ADFS), the chamber’s internal email system, according to a report released last month by Trend Micro, a Japanese security firm.
“The Sofacy group should no longer be an unfamiliar threat at this stage,” Palo Alto Networks warned Wednesday. “They have been well documented and well researched with much of their attack methodologies exposed. They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past. This leads us to believe that their attack attempts are likely still succeeding, even with the wealth of threat intelligence available in the public domain.”
“Given the significant activity attributed to Sofacy, and the new evidence directly targeting the diplomatic community, Palo Alto Networks wants to ensure that foreign affairs agencies around the world understand how the attacks are carried out, and what agencies and personnel can do to protect themselves,” the researchers warned.
Russia has repeatedly denied hacking U.S. targets.