Sofacy Group

from Wikipedia, the free encyclopedia

According to Western intelligence assessments, the Sofacy Group is a hacker collective operating as a unit of the Russian military intelligence service GRU, designated Unit 26165, which specializes in attacking prominent targets and stealing confidential information. The group has been active since around 2004.

Attacks on Democratic Party computers in connection with the 2016 presidential election in the United States were attributed to this group by the US intelligence agencies NSA and the Department of Homeland Security, which held the government of the Russian Federation responsible for them (see Russian influence on the 2016 US election campaign). Dutch authorities identified four Russian agents as members of the group. The men carried diplomatic passports and in 2018 carried out a hacking attack in The Hague on the facility of the Organization for the Prohibition of Chemical Weapons (OPCW), which was analyzing samples from the attack on Sergei Skripal and from a poison gas attack in Douma, Syria.

Numerous names are in circulation for the Sofacy Group, partly because attacks were attributed to it only after the fact. Examples are Advanced Persistent Threat 28 (APT28), Fancy Bear, Pawn Storm and Strontium.

Background

The vast majority of IT security experts and Western intelligence services have long assumed that the Sofacy Group is part of the Russian military intelligence service. The scope of the attacks, the resources available and, above all, the choice of targets indicated a political motivation aligned with the interests of the Russian government. In 2016, independent security experts pointed out that although there were some arguments in favor of the group belonging to Russian intelligence services, this was not adequately documented. It was not until 2018, after several agents had been exposed, that official bodies in the USA, Great Britain and the Netherlands classified the group as part of the GRU.

The group has operated under several names. The abbreviation "APT 28" goes back to a report by the security company FireEye from February 2013 entitled "APT28 - A Window Into Russia's Cyber Espionage Operations?". Other names for the hacker group, besides Fancy Bear, are Pawn Storm, Sednit (or Sednit Gang) and Tsar Team.

FireEye collected a number of technical characteristics from the logs of the attacks and used them to identify APT28. For more than six years, for example, Russian-language command lines were repeatedly found in the logs.

Attacks

According to FireEye, a US network security company, the group also attacked European arms shows, including EuroNaval 2014, EUROSATORY 2014, the Counter Terror Expo and the Farnborough Airshow 2014. FireEye stated, however, that its report on APT28 only mentioned targets of the group that suggested proximity to government agencies and did not consider other attacks. According to reports from PricewaterhouseCoopers and Bitdefender, web providers as well as telecommunications and energy companies were also among the targets.

In 2015, following a tip from an English company, malware was found on two computers belonging to the Left Party (Die Linke) parliamentary group in the Bundestag. A forensic technical analysis by IT security researcher Claudio Guarnieri concluded that Sofacy was probably behind the malware on the group's computers. Guarnieri writes that attributing malware attacks is never easy, but that in the course of the investigation he found indications that the attacker could be related to the Sofacy Group.

In spring 2015, Sofacy allegedly hijacked a total of 14 servers of the German Bundestag and stole 16 gigabytes of data (see cyber attack on the Bundestag).

In February 2015, APT28 sent threatening messages to families of American soldiers in the name of the Islamic State (IS) hacker group "CyberCaliphate". The messages attracted considerable media interest and triggered a public debate about the reach of IS on the Internet. The covert operation by the Russian hackers was allegedly intended to heighten the sense of threat from Islamic terrorism in American society. Contacts between "CyberCaliphate" and APT28 had been documented previously, and the two groups are considered closely related. In April 2015, the French broadcaster TV5 Monde was the victim of a hacking attack in which the "CyberCaliphate" logo was displayed on the broadcaster's website. In the summer of that year, French investigators from the Agence nationale de la sécurité des systèmes d'information finally revealed that the attack had no Islamist background but rather originated in Moscow.

In 2016 the hacker Guccifer 2.0 managed to break into the computer systems of the Democratic Party and obtain data relating to the upcoming 2016 US presidential election campaign. Information from this data set was published several times by the disclosure platform Wikileaks. According to security firms, the attacks were carried out by a hacker group that various security experts had given different names, including Sofacy. The security companies assumed an attack controlled from Russia, an assessment that the US Department of Homeland Security and the Director of National Intelligence, who heads the combined US intelligence community, adopted, accusing the leadership of the Russian government of being responsible for the attacks. Russia denied the allegations. Julian Assange, for his part, rejected in a statement the allegations of cooperation with Russia, which he said were "reminiscent of Senator McCarthy". Wikileaks published the information because it was important for the formation of public opinion in the USA and was covered by the First Amendment. Wikileaks did not have comparable information about the internal affairs of other presidential candidates. According to observers, whether Guccifer 2.0 was actually deployed by the Russian intelligence service against the Democratic Party of the USA, or whether an unknown group or person used characteristic parts of the known code for the attack, cannot yet be proven beyond doubt.

According to CrowdStrike, the Fancy Bear software used in the attack on the Democratic Party was found in a modified form on Android mobile devices that the Ukrainian Army had been using in the war in Ukraine since 2014. To infect the devices, the attackers offered an app in Ukrainian on Internet forums that was intended to facilitate fire control for Ukrainian artillery (faster calculation of targeting data). Although this manipulated version of the original Ukrainian program appeared to function authentically, it brought no military advantage and allowed the hackers to read the location data and communications of the respective users, which unknowingly revealed the positions of the Ukrainian artillery.

In 2018, four Russian agents were exposed by the Dutch military intelligence service (Militaire Inlichtingen- en Veiligheidsdienst, MIVD) while trying to break into the OPCW's Wi-Fi network. They had parked a vehicle in a neighboring parking lot in The Hague with a Wi-Fi antenna and a laptop hidden in the trunk, which were to be used to gain access to the OPCW network. The four Russian agents, two software specialists and two support agents, had diplomatic passports, so the Dutch could not arrest them but only expel them. The equipment was confiscated. After evaluating the data, the authorities announced in October 2018 that the laptop had previously been used in Malaysia, Switzerland and Brazil. Representatives of the Russian Federation denied the allegations.

Overview of attacks attributed to the group (attack period, affected target, type of attack, effect / background, attributing person or institution):

Attack period: 2008
Affected: Several ministries of Georgia
Effect / background: Caucasus War; Russian forces advanced into Georgian territory on August 8, 2008
Attributed by: netzpolitik.org, among others

Attack period: 2009
Affected: Kavkaz Center
Effect / background: Jihadist center in Chechnya
Attributed by: FireEye

Attack period: 2014
Affected: Defense ministries of Bulgaria, Poland, Hungary and Albania
Type of attack: Systematic infiltration
Effect / background: Data flow
Attributed by: Die Zeit

Attack period: 2015-2016
Affected: Danish Ministry of Defense and Danish Ministry of Foreign Affairs
Type of attack: Hacking of email communications and servers
Effect / background: Allegedly no classified information leaked
Attributed by: The Danish Parliament's Cyber Security Center

Attack period: 2015
Affected: German Bundestag
Type of attack: Attack on and hack of MPs' computers
Effect / background: Data leakage of email communication and documents of unknown extent; the attack targeted, among others, members of the parliamentary control body for the intelligence services and members of the Bundestag with a connection to Russia
Attributed by: Federal Office for the Protection of the Constitution

Attack period: 2016
Affected: Ukrainian armed forces in action
Type of attack: Fake app Попр-Д30.apk
Effect / background: Ukrainian artillery officer Yaroslav Sherstuk developed an app for Ukrainian soldiers to accelerate target acquisition for the widespread Soviet D-30 howitzer in the Ukraine conflict. The Sofacy Group developed and distributed a replica app that sends target data and the position of the gun to the Russian side.
Attributed by: CrowdStrike

Attack period: 2016
Affected: World Anti-Doping Agency
Type of attack: Hack

Attack period: 2016
Affected: Democratic National Convention / US Democratic Party
Type of attack: Russian hacker attacks
Effect / background: A hack of the Democratic Party's communications infrastructure and false reports disrupted the 2016 US presidential campaign. In late 2016, the United States intelligence community announced that Russia had carried out an operation referred to as Grizzly Steppe.
Attributed by: FBI, among others

Attack period: 2017
Affected: Federal administration data network (Berlin-Bonn information network)
Type of attack: Malware
Effect / background: Not yet foreseeable
Attributed by: Federal government

Attack period: 2018
Affected: Wi-Fi network of the Organization for the Prohibition of Chemical Weapons (OPCW)
Type of attack: Malware
Effect / background: GRU unit was arrested and deported
Attributed by: OPCW, GRU, MIVD

Methods

Sofacy is known to make frequent use of phishing attacks, in which the targeted users are induced to enter their login credentials into a realistic-looking replica of an internal system such as webmail. This technique was used, for example, in the well-known attacks against the Georgian Interior Ministry that preceded the fighting in the 2008 Caucasus War.

In March 2016, the Federal Ministry for Digital Infrastructure warned against numerous Internet addresses that the Sofacy Group had set up to spread malware.
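As an added illustration (not from the article or from any organization it names), the following Python script shows how a defender could triage proxy logs for the two indicators this section describes: look-alike copies of an internal webmail host, and requests to a published list of attacker-controlled Internet addresses. The webmail host, the blocklist entries and the log lines are constructed placeholders.

```python
from urllib.parse import urlparse

# Assumption: the organization's genuine webmail host that a replica login page would imitate.
LEGIT_WEBMAIL = "webmail.example-ministry.gov"
# Constructed stand-in for a published list of attacker-controlled addresses.
BLOCKLIST = {"update-checker.invalid", "mail-settings.invalid"}

# Constructed proxy log lines in the form "timestamp user url".
LOGS = [
    "2016-03-01T08:01:02 alice https://webmail.example-ministry.gov/owa/",
    "2016-03-01T08:02:10 bob https://webmail.exarnple-ministry.gov/owa/",
    "2016-03-01T08:03:44 carol https://webmail.example-ministry.gov.login-portal.invalid/",
    "2016-03-01T08:05:00 dave http://update-checker.invalid/setup.exe",
    "2016-03-01T08:06:12 erin https://news.example.org/",
]

def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host, legit=LEGIT_WEBMAIL, max_dist=2):
    """True if host imitates the genuine webmail host: a near-identical spelling
    (typosquat) or the organization's name placed under a foreign registered domain."""
    reg_domain = legit.split(".", 1)[1]              # 'example-ministry.gov'
    if host == legit or host.endswith("." + reg_domain):
        return False                                  # genuinely under our own domain
    if levenshtein(host, legit) <= max_dist:
        return True                                   # e.g. 'rn' substituted for 'm'
    return reg_domain.split(".")[0] in host           # our name inside someone else's host

def triage(log_lines):
    """Return (user, host, reason) for every request to a blocklisted or look-alike host,
    so the affected users can be asked whether they entered credentials there."""
    hits = []
    for line in log_lines:
        _ts, user, url = line.split()
        host = urlparse(url).hostname or ""
        if host in BLOCKLIST:
            hits.append((user, host, "blocklist"))
        elif lookalike(host):
            hits.append((user, host, "lookalike"))
    return hits
```

Running triage(LOGS) flags bob and carol for look-alike hosts and dave for a blocklisted address, while alice and erin are left alone.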
