Russian Hackers Use Zero-Days to Try to Get Sanctions Data

Hackers linked to the Russian government used previously unknown flaws in Microsoft Corp.’s Windows and Adobe Systems Inc.’s Flash to try to infiltrate discussions on sanctions policy, a person familiar with the attack said.

The spying scheme was detected on April 13 by U.S. cybersecurity firm FireEye Inc. and targeted an agency of an overseas government that was in discussions with the U.S. about sanctions policy. The attack was halted before the group extracted any data, the company said in a blog post Saturday.

The hacking group, which FireEye calls Advanced Persistent Threat 28, or APT28, is known for advanced cyber-attacks and its use of malware known as Sofacy. In this case, it took the unusual step of using two so-called zero-day exploits to try to infiltrate the computer systems of its victim in a highly sophisticated attack, FireEye said.

“While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous,” FireEye said in a blog post.

Adobe has released a fix for the Flash vulnerability, while Microsoft is still working on a patch for the Windows flaw, FireEye said. The Windows flaw does not affect Windows 8 and later versions.

“We believe the overall risk for customers is limited, as an adversary would need to find, and exploit, an additional vulnerability to achieve privilege escalation,” Phillip Misner from Microsoft’s security unit said by e-mail.

Cynthia Fetty, of Edelman, a spokeswoman for Adobe, didn’t immediately respond to a voicemail message left on her mobile phone.

Attack’s Detection

FireEye researchers detected the attack because the intended victim was a FireEye customer, according to the person, who asked for anonymity because the information isn’t public.

FireEye identified APT28 in a report last October, saying then that it was most likely sponsored by Russia’s government.

Russian President Vladimir Putin’s spokesman, Dmitry Peskov, dismissed the report’s findings at the time. Peskov didn’t answer after-hours calls Saturday to two phone numbers.

Zero-day vulnerabilities are highly sought after by hackers because they are flaws that the software vendor has not yet discovered or patched, so no fix exists at the time the attack begins and defenders have no immediate remedy.

APT28’s targets have included the North Atlantic Treaty Organization’s special operations headquarters, the governments of Poland and Hungary, and the ministries of defense and internal affairs in Georgia, which fought a war with Russia in 2008, FireEye’s October report said.

A spokesman for the U.S. State Department declined to comment on the attack FireEye reported on Saturday. He referred instead to a March 9 briefing by Jen Psaki, now White House communications director. At that briefing Psaki said that the department dealt with thousands of cyber-attacks every day.