The UK’s departure from the European Union appears to be the latest in a line of current affairs topics which Russian hacking group Fancy Bear — also known as APT28, Sofacy and a variety of other names — is using in an effort to trick targets into opening emails and downloading malware.
Earlier this month, the hacking operation — which is thought to have strong links to the Kremlin — was seen using phishing lures relating to the recent Lion Air crash just off the coast of Indonesia. But now cyber security researchers at Accenture have seen the group that they refer to as SNAKEMACKEREL exploiting Brexit in a campaign designed to deliver trojan malware.
It’s believed that the campaign has actively targeted government departments — particularly ministries of foreign affairs, political think-tanks, and defence organisations across Europe.
“The threat group is likely to be seeking access to insights on the latest political affairs, including confidential documents on national interests related to current news headlines such as Brexit,” Michael Yip, security principal at Accenture Security’s iDefense Threat Intelligence, told ZDNet.
Targets are sent an email with an attachment named Brexit 15.11.2018.docx. If they open it, they’re met with jumbled-up text and a claim of an error relating to the document being created in an earlier version of Microsoft Word.
Users are urged to ‘enable content’ to see what the document claims to contain — but if they follow through with this request, macros are enabled and the malicious macro code retrieves and delivers malware. The malicious payload is Zebrocy, a trojan that has previously been observed being deployed as part of cyber espionage campaigns working out of Russia.
“The use of malware families such as Seduploader, Zekapab (Zebrocy), X-Agent and X-tunnel are all key hallmarks of attacks by SNAKEMACKEREL, and the use of news headline themes for document lures are trademarks of SNAKEMACKEREL’s modus operandi,” said Yip.
Analysis of the malicious attachment also provides clues pointing towards the origin of the attacks: the document is said to have been last modified by a user called ‘Joohn’ — a name that has appeared in the file information of previous Fancy Bear campaigns. Researchers also note that the document was compiled by a company named Grizli777.
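The lure described above combines a macro-enabled document with telltale file metadata. As an added example (not code from the article or from Accenture), the following script inspects an OOXML document container for an embedded VBA project and for the two metadata indicators the researchers reported; the sample document it builds is constructed for the demonstration and is not a real lure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Metadata indicators reported for this campaign (taken from the article).
SUSPICIOUS_LAST_MODIFIED_BY = {"Joohn"}
SUSPICIOUS_COMPANY = {"Grizli777"}

# Standard OOXML namespaces for docProps/core.xml and docProps/app.xml.
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def inspect_office_document(data: bytes) -> dict:
    """Return findings for a .docx/.docm file supplied as bytes."""
    findings = {"has_macros": False, "last_modified_by": None,
                "company": None, "indicators": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # A VBA project lives at word/vbaProject.bin whatever the extension says.
        if "word/vbaProject.bin" in names:
            findings["has_macros"] = True
            findings["indicators"].append("embedded VBA project")
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            el = root.find(f"{{{CP_NS}}}lastModifiedBy")
            if el is not None:
                findings["last_modified_by"] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            el = root.find(f"{{{EP_NS}}}Company")
            if el is not None:
                findings["company"] = el.text
    if findings["last_modified_by"] in SUSPICIOUS_LAST_MODIFIED_BY:
        findings["indicators"].append(f"lastModifiedBy={findings['last_modified_by']}")
    if findings["company"] in SUSPICIOUS_COMPANY:
        findings["indicators"].append(f"Company={findings['company']}")
    return findings


def build_sample_docx(last_modified_by: str, company: str, with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real sample."""
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}">'
            f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy></cp:coreProperties>')
    app = f'<Properties xmlns="{EP_NS}"><Company>{company}</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes, not real VBA
    return buf.getvalue()
```

Feed real attachments to `inspect_office_document` from a mail gateway or sandbox pipeline; any non-empty `indicators` list is worth a closer look before the user is ever asked to ‘enable content’.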
The group has been particularly active since October and Accenture has “high confidence” that the campaign remains highly active. Given how quickly the attackers react to current affairs, it’s likely only a matter of time before they use another news event as a lure to conduct attacks.
“The speed in which fresh news headlines are used for document lures in attacks particularly highlights the group’s knowledge of foreign affairs and provides strong indications of their targeting remit,” said Yip.
Fancy Bear has been linked to a number of high-profile cyber campaigns in recent years, including the cyber attacks and disinformation as a means of interference around the US Presidential election.
It’s also thought to have conducted additional espionage campaigns against a number of nation-states and international organisations.