Cyber Crime Group Allegedly Linked To Russia, Attacks Romanian Government

Posted: May 16, 2017

A notorious hacking group that is allegedly related to the Russian government has attempted to hack Romania's Ministry of Foreign Affairs by impersonating a NATO representative. The story was first reported by CyberScoop, which also noted that the threat actors were using a fake NATO email address to make the emails look more realistic.

The elite hacker group most commonly known as APT 28 or Fancy Bear has been active for at least ten years and has been quite busy in the past couple of months. The latest series of phishing emails connected to Fancy Bear was sent to the Romanian Ministry of Foreign Affairs, claiming to come from US Navy Captain Alistair Borchert.

The emails came with attachments that leverage a couple of recently disclosed Microsoft Word vulnerabilities, while also using a fake NATO email address to make them seem authentic. The emails contained an attachment named "Trump's_Attack_on_Syria_English.docx" that contains a copied and pasted news article. If any of the employees who received the email made the mistake of opening the attachment on a vulnerable system, it would proceed to covertly download a remote access trojan (RAT).

The RAT that the malicious documents install on the compromised system is called GameFish, and it is used by hackers to locate and exfiltrate sensitive data. It can also be used as a gateway for other malicious programs that can be remotely installed on infected devices. Cyber security company FireEye gave this RAT its name after previously finding it in other campaigns carried out by APT28.

A NATO official has commented on the incident, telling CyberScoop: "We are aware that such attacks include the use of spoofed NATO email addresses. As is common practice, whenever we detect spoofed email addresses, NATO alerts the responsible authorities in Allied countries to prevent attacks from spreading." He also added: "The hacker group APT 28 - which is also called Fancy Bear or Pawn Storm - is well known to the cyber defense community and we track its activities closely."

The statement issued by the Romanian Intelligence Service acknowledged the attack, saying: "We have identified an attempted cyber attack targeting a governmental Romanian institution. Thanks to the efficient cooperation between institutions, the attack was blocked, avoiding any damage."

The elite hacking team goes by several names, including APT28, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, STRONTIUM, Tsar Team, and Threat Group-4127. It is suspected that this notorious group has Russia's Main Intelligence Agency (GRU) as its parent organization.