BERLIN -- German media are reporting that the German government discovered in December that its Foreign and Defense ministries had been penetrated by APT 28, the cyberespionage group attached to the Foreign Intelligence Agency of the Main Intelligence Directorate of the Russian Armed Forces, or GRU.
Details are expected to be forthcoming. Meanwhile, here is what we know about APT 28.
- APT 28 and its sister organization, APT 29 of the Russian FSB, were responsible for the hacking of the Democratic National Committee in 2015 and 2016. Information exfiltrated by these two groups was curated and later leaked through WikiLeaks and through a site the Russians themselves created, DCLeaks[.]com.
- The group is believed to be the same one responsible for a sustained attack on the German Parliament in 2014.
- Previous attacks on foreign computer systems by APT 28 have been followed by leaks designed to damage the target in the media, including at the World Anti-Doping Agency, France's TV5 Monde, and the Ukrainian Central Election Commission. Not all successful hacks by APT 28 are followed by such leaks.
- The German reporting indicates a malware exploit was involved. A common APT 28 approach is to send a spearphishing e-mail containing a malicious link or a document exploit. Opening it triggers a downloader, which pulls down a second stage of malware that serves as a remote access tool, allowing the hackers to maintain their access to the compromised system.
Here are two slides documenting the APT 28 methodology and known APT 28 malware tools.
As a branch of Russia's military intelligence complex, APT 28 frequently targets NATO countries and their defense sectors. Here is a list of previously identified document attachments known to contain APT 28-generated malware.
The American cybersecurity firm FireEye has published two reports on APT 28. If you are interested in this topic, I recommend reviewing them both. They can be accessed here.