Malicious software designed to steal sensitive information from businesses and foreign governments is made in Russia and supported by the Russian government, a security research firm reported Tuesday.
The group behind the malicious software, or malware, has been identified as APT28 and has links to a “government sponsor based in Moscow,” Dan McWhorter, FireEye vice president of Threat Intelligence, wrote in a blog post discussing the report. APT28 has been targeting “privileged information related to governments, militaries and security organizations,” for at least seven years, he wrote.
Malware and computer viruses have been a problem since the earliest days of the personal computer, but government-sponsored malware is still rare. One of the best-known pieces of government-made malware is Stuxnet, which the US used to attack Iranian nuclear enrichment facilities.
Maintaining the kind of sustained attack from APT28 that FireEye describes is no easy feat, explained Kenneth Geers, former FireEye analyst and current ambassador for a NATO group tasked with improving international cooperation in combating cyberthreats. “Only nation-states can afford this kind of long-term, mission-oriented, organizational approach to hacking,” he told CNET. “Target selection,” he said, meaning who the malware is aimed at, “betrays the perpetrators. Cyber defense must include geopolitical contextual analysis.”
Mikko Hypponen, a security analyst at F-Secure with decades of experience, said in February that government-sponsored malware is unusual and few countries are actively making malware. This isn’t the first time Russia has been accused of using malware to infiltrate foreign governments or businesses for intelligence-gathering. German security firm GData said in February that the Russian government was responsible for the .
The Russian consulate in San Francisco did not return a request for comment.
While FireEye’s malware analysis has provided a view into Russia’s cyber-espionage tactics, it found no direct evidence of Russian government involvement. However, the circumstantial evidence is strong, McWhorter said.
The code behind the malware, FireEye said, proved that its developers speak Russian and work on the malware during the “business hours” of the time zones of major Russian cities such as Moscow and St. Petersburg. There is also evidence that the malware has been developed with an eye toward flexibility, long-term use, and hindering the reverse-engineering efforts that could be used to disable it or trace its origins, McWhorter said.
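The “business hours” observation above is one of the standard circumstantial signals in malware attribution: build timestamps recovered from a family’s samples are shifted into candidate time zones and checked for clustering in a working week. The following is an added illustration of that analysis and is not FireEye’s code or method; the article does not say how FireEye derived its timing data, so the use of compile timestamps, the 09:00–18:00 Monday-to-Friday working window, the UTC offsets tried, and the timestamps themselves are all assumptions constructed for the example (the sample times are invented and are not APT28 data).

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable

# Constructed sample: UTC build timestamps, of the kind that can be read from
# PE headers of a malware family's samples. These values are invented for the
# example and are NOT real APT28 data.
SAMPLE_COMPILE_TIMES_UTC = [
    "2013-03-04T07:12:41",  # Monday
    "2013-03-05T11:30:02",  # Tuesday
    "2013-03-06T13:45:19",  # Wednesday
    "2013-03-07T06:05:55",  # Thursday
    "2013-03-08T12:20:33",  # Friday
    "2013-03-09T08:00:10",  # Saturday
    "2013-03-11T14:50:47",  # Monday
    "2013-03-12T20:30:08",  # Tuesday (evening in most of Europe)
]


def business_hours_fraction(
    timestamps_utc: Iterable[str],
    utc_offset_hours: int,
    start_hour: int = 9,
    end_hour: int = 18,
) -> float:
    """Fraction of timestamps that fall Monday-Friday, start_hour <= hour < end_hour,
    after shifting each UTC timestamp into a zone at the given fixed offset.

    The working window is an assumption for this example; a real analysis would
    also account for local holidays and historical offset changes (Moscow, for
    instance, used UTC+4 between 2011 and 2014 and UTC+3 otherwise).
    """
    stamps = list(timestamps_utc)
    if not stamps:
        return 0.0
    shift = timedelta(hours=utc_offset_hours)
    in_window = 0
    for raw in stamps:
        local = datetime.fromisoformat(raw) + shift
        is_weekday = local.weekday() < 5  # Monday == 0 ... Friday == 4
        if is_weekday and start_hour <= local.hour < end_hour:
            in_window += 1
    return in_window / len(stamps)


def offset_profile(
    timestamps_utc: Iterable[str],
    offsets: Iterable[int] = range(-12, 15),
) -> Dict[int, float]:
    """Map each candidate UTC offset to the business-hours fraction it yields."""
    stamps = list(timestamps_utc)
    return {off: business_hours_fraction(stamps, off) for off in offsets}


def best_fit_offset(timestamps_utc: Iterable[str]) -> int:
    """Return the candidate offset whose working window captures the most builds.

    The result is only a lead: compile timestamps are attacker-controlled fields
    and can be forged or zeroed, so this signal is corroborating, not proof.
    """
    profile = offset_profile(timestamps_utc)
    return max(profile, key=profile.get)


if __name__ == "__main__":
    for off, frac in sorted(offset_profile(SAMPLE_COMPILE_TIMES_UTC).items()):
        print(f"UTC{off:+d}: {frac:.2f} of builds inside the assumed working week")
    print("best-fit offset:", best_fit_offset(SAMPLE_COMPILE_TIMES_UTC))
```

On the constructed sample the working-week fraction peaks at UTC+3 and is far lower at a US East Coast offset, which is the shape of the argument the article describes. The caveat a practitioner would attach is the one the article itself makes: timing and language artifacts are circumstantial, they can be planted, and they are weighed alongside target selection and infrastructure rather than on their own.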
Organizations targeted by the malware group include NATO, the Polish government and a journalist covering the Caucasus region.
Update, 2:39 p.m. PT: Adds comment from Kenneth Geers.