New Zebrocy Campaign Suggests Russia Continues Attacks on NATO
QuoINT security researchers have identified a new Zebrocy campaign targeting countries associated with the North Atlantic Treaty Organization (NATO).
Detailed for the first time in 2018, Zebrocy has been associated with the Russia-linked state-sponsored threat actor APT28 (also known as Fancy Bear, Pawn Storm, Sednit, and Strontium), which has been active since at least 2007.
While some security researchers see Zebrocy as a separate adversary, others have shown connections between various threat actors operating out of Russia, including a link between GreyEnergy and Zebrocy attacks.
The recently observed campaign, which likely started on August 5, employed the Delphi version of the Zebrocy malware and a command and control (C&C) infrastructure hosted in France, QuoINT’s security researchers reveal.
Lures employed in these attacks had a NATO-related theme, a recurring motif in APT28 campaigns — the adversary used a similar theme in attacks in 2017. The intended victim in the new attacks was a specific government body in Azerbaijan, but other NATO members or countries involved in NATO exercises might have been targeted as well.
The attackers distributed what appeared to be a JPEG image that, instead, turned out to be a ZIP archive concatenated to evade detection. The file drops the Zebrocy executable and a corrupted Excel file, likely in an attempt to lure the intended victim into executing the malware.
Once executed, the malware creates a scheduled task to regularly attempt to send stolen data to a remote domain. On machines that the C&C server appears to find uninteresting, the connection is terminated by the server.
“QuoINT concludes with medium-high confidence that the campaign targeted a specific government body, at least in Azerbaijan. Although Azerbaijan is not a NATO member, it closely cooperates with the North-Atlantic organizations and participates in NATO exercises. Further, the same campaign very likely targeted other NATO members or countries cooperating with NATO exercises,” QuoINT says.
The security researchers also note that this APT28 attack shows striking similarities with a ReconHellcat/ BlackWater attack uncovered last month: the compressed Zebrocy malware and the lure in the BlackWater attack were both uploaded on August 5 by the same user in Azerbaijan (highly likely by the same organization), the attacks happened simultaneously, and victimology is similar in both attacks.
Furthermore, the researchers point out that APT28 previously targeted both NATO and the Organization for Security and Co-operation in Europe (OSCE) — the ReconHellcat campaign was employing OSCE-themed lures — but that there’s no “strong causation link […] or solid technical link between the two attacks.”
“We assessed ReconHellcat as a high-capability APT group, like APT28,” QuoINT concludes.