Russian Malware Uncovered By FireEye With Hint Of Government Backing

FireEye has found an advanced persistent threat [APT] group that it thinks is sponsored by the Russian government and has been collecting information from defence and geopolitical intelligence targets in Europe.

“Despite rumours of the Russian government’s alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage,” said Dan McWhorter, FireEye VP of Threat Intelligence. “FireEye’s latest advance persistent threat report sheds light on cyber espionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks.”

The report, entitled “APT28: A Windows into Russia’s Cyber Espionage Operations?”, found that the group of Russian developers and operators has been trying to collect information from the Republic of Georgia, various governments and militaries in Eastern Europe, and European security organisations.

FireEye links the malware of APT28 to a government sponsor in Moscow that would suggest the Russian government is backing its focused operations and could eventually benefit from the information.

It goes on to state that APT28 doesn’t conduct intellectual property theft for monetary gain and instead focuses on pilfering intelligence that would be useful for a government.

The malware sample collected by FireEye suggests the developers speak Russian and work during business hours consistent with time zones in Russia’s major cities including Moscow and St. Petersburg.

Earlier this year GData also identified a new piece of malware known as “Uroburos” that it claimed had something to do with Russia due to its complex nature, the presence of Cyrillic language and various other factors.

Image Credit: Flickr (Egor Federov)