APT28, also known as the “Fancy bear” or “Strontium” threat group, is reportedly backed by the Russian military intelligence agency GRU and has been active since at least 2007. APT28 is famously known to target political entities for carrying out cyberespionage campaigns. One of the most highlighted episodes of their operations came back in 2016 when they hacked the U.S. Democratic National Committee’s (DNC) computer network, which resulted in an online leak of several confidential documents. However, back then the threat actors depended heavily on the spear-phishing attack vector to target their victims, but now they have evolved and added Office 365 password-cracking and credential-harvesting techniques to bust their adversary.
Tom Burt, Microsoft’s Corporate VP for Customer Security & Trust, in a blog said that the company detected a considerable spike in cyberattacks targeted towards people and organizations involved in the upcoming 2020 presidential election, which includes both Trump and Biden campaigns. Burt specifically made a mention of three threat actors that sound more like the elements of the periodic table – Strontium, Zirconium and Phosphorus.
Based on the chemical properties, Strontium is a highly reactive chemical, and the APT28 group resembles similar traits in the cyberspace. According to researchers at Microsoft’s Threat Intelligence Center (MSTIC), the Russia-based threat group has become hyperactive and already “attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants.” Their most noted primary targets include:
- U.S.-based consultants serving Republicans and Democrats.
- Think-tanks such as the German Marshall Fund of the United States and advocacy organizations.
- National and state party organizations in the U.S.
- The European People’s Party and other political parties in the U.K.
Change in Tactics
Notably, since the early days, APT28 advocated the phishing and spear-phishing technique to target its victims. However, MSTIC logged a change in tactics by the threat group in their recent campaigns. It said, “APT28 has now engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations. They also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service.”
In fact, deeper insights into the ongoing campaigns suggested that between August 18 and September 3, 2020, APT28 targeted 6,912 accounts belonging to 28 organizations of which none were successfully compromised. That is not all. The group has reportedly also evolved its infrastructure over time by adding and removing about 20 IPs per day to further mask its activity. This makes it even difficult to keep track of their malicious activities for a longer period.
The Other Two Elements
As per Burt’s blog, the other two threat groups Zirconium and Phosphorous are also targeting multiple institutions and enterprises worldwide.
Zirconium: This China-based threat group attacked high-profile individuals associated with the election campaign that includes people associated with Joe Biden’s presidential campaign and prominent leaders in the international affairs community.
Phosphorus: The Iran-based operating group continues to attack the personal accounts of people associated with Donald Trump’s presidential campaign.