APT28 targeted Montenegro’s government before it joined NATO, researchers say

As Montenegro preprepared to join NATO amid growing tensions in the region driven by Russia’s incursion into Ukraine, a hacking group linked to Russian intelligence was actively engaged in a cyber-espionage campaign against Montenegrin government officials, according to U.S. cybersecurity firm FireEye.

The findings underscore Russia’s ongoing efforts to impact the political process in foreign countries through the use of a hacking group better known as APT28 or Fancy Bear. The Office of the Director of National Intelligence produced an unclassified report in January linking APT28 to the Russian government.

Analyst Ben Read told CyberScoop that FireEye had found two different malicious Microsoft Word document attachments between January and February that carried signs of APT28 authorship and were specifically designed to be combined with phishing emails sent to the Montenegro government. The titles of the weaponized documents described a “schedule for a european military transfer program” and the “schedule for a NATO secretary meeting,” Read said.

When opened, the booby-trapped attachments called back to a command-and-control infrastructure to load a flash exploit framework — first identified and dubbed DealersChoice.B by security researchers at Palo Alto Networks — which is commonly associated with APT28. No other group is believed to have access to either DealersChoice.B or the malware it uploaded in this specific Montenegro case, which is called GameFish. GameFish is a “stage one” trojan that offers the hacker wide access to a targeted computer, including data exfiltration, key logging and other surveillance capabilities, said Read.

The Adobe Flash exploit framework deployed in this operation, as well as GameFish, have both been used by APT28 against other European governments in recent months, Read said.

Read could not confirm whether these email-based attacks were in fact successful.

The Montenegro Ministry of Foreign Affairs did not respond to a request for comment. NATO declined to address the aforementioned operation, but acknowledged that cyberattacks aimed at the alliance are “becoming more frequent, intense and sophisticated.” Montenegro is NATO’s 29th member.

Read said FireEye was able to attribute APT28 to the recent Montenegro phishing scheme with “high confidence.” APT28 is perhaps best known for hacking into the Democratic National Committee in 2016.

“NATO expansion is often viewed as a security threat by the Russian Federation, and Montenegro’s bid for membership was strongly contested by Russia and the pro-Russia political parties in Montenegro,” Tony Cole, vice president and chief technology officer for Global Government at FireEye, told reporters Tuesday during a media briefing from Brussels, Belgium. “It’s likely that this activity is a part of APT28’s continued focus on targeting various NATO member states, as well as the organization itself.”

He added, “Russia has strongly opposed Montenegro’s NATO accession process and is likely to continue using cyber capabilities to undermine Montenegro’s smooth integration into the alliance. Montenegro’s accession could increase cyber threat activity directed toward NATO, and provide additional avenues for adversaries like Russia to illicitly access NATO information.”

In May, CyberScoop first reported that APT28 had effectively spoofed a NATO email address to send phishing emails to the Romanian Ministry of Foreign affairs. The ministry later confirmed the attacks, claiming it had successfully stopped associated computer viruses from infecting local computers.

The Russian government promised “retaliatory actions” after NATO sent Montenegro an informal invite to join the alliance in December, according to The Guardian. Montenegro official joined NATO on Monday.

FireEye’s newly released research underscores a period of heightened tensions between Montenegro and Russia.

Earlier this year, Montenegrin Prime Minister Dusko Markovic denounced domestic opposition parties, some of which seek improved relations with Russia, who disagreed with the country’s NATO accession. Following those comments by Markovic, several of the country’s government organizations and media outlets were targeted with intermittent distributed denial-of-service attacks. Attribution for those DDoS attacks remains unclear.

In addition, Montenegro’s justice system remains actively involved in an investigation into an attempted Oct. 16 coup during the country’s most recent elections, which allegedly included participation from Russian intelligence agents.

A statement sent to CyberScoop from a NATO spokesperson reads: “With regard to Montenegro, any outside attempts to interfere with democratic elections — whether through hacking, propaganda, or otherwise, are completely unacceptable. Montenegro is still in the process of conducting an investigation into the events surrounding last October’s election. It is for the Montenegrin authorities to announce their findings. And we have full confidence in them.”