A hacking group heavily linked to the Russian government is attempting to steal U.S. Senate email login credentials and also appears to be preparing to disrupt the 2018 Winter Olympics in South Korea, according to new research by cybersecurity firms TrendMicro and ThreatConnect.
Researchers found that the group, known as “APT28,” “Fancy Bear” or “Pawn Storm,” had recently registered numerous malicious domains — some of which mimic legitimate properties related to the 2018 Olympic Games — and sent spearphishing emails to several professional winter sporting organizations, including the International Ski Federation, International Ice Hockey Federation, International Luge Federation, International Bobsleigh & Skeleton Federation and the global governing body for biathlon competitions.
Experts say this activity shows that APT28 is laying the groundwork for future operations.
In addition to TrendMicro and ThreatConnect, another cybersecurity company, FireEye, noticed APT28 making similar preparations.
“FireEye has observed a broad, likely cyber espionage operation leveraging a Winter Olympics-themed lure document against more than 100 recipients in South Korean public and private sectors as well as Olympic sporting organizations,” said Cristiana Kittner, a principal analyst with FireEye. “Given the high profile of the Olympic games and past cyber espionage campaigns which have exploited the Olympics, this activity likely represents what could be the beginning of operations.”
The news comes during a period of heightened tension between Moscow and the International Olympic Committee, after a doping scandal saw 43 Russian athletes and several other national athletics officials banned for life from the Olympics.
“As is common with any Olympic Games, there has been an increase in attacks targeting related organizations and phishing campaigns using Olympic-themed hooks,” said Mark Nunnikhoven, vice president of cloud research with Trend Micro. “The research team has seen various targets (listed below) attacked with a methodology consistent with Pawn Storm. These attacks echo Pawn Storm’s efforts targeting the World Anti-Doping Agency (WADA) in 2016.”
On Wednesday, a mysterious Twitter account touting the Fancy Bear nickname began publishing what appeared to be internal Olympics and doping-related emails belonging to the International Olympic Committee (IOC) and the World Anti-Doping Agency (WADA). The leaks were covered extensively by Russian state media.
In addition, analysts noted that throughout the latter half of 2017 and well into 2018, APT28 remained interested in hacking individuals involved with the U.S. Senate.
A report by TrendMicro released Friday also describes how APT28 registered a variety of rogue U.S. Senate websites that at first glance appear related to the legislative body. This includes a bogus email login page designed to lure staffers and lawmakers into handing over their credentials. The actual Senate email login is only accessible to users already connected to the Senate’s internal network.
“The U.S. Senate was targeted via phishing sites that were set up to look like the single sign-on services for the U.S. Senate (Microsoft’s ADFS),” said Nunnikhoven. “This is an escalation in techniques for Pawn Storm, as the ADFS system is a protected internal system. The attackers mimicked the site externally in an attempt to harvest credentials from unsuspecting staffers given the identical look of the systems.”
The fraudulent Senate website scheme began in June 2017, Nunnikhoven said. The tactic is still being used.
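Both campaigns described above rest on the same building block: newly registered domains that imitate a legitimate property, whether an Olympic federation or an internal ADFS sign-on page. The following is an added example, not code from the article or from Trend Micro, ThreatConnect or FireEye, of how a defender can triage a feed of newly registered domains against the hosts they protect. It assumes a placeholder protected host (`adfs.senate-example.gov`), two assumed brand tokens, and a constructed list of candidate domains; none of these are indicators from the report.

```python
"""Triage newly registered domains that imitate a protected sign-on host.

Added example, not the article's or any vendor's code. The protected host,
brand tokens and candidate domains below are constructed placeholders.
"""

# Assumed protected host (placeholder, not the real Senate ADFS hostname)
PROTECTED_HOSTS = ["adfs.senate-example.gov"]
# Assumed brand tokens a defender watches for in new registrations
BRAND_TOKENS = ("senate", "adfs")

# Character pairs commonly swapped in lookalike names: letter/digit pairs,
# two-letter sequences that render like one letter, and a few Cyrillic
# letters whose glyphs match Latin ones.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
    ("5", "s"), ("7", "t"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
    ("\u0440", "p"), ("\u0441", "c"),
]


def normalize_label(label):
    """Lower-case a DNS label, decode punycode, then fold confusables."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw punycode label if decoding fails
    for lookalike, plain in CONFUSABLES:
        label = label.replace(lookalike, plain)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Return (second-level label, tld). Simplification: assumes a
    single-label public suffix, so co.uk-style suffixes are not handled."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(domain, protected_hosts=PROTECTED_HOSTS, tokens=BRAND_TOKENS):
    """Return a reason string if `domain` imitates a protected host, else None.

    Checks, in order: the protected host itself (clean), same name under
    another TLD, same name after confusable folding, small edit distance,
    and finally a brand token anywhere in the name.
    """
    sld, tld = registrable(domain)
    norm_sld = normalize_label(sld)
    for host in protected_hosts:
        p_sld, p_tld = registrable(host)
        if sld == p_sld and tld == p_tld:
            return None  # the protected host or one of its own subdomains
        if norm_sld == normalize_label(p_sld):
            return "tld-swap" if tld != p_tld else "homoglyph"
        if levenshtein(norm_sld, normalize_label(p_sld)) <= 2:
            return "typosquat"
    labels = [normalize_label(part) for part in domain.lower().split(".")]
    if any(tok in label for label in labels for tok in tokens):
        return "brand-keyword"
    return None


def triage(domains, **kwargs):
    """Map each suspicious domain in `domains` to its reason; drop clean ones."""
    hits = {}
    for domain in domains:
        reason = classify(domain, **kwargs)
        if reason:
            hits[domain] = reason
    return hits


if __name__ == "__main__":
    # Constructed feed of newly registered names (placeholders, not IoCs)
    SAMPLE_FEED = [
        "adfs.senate-example.gov",   # the protected host itself
        "senate-example.com",        # same name, different TLD
        "senate-exarnple.gov",       # "rn" rendered to look like "m"
        "senat-example.gov",         # one character dropped
        "adfs-senate.org",           # brand tokens in a new name
        "example.net",               # unrelated
    ]
    for name, why in triage(SAMPLE_FEED).items():
        print(f"{name:28s} {why}")
```

The ordering of checks matters: a confusable match or a TLD swap is a stronger signal than a brand keyword, so it is reported first. The `registrable` helper deliberately ignores multi-label public suffixes; a production version would use a public-suffix list so that `senate-example.co.uk` is split correctly.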