After adapting their code, a group of Russian-government-linked hackers last month launched a phishing campaign against embassies and foreign affairs ministries of countries in Eastern Europe and Central Asia, researchers said Tuesday.
The hackers, dubbed Sednit by Slovak cybersecurity company ESET, haven't been too discreet in their attempts to breach the diplomatic organizations: No fewer than six malicious packages of code are dropped on the target computer before the payload is executed, ESET researchers said in a blog post. Each of those bursts of activity is an opportunity for the target organization to detect the hackers.
The malware takes screenshots of target desktop computers. The end goal is dropping a malicious “backdoor” on the computer that allows the attackers persistent access.
The hackers seem to be implementing their malicious code in various programming languages to try to avoid being detected, according to ESET. “It’s probably easier that way and it means they do not need to change their entire [tactics, techniques, and procedures],” the researchers wrote.
ESET researchers did not say how successful the hackers were in breaching their targets. The researchers could not be reached for comment by press time.
“[It] seems like the group has to fulfill their ROI, metrics, and targets for Q4,” Vitali Kremez, an independent security researcher, told CyberScoop. “[It] makes sense to see them” active again, he added.
Sednit, the name ESET uses for the group other vendors track as APT28 or Fancy Bear, is, of course, hardly the only Moscow-linked hacking group to aggressively go after government targets: Turla, a group reportedly operating under the umbrella of Russia's Federal Security Service (FSB), is known for its dedicated focus on diplomatic and military organizations. Nor is this the group's first such campaign. Last October, cybersecurity company Symantec revealed that Fancy Bear, reportedly backed by Russia's GRU military intelligence agency, had targeted government organizations in Europe and South America.
Zebrocy, the name cybersecurity company Kaspersky uses for the subgroup and toolset behind this activity (ESET folds it under Sednit), has been described by Kaspersky researchers as "profiling and access specialists." In other words, its operators are responsible for gaining initial access to a target and then handing that access off to another team of Russian hackers.
But collaboration between the Kremlin’s hacking teams often only goes so far. A new study from Check Point Software Technologies and Intezer of 2,000 malware samples used by suspected Russian state-sponsored hackers found that the Russian groups do not share code “the vast majority of times.”
“By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations, preventing a sensitive house of cards from collapsing,” the Check Point researchers hypothesized.