The cyber gang called Sednit, also known by the names Fancy Bear, APT28, Pawn Storm and Sofacy, and widely believed to be behind the controversial Democratic National Committee (DNC) hack, has been found to have targeted over 1,000 high-profile individuals across the globe. Security researchers have also uncovered that the hacker group, which in the past has been linked to cyberattacks on the German parliament and a French TV network, has also targeted Nato officials, Ukrainian leaders and Russian dissidents, among others.
Researchers at cybersecurity firm ESET, in part 1 of their research into the threat group, a paper titled "En Route with Sednit: Approaching the Target", found that Sednit, which has been active since 2004, targeted nearly 1,888 individuals between 16 March and 14 September 2015.
The researchers also noted that most of Sednit's attacks occurred on Mondays or Fridays. The level of sophistication observed in the group's campaigns has led the researchers to agree with previous theories, which held that Fancy Bear is likely a state-sponsored hacking group.
The ESET researchers also uncovered that Sednit members appeared to be active during a specific time of day, coinciding with normal office hours. "Interestingly, the distribution of the hours matches the working hours from 9 am to 5 pm in UTC+3 time zone, with sometimes some activity in the evening," the researchers said.
Sednit used phishing emails, malware-infected fake websites and more
Sednit was found to be using phishing emails to steal targets' credentials. Targets were sent phishing emails that redirected them to fake login pages, where potential victims were duped into entering their usernames and passwords. Sednit's phishing campaigns also made use of social engineering techniques to convince targets that the email they had received required urgent action, in the hope that potential victims would hastily click on a malicious link without considering security protocols.
The ESET researchers highlighted one particular instance of Sednit sending an email containing a malicious attachment to an unspecified target. The mail was designed to appear to come from the Ukrainian Academic Union and claimed to contain information about "relations between Russia and the EU". The malicious RTF attachment exploited a vulnerability and functioned as a malware dropper, further infecting the target's computer.
Sednit was also found to have created fake malware-laced websites, specifically designed to lure victims into clicking on malicious links by displaying "headlines of legitimate news articles". Moreover, in 2015 alone, Sednit exploited nearly six zero-day vulnerabilities in Windows, Adobe Flash and Java.
Who has Sednit targeted?
The ESET researchers found that most of Sednit's targets appeared to be individuals, the majority of whom had Gmail addresses. However, the researchers also found that Sednit targeted embassies belonging to numerous countries across the globe, including those belonging to Algeria, Brazil, Colombia, Djibouti, India, Iraq, North Korea, Kyrgyzstan, Lebanon, Myanmar, Pakistan, South Africa, Turkmenistan, the United Arab Emirates, Uzbekistan and Zambia.
The ministries of defence in Argentina, Bangladesh, South Korea, Turkey and Ukraine were also targeted by the threat actors.
Among Sednit's individual targets were political leaders and police chiefs of Ukraine, high-profile members of Nato institutions and members of Russia's People's Freedom Party.
"Shaltay Boltai", an anonymous Russian group known for releasing private emails of Russian politicians, Russian political dissidents, Eastern European-based journalists, Chechen institutions and international academics visiting Russian universities, was also among those targeted by Sednit.
ESET's upcoming additional two-part detailed analysis of the threat group is slated to discuss Sednit's various custom malicious programs, backdoors and rootkits, all designed to enhance the group's cyberspying abilities.