Threat Intelligence

Russian APT Groups Continue Their Stealthy Operations

Pierluigi Paganini
September 8, 2017 by
Pierluigi Paganini

Russian APT groups continue their cyber espionage activities against governments and organizations worldwide, in this post I have grouped the details related the operations conducted by two of the principal Russian state-sponsored groups, Turla and APT28.

The timeline demonstrates the intense activity of both group, and unfortunately, it is just the tip of the iceberg because in many cases their campaigns go undetected for a long time.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Date Event

February 2017

BitDefender found the first MAC OS version of the X-Agent used by the APT28

February 2017

Russian cyber espionage group Turla leverages on a new JavaScript Malware

March 2017

Top German official said Germany blocked Russian APT28 cyber-attacks in 2016

March 2017

Turla hacking group continues to improve its Carbon backdoor

April 2017

Denmark blamed Russia APT28 group for cyber intrusions in Defense Ministry Emails

April 2017

Russian APT28 group also targeted French Presidential candidate Emmanuel Macron

June 2017

Russia-linked hacker group APT28 continues to target Montenegro

June 2017

Turla APT malware now retrieves C&C address from Instagram comments

August 2017

APT28 hackers are leveraging NSA Hacking tool to spy on Hotels guests

August 2017

Turla APT group adapts KopiLuwak backdoor for use in G20-themed attack


The APT 28 group (aka Pawn Storm, Sednit, SofacyFancy Bear and Tsar Team) is a Russian nation-state actor that conducted numerous cyber espionage campaigns over the years; it made the headlines last year for the cyber-attacks against the U.S. Democratic National Committee and the interference with the 2016 Presidential election.

The U.S. intelligence agencies warned in early this year that Russia was likely to target other European states in the next months, especially France and Germany that are holding major elections.

While security experts and intelligence analysts were working to uncover operations of Russian state-sponsored hackers fearing interference with forthcoming elections in several European states, security experts at BitDefender discovered a MAC OS malware.

The researchers speculated the malware was developed by the APT28 group and is a new variant of the malicious code called Sofacy or X-Agent that was used by the nation-state actor in several espionage campaigns.

The experts observed several versions of the X-Agent that were developed by the group to compromise Windows, Linux, iOS and Android OSs.

The version observed by BitDefender is the first version of the X-Agent that was developed to compromise MAC OS systems.

"APT 28 operators have upped their game – the Xagent payload now can target victims running Mac OS X to steal passwords, grab screens and steal iPhone backups stored on the Mac." reads the analysis published by Bitdefender.

The X-Agent is a backdoor with a modular structure that was most likely planted on the target machines via the Komplex downloader.

The X-Agent can load additional modules; it could be used as backdoor or to perform reconnaissance activities on the target system by gathering information of hardware and software components of the target host.

In September 2016, Palo Alto researcher Ryan Olson discovered that Fancy Bear used the Komplex trojan to target organizations in the aerospace sector that were using the MacKeeper anti-virus software.

Researchers observed that Komplex code has numerous similarities with the Carberp Trojan, but it was improved to gain access to PC and OS X systems and use the same command-and-control server.

The Komplex's C2 domain appleupdate[.]org was not used in the past by the group, while both the apple-iclouds[.]net and itunes-helper[.]net domains have direct ties to the activity of the APT 28.

"The new MAC OS X-Agent leverages domain names similar to the one used by Komplex Trojan; they only differ for the TLD. The researchers noticed identical project path strings inside both the Komplex and X-Agent samples, a circumstance that suggests the involvement of the same development team.

"Other indicators show that today's sample also reports to a C&C URL that is identical to the Sofacy/APT28/Sednit Komplex OSX Trojan, minus the TLD (apple-[*******].net for Komplex vs apple-[*******].org for Xagent)." states Bitdefender.

Summarizing, the Komplex component discovered in September 2016 has been exclusively used as a downloader and installer for the X-Agent binary.

The activity of the APT28 group appears incessant, in March 2017 a top German official told Reuters that during 2016 Germany warded off two cyber-attacks launched by the Russian APT28 group.

Arne Schoenbohm, president of the Federal Office for Information Security (BSI), revealed that the first attack occurred in May 2016, when the hackers attempted to create an Internet domain for Chancellor Angela Merkel's Christian Democratic Union (CDU) party in the Baltic region.

A second attack was spotted months later when the threat actors launched a spear-phishing campaign against German parties in the lower house of parliament, the Bundestag. Experts said that attack used a NATO domain name to try to inject malicious software into the networks of politicians.

"Experts said that attack used a NATO domain name to try to inject malicious software into the networks of politicians." reported the Reuters agency.

"Germany remains in danger in the cyber arena since we are highly digitized," Schoenbohm told Reuters in an interview. "The more we digitize, the more dependent we become on networks, the greater the risk of attack."

Schoenbohm revealed that the German Government has spent a significant effort to make its networks more resilient to cyber-attacks. The Government is conducting an awareness campaign to educate politicians and parties about how to protect their networks.

"We give them advice and help them with certain measures. However, in the end, what each party does is its own responsibility," Schoenbohm said.

The official also added that Germany is sharing information on cyber-attacks with other governments targeted by the APT28 group, including the United States and France.

In 2015, the APT28 group stole 16 gigabytes of data from the German parliament. In December the APT28 group also targeted the Organization for Security and Cooperation in Europe (OSCE) in December, the organization is a security and human rights watchdog, the attack is part of a cyber espionage operation.

"Schoenbohm said neither of the 2016 attacks targeting Germany – or a string of others he did not detail – was successful, but it was unclear to what extent political parties might have experienced security breaches." continues the Reuters.

In April 2017, another European state blames Russian hackers for a cyber intrusion; the Danish Government officially blamed the Kremlin for cyber-attacks against its Defense Ministry. Denmark reported a cyber intrusion in several Defense Ministry's email accounts; the accusation went public after the publishing by the Centre for Cyber Security on Sunday of a report that accuses a Russian APT group of a security breach that affected emails of defense ministry employees in 2015 and 2016.

"This is part of a continuing war from the Russian side in this field, where we are seeing a very aggressive Russia," Defense Minister Claus Hjort Frederiksen told Danish news agency Ritzau.

According to the Ministry, the hackers did not access classified information or military secrets:

"The hacked emails don't contain military secrets, but it is of course serious,"

According to the report, hackers belonging to the notorious APT28 group (also known as Pawn Storm, Sednit, SofacyFancy Bear and Tsar Team), were behind the attack that was part of an ongoing cyber espionage campaign that targeted the Danish Defense Ministry.

In Denmark, the Centre for Cyber Security said earlier this year that the threat against Danish authorities and companies remained "very high."

In April, security experts warned of possible interferences with the French presidential elections, in particular, they blamed the APT28 group for targeting the candidate Emmanuel Macron and staff.

The Russian cyber espionage APT28 group launched spear phishing attacks against the campaign of the French Presidential candidate Emmanuel Macron.

The APT28 group's attacks against the Emmanuel Macron 's staff used replicas of legitimate URLs and exploited the attack technique dubbed 'tabnabbing.'

"Tabnabbing is a term that was originally introduced by researcher Aza Raskin.14 He describes the attack as follows: a URL in an open tab of the browser is changed to a phishing site when simple JavaScript detects that the user has moved on to another tab or is inactive for some time. When the target believes that the phishing site is the real login site of the internet service he was using, he might re-enter his credentials on the phishing site." reads the analysis shared by Trend Micro.

Figure 1 - APT28 Targeted French Presidential Elections

The technique was used to swap inactive open tabs with an illegitimate site, in this way attackers tricked victims into providing sensitive information while thinking to visit a legitimate website.

"Pawn Storm has been using a variant of tabnabbing.15 In this attack scenario, the target gets an email supposedly coming from a website he might be interested in—maybe from a conference he is likely to visit or a news site he has subscribed to. The email has a link to a URL that looks very legitimate. When the target reads his email and clicks on the link, it will open in a new tab. This new tab will show the legitimate website of a conference or news provider after being redirected from a site under the attackers' control. The target is likely to spend some time browsing this legitimate site. Distracted, he probably did not notice that just before the redirection, a simple script was run, changing the original webmail tab to a phishing site. When the target has finished reading the news article or conference information on the legitimate site, he returns to the tab of his webmail. He is informed that his session has expired and the site needs his credentials again. He is then likely to reenter his password and give his credentials away to the attackers." states the analysis.

According to the Reuters, The National Cybersecurity Agency of France (ANSSI) confirmed the cyber-attacks against the Macron's staff but did not provide information on their source.

The Wall Street Journal reported people involved in the Macron's campaign confirmed that staffers received phishing emails, but claimed the attacks had failed.

"Mounir Mahjoubi, digital director of Mr. Macron's campaign, confirmed the attempted hacking, saying that several staffers had received emails leading to the fake websites. The phishing emails were quickly identified and blocked, and it was unlikely others went undetected, Mr. Mahjoubi said." reported the WSJ.

"We can't be 100% sure," he said, "but as soon as we saw the intrusion attempts, we took measures to block access."

A representative of En Marche! has accused Russian nation-state actors of interfering with the elections to help pro-Moscow candidates.

"On March 15, someone used the name Johny Pinch and a fake Paris street address to register the name, according to public internet records. On April 12, someone using the same information registered, the records show." continues the WSJ.

"Those addresses were both hosted on internet protocol address blocks associated with Pawn Storm, Trend Micro's Mr. Hacquebord said."

According to researchers at Trend Micro, attackers set up a fake En Marche phishing site in mid-March 2017; the researchers also spotted a phishing domain apparently set up to target the Konrad-Adenauer-Stiftung (KAS) political foundation in Germany.

On June 5 Montenegro, officially joined NATO alliance despite the strong opposition from Russian Government that threatened to retaliate.

In February, for the second time in a few months, Montenegro suffered massive and prolonged cyberattacks against government and media websites.

Researchers at security firm FireEye who analyzed the attacks observed malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy BearPawn StormStrontiumSofacySednit, and Tsar Team).

Another massive attack hit the country's institutions during October elections, amid speculation that the Russian Government was involved.

In the last string of attacks, hackers targeted Montenegro with spear phishing attacks; the malicious messages used weaponized documents pertaining to a NATO secretary meeting and a visit by a European army unit to Montenegro.

The hackers delivered the GAMEFISH backdoor (aka Sednit, Seduploader, JHUHUGIT, and Sofacy), a malware that was used only by the APT28 group in past attacks.

According to the experts from FireEye, the documents delivered the backdoor via a Flash exploit framework dubbed DealersChoice.

"NATO expansion is often viewed as a security threat by the Russian Federation, and Montenegro's bid for membership was strongly contested by Russia and the pro-Russia political parties in Montenegro," Tony Cole, vice president and chief technology officer for global government at FireEye, told journalists today." reported El Reg.

"It's likely that this activity is a part of APT28's continued focus on targeting various NATO member states, as well as the organization itself. Russia has strongly opposed Montenegro's NATO accession process and is likely to continue using cyber capabilities to undermine Montenegro's smooth integration into the alliance,"

Hackers used weaponized documents to gather information about the targets to determine which version of Flash Player it is running on the machine; then the embedded malicious code connects the C&C server to receive the appropriate Flash exploit. The exploits used in the attacks include the code to trigger the CVE-2015-7645 and CVE-2016-7855, are used to deliver GAMEFISH.

A few days ago, researchers from security firm FireEye shared findings of it investigation related an ongoing cyber espionage campaign targeting hotels in several European countries.

Also in this case experts blamed the APT28 group, they observed several attacks targeting the networks of hotels to gain access the devices of government and business travelers via the guest Wi-Fi.

The hackers targeted several companies in the hospitality sector, including hotels in seven European countries and at least one in the Middle Eastern country.

The attack chain starts with a spear phishing email sent to a hotel employee; the messages use weaponized document named "Hotel_Reservation_Form.doc." The embedded macros decode a dropper that delivers the GameFish malware. Experts noticed that the backdoor is the same used by the APT28 in a recent campaign that targeted Montenegro after the state officially joined NATO alliance despite the strong opposition from Russian Government that threatened to retaliate.

Once the hackers accessed the target network, they used the NSA-linked EternalBlue SMB exploit for lateral movements. According to the malware researchers at FireEye, this is the first time APT28 hackers had used this NSA exploit.

"APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim's network via credentials likely stolen from a hotel Wi-Fi network." reads the analysis published by FireEye.

The APT28 hackers also used the open source penetration testing tool Responder for NetBIOS Name Service (NBT-NS) poisoning.

"Upon gaining access to the machines connected to corporate and guest Wi-Fi networks, APT28 deployed Responder. Responder facilitates NetBIOS Name Service (NBT-NS) poisoning.

This technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network," continues FireEye.

The researchers reported details about an intrusion occurred in 2016, a user connected to a hotel's Wi-Fi and 12 hours later APT28 hackers used stolen credentials to access his network and his Outlook Web Access (OWA) account.

This isn't the first time hackers targeted travelers, the most important case is represented by the DarkHotel APT. The APT group targeted European hotels hosting participants in Iranian nuclear negotiations, and according to some reports, hackers spied on high-profile people visiting Russia and China.

"Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations," FireEye said. "Business and government personnel who are traveling, especially in a foreign country, must often rely on less secure systems to conduct business than at their home office, or may be unfamiliar with the additional threats posed while abroad."

Turla APT

Turla is the name of a Russian cyber espionage ATP group (also known as Waterbug, Venomous Bear, and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of victims is long and also includes the Swiss defense firm RUAG and the US Central Command.

The Turla's arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents.

In February, malware researchers at Kaspersky Lab discovered a new piece of JavaScript malware linked to the Turla APT group that was used in targeted attacks against organizations in Greece, Qatar, and Romania.

In November 2016, both Kaspersky Lab and Microsoft discovered a new JavaScript payload designed mainly to avoid detection.

The new JavaScript malware dubbed KopiLuwak was delivered to at least one victim leveraging a document containing an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus.

Figure 2 - Turla Weaponized Document

The malicious document had been sent by the Qatar ambassador's secretary, researchers from Kaspersky speculate the cyber spies may have breached the diplomatic organization's network.

"Based on the name of the document (National Day Reception (Dina Mersine Bosio Ambassador's Secretary).doc, it is presumed it may have been sent from the Qatar Ambassador's secretary to the MoFA, possibly indicating Turla already had control of at least one system within Qatar's diplomatic network." states the report published by Kaspersky.

The KopiLuwak leverages on multiple JavaScript layers to avoid detection; the malicious code gains persistence on the targeted machine by creating a registry key. Once infected a system, the malicious code is able executes a series of commands to collect information and exfiltrate data. Stolen data are temporarily stored in a file that is deleted after it's encrypted and stored in memory.

The KopiLuwak JavaScript malware is controlled through a collection of compromised websites, the IP address of those websites are hardcoded into the malicious code.

"The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and allowing the actors to run arbitrary commands via Wscript." continues the analysis.

The C&C can send arbitrary commands to the infected system using

Kaspersky Lab analyzed the malware by using the "sinkholing technique," the researchers used as a sinkhole one of the C&C domains that had expired. In this way, the experts were able to analyze the traffic from infected systems that were contacting the C&C infrastructure. With this technique, the experts discovered that one of the victims used an IP address associated with the Greek Parliament.

In March, the Russian APT group continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

Carbon is a second-stage backdoor that is used after an initial reconnaissance phase of an attack; it involves malware such as Tavdig.

Carbon, aka Pfinet, is described by the researchers from security firm ESET as a lite version of Uroburos.

The malware has several components, including a dropper, a command and control (C&C) communications element, an orchestrator, and a loader that executes the orchestrator.

The orchestrator is used to inject the C&C communications library into a legitimate process and dispatch the tasks received via the C&C library to other bots that are located on the network.

Figure 3 - TURLA Carbon Backdoor

ESET has identified several versions of Carbon compiled last year; the most recent one was compilated on October 21, 2016. The newer versions of the Carbon malware make a massive use of encryption.

Almost any component is a DLL file, except for the loader, which is an EXE file.

"The Turla group is known to be painstaking and work in stages, first doing reconnaissance on their victims' systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spear phishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack." reads the analysis shared by ESET.

"After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the user machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems."

Turla hackers use to modify their tools every time they are detected by security researchers, in the case of Carbon, the hackers changed file names and mutexes in the version 3.8 released in the summer of 2016.

Experts noticed that before the malware start communicating with C&C, it checks the infected system for the presence of packet capture software, such as Wireshark and Tcpdump.

"Before communicating with the C&C server or with other computers, the malware ensures that none of the most common packet capture software is running on the system:

  • TCPdump.exe
  • windump.exe
  • ethereal.exe
  • wireshark.exe
  • ettercap.exe
  • snoop.exe
  • dsniff.exe"

In June, security firm ESET discovered a new piece of malware used by Turla APT  in cyber-attacks that leverages comments posted to Instagram to obtain the address of its command and control (C&C) servers.

Turla APT recently targeted the websites of ministries, embassies and other organizations worldwide, in its last campaign hackers leverage social media to control their malware.

The APT has powered watering hole attacks compromising websites that are likely to be visited by targets of interest; the cyber spies injected malicious code on the websites in an effort of redirecting their visitors to a server that delivered a JavaScript tool designed for track a profile of the victim's machine.

In one case, hackers used a Firefox extension that worked as a backdoor; something similar was spotted by malware researchers at Bitdefender while analyzing the Pacifier Operation.

"Through our monitoring of these watering hole campaigns, we happened upon a very interesting sample. Some of you may remember the Pacifier APT report by BitDefender describing a spear phishing campaign with a malicious Microsoft Word document sent to several institutions worldwide. These malicious documents would then drop a backdoor. We now know that this report describes Skipper, a first stage backdoor used by the Turla gang." reads the analysis published by ESET. "That report also contains a description of a Firefox extension dropped by the same type of malicious document. It turns out we have found what most likely is an update of this Firefox extension. It is a JavaScript backdoor, different in terms of implementation to the one described in the Pacifier APT report, but with similar functionalities."

The Firefox extension used in this last campaign was spread through the website of a Swiss security company's website. The backdoor gathers information on the infected system, and it allows attackers to perform ordinary spyware actions.

The peculiarity of the backdoor is the way it obtains the address of its C&C server; it looks at a specific comment posted to a photo on Britney Spears' Instagram account.

The comment reads

"#2hot make loved to her, uupss #Hot #X,"

Figure 4 - Turla APT leverages comments on social media accounts to control their malware

Parsing the comment with a regular expression, it is possible to obtain a URL that represents the backdoor's C&C server.

The extension determines the comment to parse by computing a custom hash value that must match 183.

"The extension will look at each photo's comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment to obtain the path of the URL:

(?:u200d(?:#|@)(w)" continues the analysis.

Parsing the comment through the regex experts got the following URL:


"Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character 200d. This character is actually a nonprintable character called 'Zero Width Joiner,' normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the URL:

smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X

When resolving this shortened link, it leads to static[.] , which was used in the past as a watering hole C&C by the Turla crew." states ESET.

Experts noticed that this above URL was only accessed 17 times, which could indicate that hackers were testing the technique.

Fortunately, the APIs used by the malicious extension will no longer work in future Firefox releases, for this reason, upcoming versions of the backdoor will have to be implemented differently.

A few weeks ago, security experts at Proofpoint discovered a new espionage campaign conducted by the Turla APT that leveraged a new dropper for the KopiLuwak backdoor.

The APT group appears to be actively targeting G20 participants and those interested in its activities including politicians, member nations, and journalists.

"In this case, the dropper is being delivered with a benign and possibly stolen decoy document inviting recipients to a G20 task force meeting on the "Digital Economy." The Digital Economy event is actually scheduled for October of this year in Hamburg, Germany." states  Proofpoint. "The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers."

Researchers at Proofpoint discovered the dropper on a public malware repository; hackers are delivering it to targets via spear phishing emails that use weaponized attachment titled "Save The Date" invitation to the October G20 taskforce meeting.

The invitation is an executable Program Information File (PIG) that appears as a PDF document; it includes a set of instructions for delivering KupiLuwak. When the victim double-clicks on the PDF icon, the PIF opens the decoy document normally while in the background it delivers the backdoor.

Once installed on a system, KupiLuwak allows the attackers to control it fully.

The experts believe the decoy document is a genuine invitation to the G20 task force meeting and was likely stolen.

"As far as we are aware, this document is not publicly available and so may indicate that an entity with access to the invitation was already compromised. Alternatively, the document may have been legitimately obtained from a recipient." continues Proofpoint.

"Proofpoint researchers ascertain with medium confidence that the document is legitimate and not fabricated."

The subject of the weaponized documents used by the hackers suggests the Turla APT is gathering information related to G20 event and its participants.

Anyway, we have to consider that the samples analyzed by Proofpoint were obtained from a public malware repository and were not observed in the wild, this means that it is quite impossible to estimate the full scope and impact of the attack.

The high profile of potentially targeted individuals associated with the G20 and early reconnaissance nature of the tools involved bear further watching. We have notified CERT-Bund of this activity.


Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.