Czech Republic Blames Russia for Yearlong Email Breach

The Czech government’s Security Information Service (BIS) revealed in a report that hackers associated with the Russian government are responsible for an email breach, compromising the email system of the country’s Ministry of Foreign Affairs (MFA) and reading sensitive communications for more than a year.

According to the new report, which covers the agency’s activity last year, the email breach was discovered in early 2017, but the attackers had been active in the ministry’s system since at least the beginning of 2016.

“The MFA electronic communication system had been compromised at least since the beginning of 2016 when the attackers accessed more than 150 mailboxes of the MFA staff and copied emails, including attachments,” the agency said. “They thus obtained data that may be used for future attacks, as well as a list of potential targets in virtually all the important state institutions.”

The attackers focused on accessing the mailboxes of top ministry representatives, accessing them repeatedly over a long period of time. A second email breach, dating from December 2016, also targeted hundreds of mailboxes from the same ministry by using brute-force password guessing techniques.

The BIS believes the two email breaches were not directly related but is confident that Turla and APT28/Sofacy were behind them. These two groups are associated with Russia’s FSB and GRU intelligence services, respectively.

The agency also detected attacks from APT28 that compromised mailboxes belonging to people linked to the Czech Ministry of Defense and the country’s army. One system belonging to the Ministry of Defense was infected with X-Agent, APT28’s main Trojan.

The APT28 attacks mainly targeted officials involved in military diplomacy who were deployed in Europe, and were similar to a spear-phishing campaign that targeted European arms companies and the border security service of an EU nation.

The attackers didn’t manage to obtain classified data in the email breaches but did obtain personal and other sensitive information that could be used to launch further attacks, the agency said.

Microsoft Confirms Attack Against Think Tanks and Research Centers

Microsoft has confirmed that a recent phishing attack that impersonated individuals working for the U.S. Department of State targeted think tanks and research centers, along with educational institutions and companies from the oil and gas, chemical and hospitality industries.

The attack, observed in November by CrowdStrike and FireEye and reported by Reuters, was originally attributed to APT29, a cyberespionage group believed to be associated with the Russian Foreign Intelligence Service (SVR).

“Third-party security researchers have attributed the attack to a threat actor named APT29 or CozyBear, which largely overlaps with the activity group that Microsoft calls YTTRIUM,” Microsoft said in a new report. “While our fellow analysts make a compelling case, Microsoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM.”

The company, however, revealed that the phishing attacks masqueraded as file-sharing notifications from its OneDrive service. The targets were spread globally, but the majority of them were located in the United States, particularly in and around Washington, D.C.

The emails distributed a ZIP archive with a malicious LNK file inside, which, when opened, executed a PowerShell command. The command extracted a second PowerShell script in the form of an obfuscated payload from the LNK file and executed it. This second script extracted additional resources from the LNK file, namely a decoy PDF file and a first-stage malware implant called cyzfc.dat.
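One defensive check that follows from this chain, added here as an example that is not part of the original article or of Microsoft's report: inspect a ZIP attachment for LNK files that are far larger than an ordinary shortcut (a shortcut carrying a decoy document and an implant has to store them somewhere) and whose string data names a script host such as PowerShell. The ShellLink header magic comes from the public file format; the 64 KB size threshold, the list of script hosts and the constructed sample archive are assumptions.

```python
import io
import re
import zipfile

# ShellLinkHeader: HeaderSize 0x0000004C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
OVERSIZE_BYTES = 64 * 1024  # assumed threshold; a benign shortcut is usually a few KB
SCRIPT_HOSTS = ["powershell", "cmd.exe", "mshta", "wscript", "cscript"]

def host_pattern() -> re.Pattern:
    """Match script-host names as ASCII or UTF-16LE, since LNK string fields are usually UTF-16LE."""
    alts = [re.escape(h.encode()) for h in SCRIPT_HOSTS]
    alts += [re.escape(h.encode("utf-16-le")) for h in SCRIPT_HOSTS]
    return re.compile(b"|".join(alts), re.IGNORECASE)

HOST_RE = host_pattern()

def inspect_lnk(data: bytes) -> list:
    """Return heuristic findings for one .lnk blob; an empty list means nothing notable."""
    if not (data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID):
        return ["not a ShellLink file despite .lnk name"]
    findings = []
    if len(data) > OVERSIZE_BYTES:
        findings.append(f"oversized LNK ({len(data)} bytes): possible embedded payload")
    hit = HOST_RE.search(data)
    if hit:
        host = hit.group(0).replace(b"\x00", b"").decode("ascii", "ignore").lower()
        findings.append(f"launches script host: {host}")
    return findings

def scan_zip(zip_bytes: bytes) -> dict:
    """Inspect every .lnk inside a ZIP in memory, without extracting anything to disk."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                report[info.filename] = inspect_lnk(zf.read(info))
    return report

def build_sample_zip() -> bytes:
    """Constructed sample, not a real artifact: a ZIP holding one oversized LNK naming powershell.exe."""
    lnk = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56        # remainder of the 76-byte header, zeroed
    lnk += "powershell.exe -NoProfile".encode("utf-16-le")
    lnk += bytes(range(256)) * 400                          # ~100 KB of filler standing in for embedded resources
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Document.pdf.lnk", lnk)
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
```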

The multi-stage attack continued with additional payloads, one of which was an instance of Cobalt Strike, a commercially available penetration testing tool that has also been abused by cybercrime groups in the past.

“CobaltStrike is a feature-rich penetration testing tool that provides remote attackers with a wide range of capabilities, including escalating privileges, capturing user input, executing arbitrary commands through PowerShell or WMI, performing reconnaissance, communicating with C&C servers over various protocols, and downloading and installing additional malware,” the Microsoft researchers said in their report, which details the infection chain.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42