Fancy Bear shows interest in the US energy sector.
WIRED reports that APT28 (also known as Fancy Bear), a unit of Russia's GRU military intelligence agency, has been running "a broad hacking campaign against US targets" from December 2018 until at least May 2020. An FBI notification obtained by WIRED stated that the threat actor has been targeting "a wide range of US based organizations, state and federal government agencies, and educational institutions." The FBI didn't disclose which entities were targeted, but researchers at Dragos observed that one of the APT28 IP addresses listed in the alert also appeared in a Department of Energy advisory issued earlier this year. That advisory said the IP address had been used to probe login portals belonging to a US energy entity on Christmas Eve last year.
WIRED notes that, while another GRU unit (tracked as "Sandworm") has historically been very active against the energy sector, APT28 hasn't previously focused on this area. Dragos's Joe Slowik told the publication, "Just given what we understand about how APT28 operates and its typical victimology, identifying that group interacting with the US energy sector would be substantially different from how this group has behaved previously." He added, "This is a concerning data point. It’s the first time in a while that this group has targeted US critical infrastructure."
Lazarus Group refines its capabilities.
Researchers at Kaspersky say North Korea's Lazarus Group has put "significant resources" into improving its toolset over the past two years, CyberScoop reports. The security firm analyzed an "advanced malware framework," dubbed "MATA," which the Lazarus Group has used against various industries in Poland, Germany, Turkey, South Korea, Japan, and India. Specific targets have included "a software development company, an e-commerce company, and an internet service provider." The group has been using MATA since at least April 2018.
MATA is designed to run on Windows, macOS, and Linux. Kaspersky observed the malware being used primarily to exfiltrate databases, but in at least one case it delivered the VHD ransomware to a victim's network, suggesting that the attackers are using the tool for both espionage and financial gain.
Kaspersky researcher Seongsu Park told CyberScoop, "This series of attacks indicates that Lazarus was willing to invest significant resources into developing this toolset and widening the reach of organizations targeted — particularly in hunting for both money and data. Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on."