Symantec uncovers new activity from APT28
Symantec research reveals the espionage group APT28 has returned to covert intelligence operations designed to stay in
the shadows. The group is associated with the 2016 election and WADA cyber-attacks and was previously linked to the
Russian government by the FBI and DHS.
Symantec has observed APT28 targeting a range of military groups and governments across the globe since 2017 and into
2018 to gather intelligence. The organisations include a well-known international organisation, military targets and
governments in Europe, a government of a South American country, and an embassy belonging to an Eastern European
country.
Additional key findings include:
• Possible links to other espionage attack groups: Symantec observed some overlap between the C&C infrastructure used by APT28 and the C&C infrastructure used by Earworm, an attack group also known as Zebrocy that is involved in intelligence-gathering operations against military targets in Europe, Central Asia and Eastern Asia. Earworm uses spear-phishing emails to compromise its targets and infect them with two malware tools: Trojan.Zekapab and Backdoor.Zekapab.
• Primary malware is Sofacy: APT28 uses Trojan.Sofacy to perform basic reconnaissance on an infected computer and to download further malware. Backdoor.SofacyX is a second-stage piece of malware, capable of stealing information from the infected computer.
For more information, visit Symantec’s blog. Let me know if you have any questions or are interested in speaking with a Symantec expert to learn more.