Hackers behind the US Democratic National Committee (DNC) breach and several other high-profile cyberattacks had at least six zero-day exploits on hand and a custom-made exploit kit.
Confusingly, security researchers have several names for the same group of hackers behind the DNC hacks, including Sednit, APT28, Pawn Storm, Fancy Bear and Sofacy. This group, believed to be a hacking unit within Russian intelligence, counts among its trophies a devastating 2015 attack on French TV network TV5Monde, the recent WADA leaks, the DNC hacks, and a breach of the German Parliament.
The attacks on DNC and subsequent leaks to WikiLeaks prompted the US Government earlier to publicly attribute specific hacking activity to the Russian Government and accuse it of attempting to influence the current election.
Researchers at Slovakian security firm ESET today published a profile of the group’s activities and attack methods in multiple campaigns over the past two years that have affected thousands of high-value targets, often by phishing the user’s Gmail account.
These targets also included political figures and police from Ukraine, members of NATO, Russian activists, journalists, and academics, as well as the embassies of Algeria, Brazil, Colombia, Djibouti, India, Iraq, North Korea, Kyrgyzstan, Lebanon, Myanmar, Pakistan, South Africa, Turkmenistan, United Arab Emirates, Uzbekistan and Zambia.
The Sednit hackers, as ESET calls them, created fake Google login pages and would send targets phishing emails containing a shortened Bitly URL.
According to ESET, the target list was discoverable because one of the Bitly accounts used to generate the links had been left open or set to “public”. This allowed anyone to see all 4,400 URLs shortened by that account, and each shortened URL also contained the email address and name of the target.
Researchers at Dell’s SecureWorks, drawing on the same Bitly account-setting error, recently reported that the group had also targeted Hillary Clinton’s campaign staff using the same techniques.
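The identifier leak described above, as an added defender-side example that is not from ESET’s report or this article: a small Python triage routine that flags URLs which embed an e-mail address in their path, query or fragment, whether plain, percent-encoded or base64-encoded, so that a dump of shortened links can be checked for per-target phishing lures. The sample URLs and domains are constructed.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Loose e-mail pattern; good enough to spot an address embedded in a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _decodings(fragment):
    """Yield plausible decodings of one URL fragment: raw, percent-decoded, base64."""
    yield fragment
    decoded = unquote(fragment)
    if decoded != fragment:
        yield decoded
    for candidate in (fragment, decoded):
        padded = candidate + "=" * (-len(candidate) % 4)  # restore stripped '=' padding
        try:
            yield base64.urlsafe_b64decode(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            pass  # not base64, or base64 of binary junk; ignore


def embedded_identifiers(url):
    """Return the set of e-mail addresses carried in the URL's path, query or fragment."""
    parts = urlsplit(url)
    fragments = [seg for seg in parts.path.split("/") if seg]
    fragments += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    fragments.append(parts.fragment)
    found = set()
    for frag in fragments:
        for text in _decodings(frag):
            found.update(m.lower() for m in EMAIL_RE.findall(text))
    return found


def triage(urls):
    """Map each URL that exposes a target identifier to the addresses it leaks."""
    report = {}
    for url in urls:
        ids = embedded_identifiers(url)
        if ids:
            report[url] = sorted(ids)
    return report


# Constructed sample: a percent-encoded address, a base64-encoded one, and a benign link.
SAMPLE_URLS = [
    "https://accounts.google.example/ServiceLogin?continue=mail&email=jane.doe%40example.org",
    "https://login.example.net/u/" + base64.urlsafe_b64encode(b"john.smith@example.org").decode(),
    "https://news.example.com/2016/10/report",
]

if __name__ == "__main__":
    for url, ids in triage(SAMPLE_URLS).items():
        print(url, "->", ", ".join(ids))
```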
Sednit hackers had at least six zero-day exploits affecting Windows, Flash and Java at their disposal, which they could use unimpeded until each bug was patched by Microsoft, Oracle and Adobe over the course of 2015. Such a cache of zero-day exploits indicates the group was skilled and well resourced, though this isn’t surprising given the supposed links to Russian intelligence.
Not surprisingly, Sednit had also used malicious email attachments, which included two earlier zero-day exploits for Microsoft Word and Microsoft Office.
However, unusually for government hackers, they also developed an exploit kit, an automated web-attack tool that is more commonly associated with cybercriminals. ESET notes that in 2014, several websites of one Polish bank were hijacked to send visitors to a page hosting the exploit kit, which had exploits for bugs in Internet Explorer, MacKeeper, Java, Flash, and Firefox.