
'Iron Twilight' hacker group might be part of the Russian Government

03 Apr 2017

SecureWorks Counter Threat Unit researchers have made a 'breakthrough' linking the notorious Iron Twilight hacking group to the Russian Government.

Iron Twilight, known as APT28, Fancy Bear, Pawn Storm, Sofacy, Strontium and Tsar Team, has been behind a number of cyber attacks against governments, militaries, NGOs, journalists, political organisations and other targets since 2009.

According to SecureWorks, the group uses spearphishing emails with malicious document attachments or links to a custom exploit kit. It targets all operating systems across PC and mobile. It also uses targeted phishing campaigns to steal webmail credentials. 

The researchers have released information on the group, which reportedly links it directly to Gmail phishing attacks, Malaysian Airlines flight MH17, and recently the DNC/Hillary Clinton campaign breach.

In the case of Malaysian Airlines flight MH17, SecureWorks researchers say that Iron Twilight targeted the Dutch Safety Board with a phishing campaign that was designed to steal email credentials.  

Another campaign targeted Bellingcat, a UK citizen journalist group that said the missile used to shoot the plane down was moved into Ukraine from Russia.

“In both incidents, the threat group’s goal appeared to be acquiring intelligence that could be potentially embarrassing to the Russian government,” the researchers claim.

Researchers also claim that Iron Twilight sent phishing emails to DNC accounts, 108 Hillary Clinton presidential campaign accounts and 26 personal accounts belonging to active members in politics.

In June 2016, the DNC confirmed it had been attacked by Iron Twilight. Researchers suspect that the group then released information from the DNC under the guise of a ‘lone hacker’ to divert attention away from the actual origin.

SecureWorks researchers also mentioned that in June 2015, Iron Twilight conducted a phishing campaign on Gmail accounts. Thousands of users were targeted, including those in Russia and former Soviet states, military and government personnel across the US and Europe, as well as authors and journalists with an interest in Russia.

In another incident, Wikileaks posted emails stolen from John Podesta, then-chairman of Hillary Clinton’s presidential campaign.

Researchers say it is likely that Iron Twilight provided this information after hacking Podesta’s account in March 2016.

Some researchers speculate that Iron Twilight is part of Russia’s Main Intelligence Directorate, the GRU. While there is no direct evidence, the group’s strategy does support this claim.

“Although IRON TWILIGHT became known for political targeting in 2016, evidence strongly indicates its main focus has always been gathering military intelligence to support current Russian military operations and acquiring intelligence of strategic threats. For example, documents used in a spearphishing campaign in late 2016 target NATO military personnel (see Figure 7). Russia considers NATO a strategic threat. IRON TWILIGHT’s targeting of foreign military personnel and regions where Russia is militarily active matches what CTU researchers expect from the GRU, given its remit to gather intelligence for the Russian military. Therefore, CTU researchers assess IRON TWILIGHT is probably sponsored by, or an operational function of, the GRU,” the researchers claim.
