SecureWorks Counter Threat Unit researchers have made a 'breakthrough' linking the notorious Iron Twilight hacking group to the Russian Government.
Iron Twilight, known as APT28, Fancy Bear, Pawn Storm, Sofacy, Strontium and Tsar Team, has been behind a number of cyber attacks against governments, militaries, NGOs, journalists, political organisations and other targets since 2009.
According to SecureWorks, the group uses spearphishing emails with malicious document attachments or links to a custom exploit kit. It targets all operating systems across PC and mobile. It also uses targeted phishing campaigns to steal webmail credentials.
The researchers have released information on the group that reportedly links it directly to Gmail phishing attacks, to campaigns surrounding the downing of Malaysian Airlines flight MH17, and most recently to the DNC/Hillary Clinton campaign breach.
In the case of Malaysian Airlines flight MH17, SecureWorks researchers say that Iron Twilight targeted the Dutch Safety Board with a phishing campaign that was designed to steal email credentials.
Another campaign targeted Bellingcat, a UK citizen journalist group that said the missile used to shoot the plane down was moved into Ukraine from Russia.
“In both incidents, the threat group’s goal appeared to be acquiring intelligence that could be potentially embarrassing to the Russian government,” the researchers claim.
Researchers also claim that Iron Twilight sent phishing emails to DNC accounts, to 108 Hillary Clinton presidential campaign accounts, and to 26 personal accounts belonging to people active in politics.
In June 2016, the DNC confirmed it had been attacked by Iron Twilight. Researchers suspect that the group then released information from the DNC under the guise of a ‘lone hacker’ to divert attention away from the actual origin.
SecureWorks researchers also noted that in June 2015, Iron Twilight conducted a phishing campaign against Gmail accounts. Thousands of users were targeted, including people in Russia and former Soviet states, military and government personnel across the US and Europe, and authors and journalists with an interest in Russia.
In another incident, Wikileaks posted emails stolen from John Podesta, then-chairman of Hillary Clinton’s presidential campaign.
Researchers say it is likely that Iron Twilight provided this information after hacking Podesta’s account in March 2016.
Some researchers speculate that Iron Twilight is part of Russia’s Main Intelligence Directorate, the GRU. While there is no direct evidence, the group’s targeting strategy does support this claim.
“Although IRON TWILIGHT became known for political targeting in 2016, evidence strongly indicates its main focus has always been gathering military intelligence to support current Russian military operations and acquiring intelligence of strategic threats. For example, documents used in a spearphishing campaign in late 2016 target NATO military personnel (see Figure 7). Russia considers NATO a strategic threat. IRON TWILIGHT’s targeting of foreign military personnel and regions where Russia is militarily active matches what CTU researchers expect from the GRU, given its remit to gather intelligence for the Russian military. Therefore, CTU researchers assess IRON TWILIGHT is probably sponsored by, or an operational function of, the GRU,” the researchers claim.