
'Iron Twilight' hacker group might be part of the Russian Government

03 Apr 2017

SecureWorks Counter Threat Unit researchers have made a 'breakthrough' linking the notorious Iron Twilight hacking group to the Russian Government.

Iron Twilight, known as APT28, Fancy Bear, Pawn Storm, Sofacy, Strontium and Tsar Team, has been behind a number of cyber attacks against governments, militaries, NGOs, journalists, political organisations and other targets since 2009.

According to SecureWorks, the group's initial access relies on spearphishing emails that carry either malicious document attachments or links to a custom exploit kit, and it targets desktop and mobile operating systems alike. It also runs targeted credential-phishing campaigns designed to harvest webmail logins.

The researchers have released information on the group which, they say, links it directly to Gmail credential-phishing attacks, to operations against investigators of the Malaysia Airlines flight MH17 shootdown, and most recently to the breach of the DNC and the Hillary Clinton campaign.

In the case of flight MH17, SecureWorks researchers say that Iron Twilight targeted the Dutch Safety Board, which investigated the crash, with a phishing campaign designed to steal email credentials.

Another campaign targeted Bellingcat, a UK-based citizen-journalist group that concluded the missile used to shoot the plane down had been moved into Ukraine from Russia.

“In both incidents, the threat group’s goal appeared to be acquiring intelligence that could be potentially embarrassing to the Russian government,” the researchers claim.

Researchers also claim that Iron Twilight sent phishing emails to DNC accounts, to 108 accounts belonging to the Hillary Clinton presidential campaign, and to 26 personal accounts belonging to people active in politics.

In June 2016, the DNC confirmed it had been compromised by Iron Twilight. Researchers suspect that the group then released the stolen DNC material under the guise of a 'lone hacker' persona to divert attention from its actual origin.

SecureWorks researchers also note that in June 2015 Iron Twilight ran a credential-phishing campaign against Gmail accounts. Thousands of users were targeted, including people in Russia and the former Soviet states, military and government personnel across the US and Europe, and authors and journalists with an interest in Russia.

In another incident, WikiLeaks published emails stolen from John Podesta, then chairman of Hillary Clinton's presidential campaign.

Researchers say it is likely that Iron Twilight supplied these emails after compromising Podesta's account in March 2016.

Some researchers speculate that Iron Twilight is part of Russia's Main Intelligence Directorate, the GRU. While there is no direct evidence, the group's targeting is consistent with that assessment.

“Although IRON TWILIGHT became known for political targeting in 2016, evidence strongly indicates its main focus has always been gathering military intelligence to support current Russian military operations and acquiring intelligence of strategic threats. For example, documents used in a spearphishing campaign in late 2016 target NATO military personnel (see Figure 7). Russia considers NATO a strategic threat. IRON TWILIGHT’s targeting of foreign military personnel and regions where Russia is militarily active matches what CTU researchers expect from the GRU, given its remit to gather intelligence for the Russian military. Therefore, CTU researchers assess IRON TWILIGHT is probably sponsored by, or an operational function of, the GRU,” the researchers claim.
