APT28 Uses DealersChoice To Target European Government Entities
Target: UK Government & Defence linked Entities
Attack Vector: Phishing Campaign / DDoS
Threat Actor: APT28
Summary: On 12th and 14th March 2018, a European government agency was targeted by the Russian state-sponsored group APT28, aka @FancyBear and Sofacy, via a phishing e-mail utilising an updated version of its DealersChoice attack technique.
The spear-phishing e-mail carried the subject header “Defence & Security 2018 Conference Agenda” and an attachment named “Defence & Security 2018 Conference Agenda.docx”. The document reproduced a genuine conference agenda which APT28 had simply copied from the Underwater Defence & Security 2018 Conference website in order to lend authenticity to the e-mail. This method was consistent with an earlier APT28 phishing attack against the 2017 CyCon conference in Washington DC, in which the threat actors directly copied imagery from the organiser’s event webpage to create a similar illusion of authenticity.
Risk assessment summary: Given current political tensions, it is assessed that Russian state-sponsored actors continue to present a 2b HIGH threat to UK organisations. Although the primary focus is likely to be government and defence sector targets, it is probable that telecommunications organisations which provide services to these sectors will be considered legitimate targets.
Although cyber espionage and the harvesting of data remain the most probable threat, escalation attacks against critical infrastructure such as power, transport and health cannot be ruled out, particularly if diplomatic relationships continue to deteriorate.
The overwhelming success of President Putin in the election will also have strengthened his hand internally, although his desire to ensure the forthcoming World Cup is a success may act as a restraining factor on him and the ‘patriotic hacker’ supporters. However, the DDoS attack against the CEC is likely to be met with some form of retaliatory response and the UK would seem the logical target for this.
Whilst the DealersChoice attack comes at a politically sensitive time, this could simply be coincidental as the nature of the attack is entirely consistent with ongoing Russian APT activity and could be unrelated to the Skripal poisoning incident. However, it does serve to illustrate how these actors present a sophisticated and adaptive threat, and it should still be assumed that APT28 / APT29 and affiliated actors will be focusing their main effort against the UK. All previous intelligence reporting and recommendations remain valid and monitoring of the threat environment will continue for further actionable intelligence.