APT28 FancyBear Targeted Germany’s Interior Ministry Throughout 2017
Target: German Interior Ministry Network
Attack Vector: Possible Phishing E-mail
Threat Actor: FancyBear
Summary: It has been reported by German security sources that a serious cyber-attack has been carried out against the servers of the country’s Interior Ministry throughout 2017, which was only discovered in December of the same year. It is believed that large quantities of data may have been obtained by the actors and authorities have suggested that APT28 (aka FancyBear, Pawn Storm, Sednit, Tsar Team and Sofacy) may be responsible.
Risk assessment summary: It is currently assessed that state-sponsored Russian actors continue to present an ongoing 2c HIGH threat to a broad spectrum of sectors. Although specific technical details of the latest breach have not been released at present, investigators have positively identified the presence of unspecified malware on the affected servers.
The fact that investigators have stated Russian actors may be responsible for the attack suggests the malware concerned may be one of the tools commonly used by APT28. The targeting of German political and intelligence entities is entirely compatible with the group’s previous activity in the country. The ability to covertly obtain intelligence from such a major player in the EU and, by implication, in the Ukraine conflict would be highly attractive to Moscow.
It is likely that the attack was initiated via a phishing email which may have contained a specifically tailored lure. If APT28 is now in possession of personal details of German Interior Ministry personnel, the group may be able to refine future phishing campaigns to mimic subject lines copied from genuine email exchanges, increasing the likelihood of subsequent breaches.
The incident does serve to illustrate that the APT threat remains constant and that the tempo of such attacks is not necessarily bound to geopolitical events on the ground, although increased military or political tensions often act as a driver for the subsequent release of hacked data.
It is recommended that all organizations ensure that system users receive sufficient training in order to understand and identify phishing emails. Additionally, the timely implementation of updates and patches cannot be over-emphasized and should always be treated as a matter of urgency, irrespective of any threat level. Monitoring of the threat environment will continue in order to identify further actionable intelligence.