AS DANGEROUS AS they may be, the Kremlin-linked hacking group known as APT28, or Fancy Bear, gets points for topicality. Last year, the group hacked the Democratic National Committee and the Clinton campaign with shrewd, politically savvy timing. Now, those same hackers seem to be exploiting last week’s ISIS attack in New York City to advance their espionage tactics again, using a freshly exposed vulnerability in Microsoft’s software.
On Tuesday, researchers at McAfee revealed that they’ve been tracking a new phishing campaign from the Russia-linked hacker team. Security researchers have recently shown that a feature of Microsoft Office known as Dynamic Data Exchange can be exploited to install malware on a victim’s computer when they simply open any Office document. McAfee now says APT28 has used that DDE vulnerability since late October. And while the targets McAfee has detected so far are in Germany and France, the hackers have been fooling victims into clicking with file names that reference US-focused topics: both a US Army exercise in Eastern Europe known as SabreGuardian and last week’s ISIS truck attack that killed eight people on a Manhattan bike path.
Hacker groups using news events as lures is a well-worn tactic, says Raj Samani, chief scientist at McAfee. But he says that he’s struck by the prolific, state-sponsored hacker group’s combination of those news references with a just-released hacking technique. McAfee detected Fancy Bear’s use of Microsoft’s DDE feature going back to October 25th, a little over a week after the security research community first noted that it could be used to deliver malware.
“You’ve got an active group tracking the security industry and incorporating its findings into new campaigns; the time between the issue being reported and seeing this in the wild is pretty short,” Samani says. “It shows a group that’s keeping up to date with both current affairs and security research.”
Microsoft’s DDE feature is designed to allow Office files to include links to other remote files, like hyperlinks between documents. But it can also be used to pull malware onto a victim’s computer when they merely open a document, and then click through an innocuous prompt asking them if they “want to update this document with data from the linked files?”
The APT28 hackers appear to be using that technique to infect anyone who opens attachments with names like SabreGuard2017.docx and one referencing the Manhattan truck attack. In combination with the scripting tool PowerShell, they install a piece of reconnaissance malware called Seduploader on victims’ machines. They then use that initial malware to scope out their victim before deciding whether to install a more fully featured piece of spyware, one of two tools known as X-Agent and Sedreco.
According to McAfee, the malware samples, the domains of the command-and-control servers that malware connects to, and the targets of the campaign all point to APT28, a group believed to be working in the service of Russia’s military intelligence agency GRU. That brazen and politically attuned hacking team has been tied to everything from the intrusions into the DNC and the Clinton campaign to the penetration of the World Anti-Doping Agency to Wi-Fi attacks that used a leaked NSA hacking tool to compromise high-value guests across hotels in seven European capitals.
As APT28 exploits the latest Microsoft Office hacking technique in a new campaign, Microsoft itself has said that it has no plans to alter or patch its DDE function; it considers DDE a feature that’s working as intended, not a bug, according to a report from security news site Cyberscoop. When WIRED reached out to Microsoft Tuesday, the company noted that the DDE attack only works when Windows’ Protected Mode setting is disabled, and only if the user clicks through the prompts that the attack requires. “As always, we encourage customers to use caution when opening suspicious email attachments,” a Microsoft spokesperson writes.
McAfee’s Samani says that means the latest APT28 campaign serves as a reminder that even state-sponsored hacking teams don’t necessarily depend on or use only the “zero day” vulnerabilities—secret flaws in software that the product’s developers don’t yet know about—that are often hyped in the security industry. Instead, astute hackers can simply learn about new hacking techniques as they arise, along with the news hooks to lure victims into falling for them.
“They’re keeping up to date with the latest security research that comes out, and when they find these things, they incorporate them into their campaigns,” says Samani. And they’re not above incorporating the latest violent tragedy into their tricks, either.