The search engine tapped a public malware repository
by LORENZO FRANCESCHI-BICCHIERAI
In October 2014, an American security company revealed that a group of hackers affiliated with the Russian government, dubbed APT28, had targeted Georgia and other Eastern European countries in a wide-ranging espionage campaign.
Two and a half years later, APT28 — also known as “Fancy Bear” or “Sofacy” — is a household name not just in the cybersecurity industry, but in the mainstream too, thanks to its attack on the U.S. Democratic party and the ensuing leaks of documents and emails.
Before that report by FireEye, APT28 was a well-kept secret within the cybersecurity industry. At the time, several companies were willing to share information about the hacking group. Even Google investigated it, and penned a 40-page technical report on the group that has never been published before.
This sort of document, which I obtained from two independent sources, may be a common sight in the threat intelligence industry, but the public rarely gets to see what such a report from Google looks like. The report draws from one of Google’s most interesting sources of data when it comes to malware and cybersecurity threats — VirusTotal, a public malware repository that the internet giant acquired in 2012.
Sofacy and X-Agent, the report read, referring to the malware used by APT28, “are used by a sophisticated state-sponsored group targeting primarily former Soviet republics, NATO members and other Western European countries.”
While Google's security researchers don't dwell on who is really behind these operations, they do hint, in a clever, indirect way, that they agree with the now widespread belief that APT28 works for the Russian government: the hint is in the very title of the report, "Peering Into the Aquarium."
While that might seem like an obscure title, for those who follow Russian espionage activities it's a clear reference to the headquarters of the military intelligence agency known as the GRU, or Glavnoye Razvedyvatel'noye Upravleniye, which is popularly known as "The Aquarium."
“It looks like Google researchers were well aware of Sofacy before it was publicly disclosed,” Matt Suiche, a security researcher and the founder of Comae Technologies and the OPCDE conference, told Motherboard in an online chat after reviewing the report. “And also attributed Sofacy and X-Agent to Russia before it was publicly done by FireEye, ESET or CrowdStrike.”
In its report, Google's security researchers note that APT28 attacks a large number of targets with its first-stage malware, Sofacy, but reserves the more tailored and sophisticated X-Agent, which was recently used against Ukraine's military units, for "high-priority targets."
“Sofacy was three times more common than X-Agent in the wild, with over 600 distinct samples,” Google’s report stated.
Asked for comment, a Google spokesperson said via email that the company’s “security teams are constantly monitoring potential threats to internet users, and regularly publish information to better protect them.”
The report noted that Georgia had the highest ratio of Sofacy submissions to VirusTotal, followed by Romania, Russia and Denmark.
While this report is now a bit dated, it shows that, for all its sophistication, APT28 has often been caught in the act of hacking politically interesting targets, betraying the origin of the hackers behind the dry nickname.
It also reveals how much a company like Google, which doesn't have malware-detection software installed on thousands of customers' computers, can still learn about government hacking groups thanks to the other data it has access to.
Originally published at Vice Motherboard.