The Russian Bear, a symbol deeply ingrained in Russian culture, is often associated with the Eurasian brown bear. This majestic creature, known for its immense strength and solitary nature, embodies the vast and untamed landscapes of Russia. From the dense forests of Siberia to the remote wilderness of Kamchatka, the Russian Bear roams freely, captivating imaginations and evoking a sense of awe and respect.

APT28, also known as Fancy Bear, amongst other aliases, does not evoke the same sense of awe and respect, well not from a Cyber Defenders perspective. AP28 is a highly sophisticated cyber espionage group assessed to be linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit.

Estonian and British intelligence services have also associated APT28 with Russian military intelligence (GRU). The United States believes that GRU units 26165 and 74455 form part of this threat actor. APT28 has been active since at least 2004.

Targets and Objectives

APT28 primarily targets:

• Governments
• Military organisations
• Media outlets
• Research institutions
• Private sector companies

The group’s objectives include:

• Gathering intelligence
• Stealing sensitive information
• Disrupting systems
• Influencing political processes
• Criminal financial gain

Tactics, Techniques and Procedures (TTPs)

APT28 is known for its sophisticated and constantly evolving TTPs, which include:

• Spearphishing: They send targeted emails with malicious attachments or links, often disguised as legitimate communications, to trick victims into revealing their credentials or installing malware.
• Exploiting vulnerabilities: They exploit software vulnerabilities in operating systems, applications and network devices to gain unauthorised access to systems. These may include zero-day exploits, taking advantage of vulnerabilities before patches are available.
• Watering hole attacks: They compromise websites frequently visited by target organisations and inject malicious code to deliver malware to visitors.
• Credential harvesting: They create spoofed websites mimicking legitimate organisations to steal user credentials.
• Brute-force attacks: They use brute-force techniques, including password spraying, to gain access to accounts.
• Lateral movement: Once inside a network, they move laterally to other systems using techniques such as pass-the-hash and exploiting the EternalBlue vulnerability, expanding their access and searching for valuable data.
• Data exfiltration: They steal sensitive information such as intellectual property, trade secrets and personal data, often using encrypted channels to avoid detection.
• Command and control (C2) infrastructure: They utilise various protocols, including HTTP and DNS, to communicate with malware and exfiltrate data, making it difficult to detect and block their activities25. They may also leverage compromised infrastructure, including routers and network devices, to act as C2 servers.

Notable Malware and Tools

APT28 uses a range of custom-developed and publicly available malware and tools, including:

• Sednit/Sofacy: A modular suite of malware tools designed for surveillance, data theft and persistence.
• XAgent: A remote access trojan (RAT) that runs on iOS, Unix and Windows and currently protects communications with SSL/TLS. XAgent does key logging and file extraction.
• X-Tunnel: A network tunnelling tool used to create encrypted tunnels for secure data exfiltration.
• CompuTrace/Lojack: Legitimate software modified by APT28 to enable persistence.
• Responder: An open source tool used to facilitate NetBIOS Name Service (NBT-NS) poisoning and steal usernames and hashed passwords.
• EternalBlue: An exploit for a vulnerability in Microsoft’s SMB protocol, used for lateral movement.
• Empire: A post-exploitation framework, including PowerShell and Python versions, used for various malicious activities.

Notable Attacks

APT28 has been linked to several high-profile cyberattacks, including:

• Interference in the 2016 US presidential election: The group targeted the Democratic National Committee (DNC) and the Hillary Clinton campaign, stealing sensitive emails and other information that were later leaked to the public.
• Attack on the German parliament in 2015: This attack involved data theft and the disruption of email accounts belonging to German Members of Parliament (MPs) and the Vice Chancellor.
• Attempted attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) in 2018: This attack was intended to disrupt independent analysis of chemical weapons used by the GRU in the UK.
• Compromising a satellite communications provider in 2023: This intrusion targeted a provider with critical infrastructure customers.
• Targeting the hospitality sector in 2017: APT28 targeted hotels throughout Europe and the Middle East, using techniques such as sniffing passwords from Wi-Fi traffic and spreading laterally via EternalBlue.

Mitigating the Threat

Organisations can take steps to mitigate the threat posed by APT28 and other advanced persistent threats:

• Implement strong password policies: Enforce strong, unique passwords for all accounts and implement multi-factor authentication where possible.
• Keep systems and software up to date: Regularly patch systems and applications to address known vulnerabilities.
• Educate employees on security best practices: Train employees on how to identify and avoid phishing attacks and other social engineering tactics.
• Network segmentation: Divide networks into smaller segments to limit the impact of a potential breach.
• Employ advanced security tools: Utilise intrusion detection systems, firewalls, endpoint protection solutions, and security information and event management (SIEM) systems to detect and respond to malicious activity.
• Develop and test incident response plans: Establish procedures for responding to security incidents and regularly test these plans.
• Threat intelligence sharing: Participate in information sharing with other organisations and industry groups to stay informed about the latest threats and TTPs.

I love the names Threat actors get or chose; some are strange but other come close to the way in which they operate. Enter Sidewinder!

First off we have the original, the snake.

Now this nasty gets its name from the way it moves. Most snakes get from A to B by bending their bodies into S-shapes and slithering forward headfirst. A few species, however — found in the deserts of North America, Africa and the Middle East — have an odder way of getting around. Known as “sidewinders,” these snakes lead with their mid-sections instead of their heads, slinking sideways across loose sand.

Finally we have Sidewinder Cyber Threat Actor, also known as Razor Tiger, Rattlesnake, and T-APT-04, is a sophisticated, state-sponsored cyber-espionage group believed to originate from India. Active since at least 2012, it’s considered one of the oldest nation-state threat actors. While initially known for targeting military infrastructure in Pakistan, recent research reveals a broader range of targets across Asia, Africa, the Middle East, and Europe. This article explores Sidewinder’s typical attack chain, the newly discovered StealerBot malware, and the group’s evolving tactics.

Typical Attack Chain:

A Deadly Venom: Sidewinder’s Attack Chain Like its namesake, the sidewinder snake, this APT group is known for its stealthy and targeted attacks.

Here’s a breakdown of their typical attack chain:

1. Spear-Phishing: Sidewinder begins by sending carefully crafted spear-phishing emails containing malicious attachments, often disguised as legitimate documents or files.
2. Social Engineering: These emails often leverage social engineering tactics to entice victims to open the attachments, such as using personalized information or exploiting current events.
3. Malware Delivery: Once opened, the attachments deliver malicious payloads, such as remote template injection files or exploit kits, that exploit vulnerabilities in Microsoft Office software.
4. Payload Execution: The malware payloads execute on the victim’s system, often bypassing security measures and establishing a backdoor for further attacks.
5. Data Exfiltration: Sidewinder uses this backdoor to steal sensitive data, including confidential documents, credentials, and intellectual property.

StealerBot: A Modular Arsenal of Espionage

Sidewinder’s arsenal includes a powerful modular implant known as StealerBot. This .NET-based tool is designed to evade detection and conduct a variety of espionage activities. StealerBot’s modules include:

• ModuleInstaller: Installs the Trojan that maintains a foothold on the compromised system.
• Orchestrator: Communicates with Sidewinder’s command-and-control (C2) server and manages other modules.
• Espionage Modules: Capture screenshots, log keystrokes, steal passwords and files, phish Windows credentials, and bypass User Account Control (UAC).

StealerBot is a .NET-based, modular implant designed for espionage. It deviates from typical malware by loading components into memory instead of the infected machine’s filesystem.

ModuleInstaller: This module acts as a backdoor loader, deploying the Trojan used to maintain a foothold on compromised systems. It drops files, including a legitimate application to sideload a malicious library, a configuration manifest, a malicious library, and an encrypted payload.

Orchestrator: This is the main module that communicates with Sidewinder’s command-and-control (C2) server and manages other malware plugins.

StealerBot Modules: The malware includes modules for various espionage activities: installing additional malware, capturing screenshots, logging keystrokes, stealing passwords and files, phishing Windows credentials, and bypassing User Account Control (UAC).

Evolving Tactics and Targets

While initially perceived as a low-skilled group, Sidewinder’s recent attacks show increasing sophistication and an expanding scope.

Polymorphism: Sidewinder uses polymorphism techniques to evade traditional antivirus detection by constantly changing the appearance of its malicious code. This makes analysis and detection challenging for security researchers.

Targeting Maritime Facilities: Recent campaigns have targeted maritime facilities in countries like Egypt and Sri Lanka. Sidewinder uses falsified documents related to ports, employing themes like job termination and salary reductions to lure victims.

Exploiting Older Vulnerabilities: Despite using sophisticated techniques, Sidewinder often exploits older vulnerabilities, such as the CVE-2017-0199 flaw in Microsoft Office dating back to 2017. This highlights the importance of patching systems, even for seemingly outdated vulnerabilities.

Expanding Geographic Reach: Sidewinder’s targets have expanded beyond traditional rivals to include countries in the Middle East, Africa, and even Europe. This shift suggests evolving geopolitical interests and a willingness to target a broader range of entities.

Final Thoughts

Sidewinder is a persistent and evolving threat that poses significant risks to governments, military organizations, and critical infrastructure worldwide. The group’s use of sophisticated tools like StealerBot, coupled with its evolving tactics and expanding targets, demands increased vigilance from security professionals. Understanding Sidewinder’s attack chain and staying informed about its latest activities is crucial for mitigating the threat it poses.