Logical Analysis Report

Key Focus

  • "They're a formidable actor, and they're still capable of getting access to sensitive areas," says Hultquist.
    APT28, before its more recent hack-and-leak operations of the last few years, has a long history of espionage operations that have targeted US, NATO, and Eastern European government and military targets. The CISA advisory, along with the DOE and FBI findings that track related APT28 hacking campaigns, all suggest that those spying operations continue today.
    "It's certainly not surprising that Russian intelligence would be trying to penetrate the US government
  • Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest a likely answer to the mystery of who was behind the intrusion: They appear to be Fancy Bear, a team of hackers working for Russia's GRU. Also known as APT28, the group has been responsible for everything from hack-and-leak operations targeting the 2016 US presidential election to a broad campaign of attempted intrusions targeting political parties, consultancies, and campaigns this year.
    "They're a formidable actor, and they're still capable of getting access to sensitive areas."
    The clues pointing to APT28 are based in part on a notification the FBI sent to targets of a hacking campaign in May of this year, which WIRED obtained
  • That would suggest that APT28 used the same Hungarian server in the intrusion described by CISA, and that at least one of the attempted intrusions described by the FBI was successful.
    "Based on the infrastructure overlap, the series of behaviors associated with the event, and the general timing and targeting of the US government, this seems to be something very similar to, if not a part of, the campaign linked to APT28 earlier this year," says Slowik, the former head of ... from that FBI notification, Slowik also found a second infrastructure connection
  • WIRED reached out to CISA, as well as the FBI and DOE, but none responded to our request for comment.
    Although it doesn't name APT28, CISA's advisory does detail step-by-step how the hackers carried out their intrusion inside an unidentified federal agency



High Level Topics

  • APT28
  • CISA
  • FBI
  • AGENCY

High Level Abstractions

  • APT28(6, 0 Order)
  • ( APT28 )(6, 0 Order)
  • ( APT28, FBI )(4, 1st Order)
  • ( APT28, CISA )(3, 1st Order)
  • ( APT28, CAMPAIGN )(2, 1st Order)
  • ( APT28, SLOWIK )(2, 1st Order)
  • ( APT28, INTELLIGENCE )(3, 1st Order)
  • ( APT28, TARGETS )(2, 1st Order)
  • ( APT28, MILITARY )(2, 1st Order)
  • ( APT28, INTRUSIONS )(2, 1st Order)
  • ( APT28, INFRASTRUCTURE )(1, 1st Order)
  • ( APT28, HACK-AND-LEAK )(1, 1st Order)
  • ( APT28, FEDERAL )(2, 1st Order)
  • ( APT28, DRAGOS )(1, 1st Order)
  • CISA(6, 0 Order)
  • ( CISA )(6, 0 Order)
  • ( CISA, MALWARE )(2, 1st Order)
  • ( CISA, INFRASTRUCTURE )(2, 1st Order)
  • ( CISA, SLOWIK )(2, 1st Order)
  • ( CISA, FBI )(2, 1st Order)
  • ( CISA, AGENCY )(3, 1st Order)
  • ( CISA, SECURITY )(2, 1st Order)
  • ( CISA, FEDERAL )(2, 1st Order)
  • ( CISA, CAMPAIGN )(1, 1st Order)
  • ( CISA, VIRUSTOTAL )(1, 1st Order)
  • ( CISA, USERS )(1, 1st Order)
  • ( CISA, UNITED_ARAB_EMIRATES )(1, 1st Order)
  • FBI(4, 0 Order)
  • ( FBI )(4, 0 Order)
  • AGENCY(4, 0 Order)
  • ( AGENCY )(4, 0 Order)

References

    • ( APT28 )
    • ( APT28, FBI )
      • Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest a likely answer to the mystery of who was behind the intrusion: They appear to be Fancy Bear, a team of hackers working for Russia's GRU. Also...
      • That would suggest that APT28 used the same Hungarian server in the intrusion described by CISA, and that at least one of the attempted intrusions described by the FBI was successful.
        "Based on the infrastructure overlap, the series of behaviors associated with the event, and the general timing and targeting of the US government, this seems to be something...
      • WIRED reached out to CISA, as well as the FBI and DOE, but none responded to our request for comment.
        Although it doesn't name APT28, CISA's advisory does detail step-by-step how the hackers carried out their intrusion inside an unidentified...
      • ... operations of the last few years, has a long history of espionage operations that have targeted US, NATO, and Eastern European government and military targets. The CISA advisory, along with the DOE and FBI findings that track related APT28 hacking campaigns, all suggest that those spying operations continue today.
        "It's certainly not surprising that Russian intelligence would be trying to penetrate...
    • ( APT28, CISA )
      • Dragos researcher Joe Slowik noticed that one IP address identifying a server in Hungary used in that APT28 campaign matched an IP address listed in the CISA advisory. That would suggest that APT28 used the same Hungarian server in the intrusion described by CISA, and that at least one of the attempted intrusions described by the FBI was successful.
        "Based...
      • WIRED reached out to CISA, as well as the FBI and DOE, but none responded to our request for comment.
        Although it doesn't name APT28, CISA's advisory does detail step-by-step how the hackers carried out their intrusion...
      • But if APT28 is indeed the hacker group described in the CISA advisory, it's a reminder that they're also capable of more sophisticated and targeted spying operations, says John Hultquist, the director of intelligence at security firm FireEye, which didn't...
    • ( APT28, CAMPAIGN )
      • ... team of hackers working for Russia's GRU. Also known as APT28, the group has been responsible for everything from hack-and-leak operations targeting the 2016 US presidential election to a broad campaign of attempted intrusions targeting political parties, consultancies, and campaigns this year.
        "They're a formidable actor, and they're still capable of getting access to sensitive areas."
        The...
      • Dragos researcher Joe Slowik noticed that one IP address identifying a server in Hungary used in that APT28 campaign matched an IP address listed in the CISA advisory. That would suggest that APT28 used the same Hungarian server in the intrusion described by CISA, and that at least one of the attempted intrusions...
    • ( APT28, SLOWIK )
      • ... associated with the event, and the general timing and targeting of the US government, this seems to be something very similar to, if not a part of, the campaign linked to APT28 earlier this year," says Slowik, the former head of ... from that FBI notification, Slowik also found a second infrastructure connection
      • ... reminder that they're also capable of more sophisticated and targeted spying operations, says John Hultquist, the director of intelligence at security firm FireEye, which didn't independently confirm Slowik's findings linking the CISA report to APT28.
    • ( APT28, INTELLIGENCE )
      • Russia's APT28 military intelligence hackers have been behind some of the biggest hacks of the last several years.
        A WARNING THAT unidentified hackers broke into an agency of the US federal government and stole its data is troubling...
      • ... is indeed the hacker group described in the CISA advisory, it's a reminder that they're also capable of more sophisticated and targeted spying operations, says John Hultquist, the director of intelligence at security firm FireEye, which didn't independently confirm Slowik's findings linking the CISA report to APT28
      • "It's certainly not surprising that Russian intelligence would be trying to penetrate the US government.
    • ( APT28, TARGETS )
      • The clues pointing to APT28 are based in part on a notification the FBI sent to targets of a hacking campaign in May of this year, which WIRED obtained.
      • APT28, before its more recent hack-and-leak operations of the last few years, has a long history of espionage operations that have targeted US, NATO, and Eastern European government and military targets. The CISA advisory, along with the DOE and FBI findings that track related APT28 hacking campaigns, all suggest that those spying operations continue today.
        "It's certainly not surprising...
    • ( APT28, MILITARY )
      • Russia's APT28 military intelligence hackers have been behind some of the biggest hacks of the last several years.
        A WARNING THAT unidentified hackers broke into an agency of the US federal government and stole its data...
      • APT28, before its more recent hack-and-leak operations of the last few years, has a long history of espionage operations that have targeted US, NATO, and Eastern European government and military targets. The CISA advisory, along with the DOE and FBI findings that track related APT28 hacking campaigns, all suggest that those spying operations continue today.
        "It's certainly not...
    • ( APT28, INTRUSIONS )
      • ... for Russia's GRU. Also known as APT28, the group has been responsible for everything from hack-and-leak operations targeting the 2016 US presidential election to a broad campaign of attempted intrusions targeting political parties, consultancies, and campaigns this year.
        "They're a formidable actor, and they're still capable of getting access to sensitive areas."
        The clues...
      • That would suggest that APT28 used the same Hungarian server in the intrusion described by CISA, and that at least one of the attempted intrusions described by the FBI was successful.
        "Based on the infrastructure overlap, the series of behaviors associated with the event, and the general timing and targeting of the US government, this...
    • ( APT28, INFRASTRUCTURE )
      • "Based on the infrastructure overlap, the series of behaviors associated with the event, and the general timing and targeting of the US government, this seems to be something very similar to, if not a part of, the campaign linked...
    • ( APT28, HACK-AND-LEAK )
      • ... to the mystery of who was behind the intrusion: They appear to be Fancy Bear, a team of hackers working for Russia's GRU. Also known as APT28, the group has been responsible for everything from hack-and-leak operations targeting the 2016 US presidential election to a broad campaign of attempted intrusions targeting political parties, consultancies, and campaigns this year.
        "They're a formidable...
    • ( APT28, FEDERAL )
      • A WARNING THAT unidentified hackers broke into an agency of the US federal government and stole its data is troubling enough.
      • Although it doesn't name APT28, CISA's advisory does detail step-by-step how the hackers carried out their intrusion inside an unidentified federal agency.
    • ( APT28, DRAGOS )
      • Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest a likely answer to the mystery of who was behind the intrusion: They appear to be Fancy Bear, a team of hackers working for...
    • ( CISA )
    • ( CISA, MALWARE )
      • The intruders then used command line tools to move among the agency's machines, before downloading a piece of custom malware.
      • They then used that malware to access the agency's file server and move collections of files to machines the hackers controlled, compressing them into .zip files they could more easily steal.
        While CISA didn't...
    • ( CISA, INFRASTRUCTURE )
      • See ( APT28 , INFRASTRUCTURE )
      • But he suggests that means Russia's state-sponsored hackers are most likely reusing cybercriminal infrastructure, perhaps to create deniability. WIRED reached out to CISA, as well as the FBI and DOE, but none responded to our request for comment.
        Although it doesn't name APT28, CISA's advisory does...
    • ( CISA, SLOWIK )
      • See ( APT28 , SLOWIK )
    • ( CISA, FBI )
      • See ( APT28 , FBI )
      • But he suggests that means Russia's state-sponsored hackers are most likely reusing cybercriminal infrastructure, perhaps to create deniability. WIRED reached out to CISA, as well as the FBI and DOE, but none responded to our request for comment.
        Although it doesn't name APT28, CISA's advisory does detail step-by-step how the hackers carried out their intrusion inside an unidentified...
    • ( CISA, AGENCY )
      • Although it doesn't name APT28, CISA's advisory does detail step-by-step how the hackers carried out their intrusion inside an unidentified federal agency.
      • The intruders then used command line tools to move among the agency's machines, before downloading a piece of custom malware.
      • They then used that malware to access the agency's file server and move collections of files to machines the hackers controlled, compressing them into .zip files they could more easily steal.
        While CISA didn't make a sample of the hackers' custom...
    • ( CISA, SECURITY )
      • While CISA didn't make a sample of the hackers' custom trojan available to researchers, security researcher Costin Raiu says that the attributes of the malware matched another sample uploaded to the malware research repository VirusTotal from somewhere in the United Arab Emirates
      • ... hacker group described in the CISA advisory, it's a reminder that they're also capable of more sophisticated and targeted spying operations, says John Hultquist, the director of intelligence at security firm FireEye, which didn't independently confirm Slowik's findings linking the CISA report to APT28
    • ( CISA, FEDERAL )
      • See ( APT28 , FEDERAL )
      • ... doesn't know how those credentials were obtained, but the report speculates that the attackers may have used a known vulnerability in Pulse Secure VPNs that CISA says has been exploited widely across the federal government.
        The intruders then used command line tools to move among the agency's machines, before downloading a piece of custom malware
    • ( CISA, CAMPAIGN )
      • See ( APT28 , CAMPAIGN )
    • ( CISA, VIRUSTOTAL )
      • ... sample of the hackers' custom trojan available to researchers, security researcher Costin Raiu says that the attributes of the malware matched another sample uploaded to the malware research repository VirusTotal from somewhere in the United Arab Emirates.
    • ( CISA, USERS )
      • According to Microsoft, the group has used a combination of password-spraying that tries common passwords across many users' accounts and password brute-forcing that tries many passwords against a single account.
        But if APT28 is indeed the hacker group described in the CISA advisory, it's a reminder that they're also...
    • ( CISA, UNITED_ARAB_EMIRATES )
      • ... trojan available to researchers, security researcher Costin Raiu says that the attributes of the malware matched another sample uploaded to the malware research repository VirusTotal from somewhere in the United Arab Emirates.
    • ( FBI )
      • ... the hackers' methods and their use of a new and unique form of malware in an operation that successfully stole target data. Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest a likely answer to the mystery of who was behind the intrusion: They appear to be Fancy Bear, a team of hackers working for Russia's GRU. Also...
      • That would suggest that APT28 used the same Hungarian server in the intrusion described by CISA, and that at least one of the attempted intrusions described by the FBI was successful. "Based on the infrastructure overlap, the series of behaviors associated with the event, and the general timing and targeting of the US government, this seems to be something...
      • But he suggests that means Russia's state-sponsored hackers are most likely reusing cybercriminal infrastructure, perhaps to create deniability. WIRED reached out to CISA, as well as the FBI and DOE, but none responded to our request for comment. Although it doesn't name APT28, CISA's advisory does detail step-by-step how the hackers carried out their intrusion inside an...
      • ... operations of the last few years, has a long history of espionage operations that have targeted US, NATO, and Eastern European government and military targets. The CISA advisory, along with the DOE and FBI findings that track related APT28 hacking campaigns, all suggest that those spying operations continue today. "It's certainly not surprising that Russian intelligence would be trying...
    • ( AGENCY )
      • ... officials disclosed last week. Russia's APT28 military intelligence hackers have been behind some of the biggest hacks of the last several years. A WARNING THAT unidentified hackers broke into an agency of the US federal government and stole its data is troubling enough. But it becomes all the more disturbing when those unidentified intruders are identified, and appear likely to be part of a notorious...
      • It identified neither the attackers nor the agency, but did detail the hackers' methods and their use of a new and unique form of malware in an operation that successfully stole target data
      • ... responded to our request for comment. Although it doesn't name APT28, CISA's advisory does detail step-by-step how the hackers carried out their intrusion inside an unidentified federal agency. The hackers had somehow obtained working usernames and passwords for multiple employees, which they used to gain entry onto the network
      • ... attackers may have used a known vulnerability in Pulse Secure VPNs that CISA says has been exploited widely across the federal government. The intruders then used command line tools to move among the agency's machines, before downloading a piece of custom malware. They then used that malware to access the agency's file server and move collections of files to machines the hackers controlled, compressing...