
'Iron Twilight' hacker group might be part of the Russian Government

03 Apr 2017

SecureWorks Counter Threat Unit researchers have made a 'breakthrough' linking the notorious Iron Twilight hacking group to the Russian Government.

Iron Twilight, known as APT28, Fancy Bear, Pawn Storm, Sofacy, Strontium and Tsar Team, has been behind a number of cyber attacks against governments, militaries, NGOs, journalists, political organisations and other targets since 2009.

According to SecureWorks, the group uses spearphishing emails with malicious document attachments or links to a custom exploit kit. It targets all operating systems across PC and mobile. It also uses targeted phishing campaigns to steal webmail credentials. 

The researchers have released information on the group that reportedly links it directly to phishing attacks against Gmail users, to campaigns connected with the Malaysian Airlines flight MH17 investigation and, most recently, to the DNC/Hillary Clinton campaign breach.

In the case of Malaysian Airlines flight MH17, SecureWorks researchers say that Iron Twilight targeted the Dutch Safety Board with a phishing campaign designed to steal email credentials.

Another campaign targeted Bellingcat, a UK citizen journalist group which reported that the missile used to shoot the plane down had been moved into Ukraine from Russia.

“In both incidents, the threat group’s goal appeared to be acquiring intelligence that could be potentially embarrassing to the Russian government,” the researchers claim.

Researchers also claim that Iron Twilight sent phishing emails to DNC accounts, 108 Hillary Clinton presidential campaign accounts and 26 personal accounts belonging to people active in politics.

In June 2016, the DNC confirmed it had been attacked by Iron Twilight. Researchers suspect that the group then released information from the DNC under the guise of a 'lone hacker' to divert attention away from the actual origin.

SecureWorks researchers also mentioned that in June 2015, Iron Twilight conducted a phishing campaign against Gmail accounts. Thousands of users were targeted, including people in Russia and former Soviet states, military and government personnel across the US and Europe, and authors and journalists with an interest in Russia.

In another incident, Wikileaks posted emails stolen from John Podesta, then-chairman of Hillary Clinton’s presidential campaign.

Researchers say it is likely that Iron Twilight provided this information after hacking Podesta’s account in March 2016.

Some researchers speculate that Iron Twilight is part of Russia's Main Intelligence Directorate, the GRU. While there is no direct evidence, the group's targeting strategy is consistent with this claim.

“Although IRON TWILIGHT became known for political targeting in 2016, evidence strongly indicates its main focus has always been gathering military intelligence to support current Russian military operations and acquiring intelligence of strategic threats. For example, documents used in a spearphishing campaign in late 2016 target NATO military personnel (see Figure 7). Russia considers NATO a strategic threat. IRON TWILIGHT’s targeting of foreign military personnel and regions where Russia is militarily active matches what CTU researchers expect from the GRU, given its remit to gather intelligence for the Russian military. Therefore, CTU researchers assess IRON TWILIGHT is probably sponsored by, or an operational function of, the GRU,” the researchers claim.
