sb-au logo
Story image

'Iron Twilight' hacker group might be part of the Russian Government

03 Apr 2017

SecureWorks Counter Threat Unit researchers have made a 'breakthrough' linking the notorious Iron Twilight hacking group to the Russian Government.

Iron Twilight, known as APT28, Fancy Bear, Pawn Storm, Sofacy, Strontium and Tsar Team, has been behind a number of cyber attacks against governments, militaries, NGOs, journalists, political organisations and other targets since 2009.

According to SecureWorks, the group uses spearphishing emails with malicious document attachments or links to a custom exploit kit. It targets all operating systems across PC and mobile. It also uses targeted phishing campaigns to steal webmail credentials. 

The researchers have released information on the group, which reportedly links it directly to Gmail phishing attacks, Malaysian Airlines flight MH17, and recently the DNC/Hillary Clinton campaign breach.

In the case of Malaysian Airlines flight MH17, SecureWorks researchers say that Iron Twilight targeted the Dutch Safety Board with a phishing campaign that was designed to steal email credentials.  

Another campaign targeted Bellingcat, a UK citizen journalist group that said the missile used to shoot the plane down was moved into Ukraine from Russia.

“In both incidents, the threat group’s goal appeared to be acquiring intelligence that could be potentially embarrassing to the Russian government,” the researchers claim.

Researchers also claim that Iron Twilight used phishing emails towards DNC accounts, 108 Hillary Clinton presidential campaign accounts and 26 personal accounts belonging to active members in politics. 

In June 2016, DNC confirmed it had been attacked by Iron Twilight. Researchers suspect that the group then released information from DNC under the guise of a ‘lone hacker’ to divert attention away from the actual origin.

SecureWorks researchers also mentioned that in June 2015, Iron Twilight conducted a phishing campaign on Gmail accounts. Thousands of users were targeted, including those in Russia, former Soviet states, military and government personnel. across the US and Europe, as well as authors and journalists with an interest in Russia.

In another incident, Wikileaks posted emails stolen from John Podesta, then-chairman of Hillary Clinton’s presidential campaign.

Researchers say it is likely that Iron Twilight provided this information after hacking Podesta’s account in March 2016.

Some researchers speculate that Iron Twilight is part of Russia’s Main Intelligence Directorate, the GRU. While there is no direct evidence, the group’s strategy does support this claim.

“Although IRON TWILIGHT became known for political targeting in 2016, evidence strongly indicates its main focus has always been gathering military intelligence to support current Russian military operations and acquiring intelligence of strategic threats. For example, documents used in a spearphishing campaign in late 2016 target NATO military personnel (see Figure 7). Russia considers NATO a strategic threat. IRON TWILIGHT’s targeting of foreign military personnel and regions where Russia is militarily active matches what CTU researchers expect from the GRU, given its remit to gather intelligence for the Russian military. Therefore, CTU researchers assess IRON TWILIGHT is probably sponsored by, or an operational function of, the GRU,” the researchers claim.

Story image
Kaseya acquires RocketCyber to bring SOC solutions to more businesses
"With this acquisition, we've doubled down on our security investments to provide our customers with access to experts who can continuously monitoring their IT environments without the cost and complexity of disparate tools.”More
Story image
Dicker Data scores One Identity distribution agreement for Australia
Dicker Data has entered into a distribution agreement with One Identity, a Quest Software company specialising in identity-centric security. The agreement was effective as of 1 March 2021.More
Story image
Women in tech: Equality journey not over
The idea of gender equality represents more than just physical bodies through doors. It is also the notion of perceptions, feelings, stereotypes and opportunity.More
Story image
Video: 10 Minute IT Jams - Who is Interactive?
Interactive is Australia’s largest privately owned IT company, providing cloud and managed services for data centre, business continuity and hardware maintenance.More
Story image
CSO Group scores AU$16m deal with NSW Government
The deal focuses on the refresh and uplift of cybersecurity capabilities and technologies for the cloud, endpoint and email, leveraging the recently launched CSO Managed Security Service.More
Story image
Kaspersky ranked number one in channel partner satisfaction
“Being recognised for the second consecutive year as the number one cybersecurity vendor for channel satisfaction, reflects the investment we have made in the Kaspersky United partner program over the past two years."More