Posted on April 23, 2019 at 7:55 PM
Russian hackers have been attacking various European embassies around the world, including embassies in countries as diverse as Italy, Nepal, and Kenya. The news was announced by Check Point Research via The Verge.
Targetted Finance Officials
The hackers, who also targetted embassies in Guyana, Liberia, Bermuda, and Lebanon among others, sent emails to government finance officials. The emails contained excel sheets that looked to the victim as if they had originated from the United States Stae Department and contained malicious macros in them. When a victim opened an excel file, the malicious macros would weaponize TeamViewer which is a popular remote access application.
The press release issued by Check Point says that they have difficulty telling if the moves are geopolitically connected. However, their best guess at this point in time is that the hackers were alone outfit as opposed to a state-sponsored crew. The victims came from all over the world and it is not possible to ascertain backers from such a seemingly random group of breaches.
Check Point does note that the finance officials were of primary interest to the hackers, going so far as to say that the methods used were extremely sophisticated. The victims were handpicked from several revenue authorities and that careful planning must have been involved. The choice of government officials in these attacks cannot be random as the method of attack (the excel document from the US State Department) was highly specific. Those excel documents were tailored specifically to the victim’s specific interests suggesting a very well thought out plan.
However, the other stages of the attack were not as carefully planned or executed. The attackers left personal information and browsing history exposed and did not bother to code in a way to clean that up. This allowed Check Point to find more cases that followed similar methods of attack. They found that there were Russian-speaking victims as well.
Russians did it, but not the government
Due to the varied geopolitical nature of the attack and in particular the targetting of finance officials, it seems that this attack was done for personal gain. While the hackers are Russian in origin, this attack bears no hallmarks of a state-sponsored event which is leaps and bounds more professional and targeted.
One perpetrator has already been identified as EvaPiks. EvaPiks detailed how to go about this method of attack on a notorious hacking and a carding forum. Since EvaPiks has a history of carding, this is what lead the researchers to believe that the attacks were solely motivated by money. It remains to be seen if the information will be sold on the dark web, or if it will be used for other attacks in the near future.
However, this action coming at this time is not a good look for the Russian government. After a few years of having “Russian Troll Factories” exposed by various news agencies, every additional attack that comes from Russia throws more fuel on the fire.
Russia is not alone in being known as a hotbed of hacking activity. A large proportion of the breaching done in the world comes from China. It has been estimated that at least 70% of the attacks in Asia are attributable to Chinese hackers – either state-sponsored or individual groups. These two nations have taken to cybersecurity and cyber espionage with a panache that has caught many in Europe and America off guard. While security companies in western markets are highly competent, they are few in relative number to the groups of hackers that keep popping up every other week.
This is an online war and with the amount of escalation seen year in, year out, it would take a very smart person indeed to figure out what could possibly be in store for us in the near future. Whatever it may be, it is certainly not something good.