Russian hackers target governments in Europe and South America

They're not just obsessed with elections and the Olympics.

Updated ·1 min read

Russia's Fancy Bear hacking team (aka APT28) isn't just focused on meddling with elections and retaliating against anti-doping agencies. Symantec has observed Fancy Bear conducting intelligence gathering hacks in Europe and South America, including governments, military targets, an embassy and a "well-known international organization." The group has been using a common set of tools to conduct the campaign, although it also recently expanded its repertoire to include hacks that are considerably harder to stop.

The Russian outfit primarily relies on a two-stage malware infection. A trojan nicknamed Sofacy (aka Seduploader) handles initial recon and downloads further malware, while a backdoor known as SofacyX (X-Agent) steals information from the computer. For more persistent attacks, there's a Lojax rootkit that targets the UEFI platform underlying many modern computers. As it sits in the flash memory aboard a computer's firmware, Lojax can survive even if you replace the hard drive or reinstall the operating system.

The cyberattack campaign may be larger than this. Another group, Earworm, has been using spear-phishing email campaigns against military targets in Asia and Europe with some overlap between its control system and that of Fancy Bear. Its operations are separate, though, suggesting it may be another Russian operation rather than an extension of Fancy Bear.

An ongoing global spying campaign wouldn't be surprising. It's not just that Russia has a vested interest in keeping tabs on its political rivals -- it's that it takes relatively few resources to conduct these campaigns in the first place. What little it spends recruiting dedicated hackers could pay huge dividends by gathering more intelligence and undermining institutions.