
Tackling Strontium: a cyber-espionage group


  • Microsoft said it had disrupted cyberattacks from a Russian nation-state hacking group.
  • The group called ‘Strontium’ by the software company targeted Ukrainian firms, media organisations, government bodies, and think tanks in the U.S. and the EU.

What is Strontium?

  • Strontium, also known as Fancy Bear, Tsar Team, Pawn Storm, Sofacy, Sednit or Advanced Persistent Threat 28 (APT28), is a highly active and prolific cyber-espionage group.
  • It is one of the most active APT groups and has been operating since at least the mid-2000s, making it one of the world’s oldest cyber-spy groups.
  • It uses highly sophisticated tools to conduct spy operations, and has been attacking targets in the U.S., Europe, Central Asia and West Asia.
  • The group is said to be connected to the GRU, the Russian Armed Forces’ main military intelligence wing.
  • GRU’s cyber units are believed to have been responsible for several cyberattacks over the years and its unit 26165 is identified as Fancy Bear.

How does it attack networks?

  • The group deploys diverse malware and malicious tools to breach networks.
  • In the past, it has used X-Tunnel, SPLM (also known as CHOPSTICK and X-Agent), GAMEFISH and Zebrocy to attack targets.
  • These tools can be used as hooks in system drivers to access local passwords, and can track keystrokes and mouse movements and control webcams and USB drives.
  • They can also search and replace local files and stay connected to the network, according to a report by the U.K. National Cyber Security Centre (NCSC).
  • APT28 uses spear-phishing (targeted campaigns to gain access to an individual’s account) and zero-day exploits (taking advantage of unknown computer-software vulnerabilities) to target specific individuals and organisations.
  • It has used spear-phishing and sometimes water-holing to steal information, such as account credentials, sensitive communications and documents.
  • A watering hole attack compromises a site that a targeted victim visits to gain access to the victim's computer and network.
  • For high volume attacks, it has used Zebrocy, which is also primarily deployed through spear-phishing emails.
  • Fancy Bear has also used the VPNFilter malware to target hundreds of thousands of routers and network-attached storage (NAS) devices worldwide.
  • More recently, a cybersecurity advisory issued by the NSA and the Federal Bureau of Investigation (FBI) noted that APT28 deployed a malware called Drovorub, designed for Linux systems.
  • When deployed on a victim machine, it provides file download and upload capabilities; execution of arbitrary commands; and implements hiding techniques to evade detection.
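The Drovorub advisory mentioned above recommends, as mitigations, running a kernel that enforces module signatures and enabling UEFI Secure Boot, because the malware's hiding component loads as a kernel module. The script below is an added example for defenders (it is not from the article or from the NSA/FBI advisory) that reports whether a Linux host enforces kernel module signatures, which kernel lockdown mode is active, and whether Secure Boot is on. It reads only standard sysfs and efivars paths; the SYSROOT variable is an assumption introduced here so the checks can be pointed at a constructed directory tree for testing.

```shell
#!/bin/sh
# Added example (not the article's or the advisory's code): report the kernel
# module-loading hardening that the Drovorub advisory recommends.
# SYSROOT (an assumption of this script) is prefixed to every path so the
# functions can be run against a constructed tree instead of the live system.
SYSROOT="${SYSROOT:-}"

# Print Y/N for kernel module signature enforcement, or unknown if the
# kernel exposes no such parameter (or the file is unreadable).
module_sig_enforce() {
    f="$SYSROOT/sys/module/module/parameters/sig_enforce"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Print the active lockdown mode: none, integrity or confidentiality.
# The sysfs file reads e.g. "none [integrity] confidentiality"; the
# bracketed word is the mode in force.
kernel_lockdown_mode() {
    f="$SYSROOT/sys/kernel/security/lockdown"
    if [ -r "$f" ]; then
        sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
    else
        echo unknown
    fi
}

# Print enabled/disabled/unknown for UEFI Secure Boot. The efivar holds a
# 4-byte attribute header followed by a single data byte (1 = enabled).
secure_boot_state() {
    f="$SYSROOT/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    if [ -r "$f" ]; then
        case "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" in
            1) echo enabled ;;
            0) echo disabled ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# Overall verdict: "hardened" only when signatures are enforced AND lockdown
# is at least integrity (so an unsigned module cannot be loaded even by
# root); otherwise "review", meaning a rootkit-style module could load.
module_loading_verdict() {
    sig="$(module_sig_enforce)"
    lock="$(kernel_lockdown_mode)"
    if [ "$sig" = "Y" ] && { [ "$lock" = "integrity" ] || [ "$lock" = "confidentiality" ]; }; then
        echo hardened
    else
        echo review
    fi
}

report() {
    echo "module signature enforcement: $(module_sig_enforce)"
    echo "kernel lockdown mode:         $(kernel_lockdown_mode)"
    echo "UEFI Secure Boot:             $(secure_boot_state)"
    echo "module-loading verdict:       $(module_loading_verdict)"
}

report
```

Run it as root on the host being checked (efivars are often unreadable to ordinary users, which the script reports as unknown rather than as a pass). A "review" verdict does not mean the host is compromised; it means the kernel will accept unsigned modules, which is the condition the advisory's mitigations are meant to remove.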

Which organisations have been targeted?

  • The Democratic National Committee (DNC) hack during the 2016 U.S. presidential election, the cyberattack on the global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and several other high-profile breaches are said to be the work of APT28.
  • The DNC was allegedly hacked by Fancy Bear, and documents, including emails, that were stolen during the cyberattacks were published online.
  • In 2015, the German federal Parliament, Bundestag, was reportedly attacked by Fancy Bear.
  • During the attack, data was stolen and the email accounts of several MPs, as well as then Chancellor Angela Merkel, were affected.
  • Later, the same group was supposedly responsible for accessing and stealing content from multiple email accounts belonging to a small U.K.-based TV station.

How have governments and security agencies reacted?

  • In the U.K., the government said it would enforce asset freezes and travel bans against two Russian GRU officers and the GRU’s unit 26165, held responsible for the 2015 cyberattacks on Germany’s Parliament.
  • In addition, the country’s NCSC had issued a detailed technical advisory to assist in detecting the presence of malicious tools used by APT28 on platforms and networks, along with mitigation guidelines for protection against the group’s activities.
