Threat Watch

Norway Says Russian Hacking Group APT28 is Behind August 2020 Parliament Hack

Norway’s cyber security agency issued a report detailing a cyber-attack on the Norwegian parliament (Stortinget), attributing the attack to Russian hacking group APT28. APT 28 is linked to Russia’s military intelligence service GRU. The group breached Stortinget email accounts that lacked multi-factor authentication and utilized weak passwords. The Norwegian government believes this attack to be part of a larger APT28 campaign in which they started using brute-force attacks to gain access to email accounts of more than 200 private and government organizations.

ANALYST NOTES

APT28, also known as the Sofacy Group, Pawn Storm, Fancy Bear and many others, has been operating since 2007. The group targets government organizations and has been connected to attacks against the Pentagon, NATO, the DNC, and several others. The group has used several different techniques over the years, most recently they have focused on credentials harvesting. They then expand access through cloud services and various network equipment, as opposed to their traditional endpoint infection operations. Multi-Factor Authentication (MFA) is necessary to protect any account, especially email accounts of employees or government officials who have access to sensitive information. Cyber threat actors often target email accounts because access to a victim’s email account allows them to reset passwords to many other online systems easily. Passwords alone are not enough to protect sensitive information, especially if employees choose the same or similar passwords for multiple sites—criminals and government-backed hackers alike often use lists of passwords leaked from other websites when they attempt to guess passwords for email accounts or remote access accounts. The Binary Defense Counterintelligence service monitors for leaked information, including passwords, associated with clients’ brand names and domain names.

Sources: https://www.zdnet.com/article/norway-says-russian-hacking-group-apt28-is-behind-august-2020-parliament-hack/?&web_view=true