A Russian cyber-espionage group has tried to infect security researchers with malware via a spear-phishing campaign that can easily receive a Pwnie Awards nomination for one of the year's biggest epic fails.
This campaign was set in motion at the start of the month and targeted attendees of CyCon, a security conference organized by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) and the Army Cyber Institute at West Point.
Obviously, people who plan to participate in this conference are experts in cyber-security and well accustomed to basic spear-phishing campaigns, malware, and APT groups.
What did the Russian cyber-espionage group do in this case? Did it deploy an undetectable zero-day exploit that experts can't spot? No, of course not. It deployed spear-phishing emails containing Word documents laced with a basic macro script.
Mind you, security experts interested in attending CyCon are usually the people who will ramble for hours about never, ever enabling Word macros.
If there was ever a case to deploy a zero-day, this was it. Zero-days are expensive, and once you burn them, they’re exposed and will likely get patched in the near future. Instead, this same group — known as APT28 — deployed its precious zero-days in attacks earlier this year against government and political campaign workers, most of whom have little to no security training.
When you deploy a zero-day, you use it against a target who doesn't fall for silly tricks like Word macros.
Using zero-days against government workers and secretaries is like using the Death Star laser to give your dog a haircut. Deploying macro-malware against security experts is similar to flicking spitballs at the latest version of an Abrams tank.
Whoever orchestrated this campaign for APT28 needs to be taken to a dark room and subjected to endless reruns of Cleveland Browns games and Baywatch episodes. APT28 has a reputation to live up to. For example, the group has been linked in the past to successful attacks on NATO, the Pentagon, the White House, the DNC, and the German Parliament. They're certainly not going to infect security researchers with macro-malware, that's for sure.
For this particular campaign, if security researchers could have stopped laughing for a few seconds and allowed the macros to execute (and you bet your sweet behind they did, inside a sandboxed environment), they would have spotted the document downloading and installing the Seduploader malware, one of APT28’s classic backdoor trojans, used mainly for reconnaissance operations.
Cisco Talos, who spotted the campaign in action, have more details about Seduploader's capabilities and the spear-phishing campaign in a report. The Talos team refers to APT28 as Group 74. Other codenames for APT28 include Fancy Bear, Sofacy, Sednit, Tsar Team, Pawn Storm, and Strontium.
CyCon organizers have also issued an alert regarding APT28's spear-phishing campaign.