Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Incident & Breach Response
Norway Says Russia-Linked APT28 Hacked ParliamentOfficials: Hackers Used Brute-Force Methods to Hack Email Accounts
The Norwegian parliament's investigation into the hacking of email accounts of some elected officials and government employees in August has concluded that a Russia-linked advanced persistent threat group is likely responsible, according to a report issued this week.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
"The investigation shows that it's likely that the operation was carried out by the cyber actor referred to APT28, or Fancy Bear, Norwegian Police Attorney Anne Karoline Bakken Staff noted in a statement this week issued by the country's parliament.
Analysts and security researchers have previously linked APT28 to Russia's Main Intelligence Directorate, commonly referred to as the GRU, which serves as the military intelligence division of Russia's armed forces.
APT28 is further associated with Russia's 85th Main Special Service Center, or GTsSS, which is also known as Military Unit 26165. The hacking group is known for complex operations that steal victims' credentials to enable surveillance or intrusion operations (see: EU Sanctions 2 Russians for German Parliament Hack).
Norway's Parliament, known as the Storting, notes that the investigation determined the threat actors used brute-force tactics to obtain valid email credentials.
"This technique has been used against a high number of user accounts at the Storting's e-mail systems and has resulted in the player being able to obtain a user password, which it could again use to log in to a smaller number of accounts," according to the report.
The investigation also revealed that the threat actors were successful in extracting sensitive content from some of the affected email accounts, the report says.
The threat actors also tried to move further into the Storting's computer systems but were unsuccessful, according to the Norwegian Police Security Service, the country's national security service that oversees counterintelligence operations and cybercrime, which conducted the investigation.
"It is not possible to go further into technical specifications and findings due to grading and sensitivity considerations. The investigation confirms that the Storting's own vulnerabilities, insecure passwords for accounts used in both work and private contexts, expose both individuals and the Storting as a parliamentary institution," the parliament report notes.
The report adds that simple steps, such as using multifactor authentication, could have helped prevent the attack.
While the report offers details and lays blame for the hacking with APT28, there was not enough evidence to bring an official criminal indictment.
In September, government officials said, the hackers were able to access a "small number" of email accounts of members of parliament and government employees and remove data, although the initial investigation did not determine what information was taken (see: Norway's Parliament Investigates Email Hacks ).
The Storting issued another statement in October, accusing Russia of being responsible for hacking the email system of the country's parliament. Norway Foreign Minister Ine Eriksen Søreide alleged that Russia orchestrated the hacking, but she did not provide any evidence at the time (see: Norway Alleges Russia Orchestrated Parliament Email Hack ).
Russia, though its Norwegian embassy, has denied any involvement.
APT28's Hacking Activities
Other European countries have also accused Russia of attempting to hack various organizations and institutions. For example, in 2015, Germany's lower house of parliament, known as the Bundestag, found that its PCs and servers were hacked using malware, and attackers gained administrative-level rights for the entire network and infrastructure.
In May, German prosecutors reportedly blamed the attack on a member of APT28 (see: Russian a Suspect in German Parliament Hack: Report).
Just before the U.S. elections in November, American intelligence agencies, along with security analysts, warned that APT28 would likely attempt to disrupt the vote or spread disinformation during the presidential campaign. China and Iran were also suspected of attempting to interfere in the vote (see: US Election Hack Attacks Traced to Russia, China, Iran).
In September, Microsoft alleged that APT28 had been attacking victims to obtain valid Office 365 credentials to enable future surveillance or intrusion operations (see: Russia-Backed Hackers Try to Harvest Office 365 Credentials).