A group of elite hackers, allegedly connected to the Russian government, has impersonated a NATO representative to send a wave of phishing emails to diplomatic organizations in Europe, including the Romanian Foreign Ministry, documents presented by cyberscoop.com reveal.
The experts say it is unclear whether the attempt was successful, adding that this attack had a ‘fairly precise’ purpose, hotnews.ro reports.
The National Centre Cyberint, which operates under the coordination of the Romanian Intelligence Service (SRI), has succeeded in countering the cyber attack, conducted most probably by the APT28/Fancy Bear group, SRI says, adding that the operation was based on information from the Foreign Intelligence Service (SIE), realitatea.net reports.
SRI spokesman Ovidiu Marincea said “an attempted cyber attack was identified against a government institution in Romania, conducted most probably by the actors associated with other previous such incidents. Due to the effective cooperation between institutions, the success of the operation and the damages were prevented and the targets were identified, as well as the attack methodology. Relevant, from the perspective of cyber security, is that this attempt is not a novelty. Daily, thousands of cyber attacks target institutions, entities and people in the virtual space, and Romania is no exception.”
According to hotnews.ro, Cyberscoop has obtained a copy of one such email, which experts have attributed to the group known as APT28 or Fancy Bear.
The email, which contains a booby-trapped attachment that exploits two newly disclosed Microsoft Word vulnerabilities, shows that the hackers imitated a NATO email address so that the message would look authentic.
The website posted a picture of the email, which appears to have been sent by Captain Alistair Borchert from a NATO email address to a person at the Romanian Foreign Ministry.
An analyst with the cyber security company FireEye has confirmed that the email is authentic and is related to the activity of APT28, which has been reported as the possible source of attacks on Emmanuel Macron’s electoral team.
NATO has not commented on this attack, but has said that hackers are constantly trying to penetrate the Alliance’s system.
One of the phishing emails sent to the Foreign Ministry (MAE) has an attachment called “Trump’s_Attack_on_Syria_English.docx”, which contains a press article, the experts say.
If the attachment is opened on a vulnerable system, it uses two Word vulnerabilities to secretly download a Trojan that provides remote control.
Nicknamed ‘GameFish’, the Trojan in this case is a known APT28 tool that offers the attackers a wide range of spying capabilities.