Russian Hackers Use Cyber Conflict Conference in Washington to Infect High Profile Targets in US Military & Intelligence
Hackers backed by the military intelligence agency of Russia are reportedly leveraging a warfare conference in Washington DC to target high profile NATO and US military cyber experts. The International Conference on Cyber Conflict US (CyCon) hosted by the US Army and NATO Cooperative Cyber Defence Centre of Excellence will begin next month and will be packed with NATO and US military cyber defenders. Kremlin-backed hackers have now been spotted running campaigns that are specifically targeting the attendees of this conference.
APT28 or Fancy Bear linked to Russia uses "decoy document in real cyber conflict"
In a report published over the weekend, security researchers at Cisco Talos revealed that APT28 aka Fancy Bear that was also responsible for the DNC hack last year, has weaponized a legitimate Word document titled "Conference_on_Cyber_Conflict.doc" with malware. Targeting potential attendees of this upcoming cybersecurity conference, researchers have said that the target list is highly lucrative to attackers since they could get a lot of sensitive information from this particular group.
"This conference has a lot of interesting attendees including current serving military members," Talos wrote. "The attack on these kinds of individuals could yield extremely sensitive information and this is most likely what the actors were hoping for in this instance."
Known as "Seduploader," the malware is hidden in a two-page document that has been taken from the official conference website itself. The document was first created by attackers on October 4 with the attacks peaking three days later, on October 7.
Researchers write that the Seduploader reconnaissance malware has long been used by this threat actor and composes of 2 files, including a dropper and payload. This malware doesn't leverage any zero day flaws and simply contains a malicious Visual Basic for Applications (VBA) macro within the Microsoft Office document. Talos suggests that the group hasn't used any security flaws "to ensure they remained viable for any other operations."
"Actors will often not use exploits due to the fact that researchers can find and eventually patch these which renders the actors' weaponised platforms defunct."
The event will be attended by infosec experts and top cyber defenders in the country
The event boasts speakers that include the likes of former NSA chiefs and US Senators. Current commanding general of the US Army's Cyber Command, Paul Nakasone, former US National Security Agency director Keith Alexander, and Senator Martin Heinrich, who is currently on the Senate Intelligence Committee’s investigation into Russia's election meddling are only some of the high profile names that will be speaking at November's event.
"Due to the nature of the document, we assume that the targeted people are linked or interested by the cybersecurity landscape," the team wrote.
Sunday's report comes just days after Proofpoint's report had suggested that APT28 was actively leveraging a security exploit that was patched by Adobe last week in hopes to infect as many targets (in government departments and aerospace companies) as it could before its patch is mass deployed.
Previously, the Advanced Persistent Threat 28 (APT28) - also known as Tsar Team and Sofacy along with several other names - has been linked with the Russian military intelligence agency, GRU and has been alleged of breaching into the networks of the Democratic National Committee ahead of 2016 US Presidential election. The US government has also just released a directive that warned officials of persistent attempted attacks on "government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors" by another hacking group linked to Russia, known as Dragonfly and Energetic Bear.