A group of hackers believed to be associated with Russia’s Main Intelligence Directorate (GRU), better known as APT28 or Fancy Bear, was responsible for last week’s international ransomware attack dubbed “BadRabbit,” according to Ukraine’s top intelligence agency, the Security Service of Ukraine (SBU).

In a letter sent to CyberScoop Wednesday, SBU officials laid blame on APT28 for launching the massive, coordinated attack that disrupted business operations within hundreds of organizations based in both Ukraine and Russia. Victims included multiple Russian news outlets, government organizations and Ukrainian transportation services.
An official with Ukraine’s state cyber police department announced Thursday, as part of an interview with Reuters, that the hackers behind BadRabbit intended for the ransomware to effectively act as a smokescreen while they simultaneously sent highly targeted phishing emails to several organizations. The phishing emails were designed to gain access to “financial and confidential information.” The state cyber police declined to name the group responsible during their interview with Reuters.

It’s not clear if APT28 also conducted the phishing component of this expansive, well-disguised espionage operation.
Cybersecurity firms FireEye, Cisco Talos and Kaspersky Lab all concluded that BadRabbit was spread through a collage of compromised websites which dispensed the malware to unsuspecting web visitors.
“Given the scale of the infrastructure created for the attack (more than 50 pre-compromised sites, a number of leased servers and domain names), high qualifications of the developers of malicious software and unbiased performers, as well as the lack of mercenary motives for the purpose of attack, the SBU has reason to suspect that the group APT28 is behind these events,” the letter written by the SBU and translated by CyberScoop reads.
Three separate analysts translated the document, sent to CyberScoop as a JPEG, in order to verify the provided information.
The SBU did not provide further evidence to support this claim. A subsequent email requesting additional information had yet to be answered prior to this article’s publication.
Slovakian cybersecurity firm ESET previously connected “BadRabbit” to a hacker group known within the security research community as “Telebots” or “Sandworm group.”
Two former U.S. intelligence officials, who spoke on condition of anonymity to broadly discuss the government’s understanding of the so-called Sandworm group, said that this entity can be understood as a subunit within APT28.
APT28 is best known for breaching the Democratic National Committee during the run up to the 2016 U.S. presidential election.
Cyberpolice Ukraine, the country’s police department dedicated to cybercrime, did not respond to a request for comment.
Accurately attributing a specific data breach to an individual group, country or hacker remains notoriously difficult. Experts say the organizations best equipped to do so include intelligence agencies, however, because they are capable of collecting information from both human and machine-based sources.
The original letter sent to CyberScoop by the SBU can be seen below: