Russian-linked group behind DNC hack now conducting covert intel operations, firm says


A prominent Russian-linked hacking group that carried out a series of high-profile cyberattacks during the 2016 election has reverted to more covert intelligence gathering methods, a cybersecurity firm revealed Thursday.

Symantec's investigations team says that the espionage group known as APT28 or Fancy Bear has opted for more low-key operations the past two years after carrying out the cyberattack against the Democratic National Committee (DNC) and other high-profile attacks during the 2016 presidential election. 

From 2017 and into 2018, APT28 has carried out a range of intelligence gathering operations against military and government entities in both Europe and South America, Symantec found.
Researchers said the targeted organizations include military and government entities in Europe, the government of a South American country, an embassy belonging to an Eastern European country and an international organization.

The FBI and Department of Homeland Security (DHS) have linked APT28 to the Russian government. 

The more low-key operations come after APT28 was attributed with carrying out a series of high-profile cyberattacks during the 2016 presidential race, including sending spear-phishing emails to political targets like the DNC that allowed attackers to gain access to the national party's network and steal key data.

Special counsel Robert Mueller indicted 12 Russian intelligence officers earlier this year for their involvement in the 2016 DNC hack.

The special counsel's indictment did not directly name the hacking group but said the charged GRU officers used malware known as X-Agent. The command-and-control (C&C) infrastructure of this malware has been tied to APT28 by cyber firms like CrowdStrike. 

CrowdStrike has also previously reported that the profile of APT28 "closely mirrors the strategic interests of the Russian government, and may indicate affiliation with [the] GRU, Russia’s premier military intelligence service."

In 2016, the hacking group also released sensitive data on Olympic athletes stolen from the World Anti-Doping Agency (WADA).

That leak came after the organization recommended that Russian athletes be barred from the 2016 Olympic Games when an investigation uncovered evidence that Moscow was running a state-sponsored doping program.

Symantec says the hacking group is now operating in the shadows, and the firm's findings suggest, based on overlaps in the group's C&C infrastructure, that APT28 may also be connected to other espionage groups.

Symantec said the infrastructure looked similar to that of a group known as both Zebrocy and Earworm, which has also been involved in intelligence gathering operations in Europe, Central Asia and Eastern Asia. Both groups have used spear-phishing emails to compromise their targets.