The Russian hacking group APT28 has been on the radar of security researchers for some time; its activity dates back to at least 2007. Most of its attacks have focused on NATO member states and Eastern European countries, which is worth keeping in mind as its latest alleged operation is reported. According to research from the Italian firm CSE Cybsec, specifically its Malware ZLab, APT28 has launched a cyberattack against the Italian Navy.
The attack, dubbed "Roman Holiday," uses an upgraded version of the group's signature XAgent backdoor. After analyzing the samples, CSE researchers were able to establish the following about the infection chain:
The attack analyzed [by] CSE Cybsec is multistage. The experts discovered an initial dropper malware written in the Delphi programming language (a language used by the APT28 group in other campaigns) [that] downloads a second stage payload from the Internet and executes it. The payload communicates with the server using the HTTPS protocol, making it impossible to eavesdrop on the malicious traffic it generates.
The Italian Navy was identified as the target through analysis of a malicious DLL that adds another layer to the attack. The DLL communicates with a command-and-control server at "marina-info.net," a name that led researchers to the Italian Marina Militare. The DLL is thought to be used in what CSE described as a late-stage part of the attack, which is "triggered only when particular conditions occur, for example when the malware infects a system with an IP address belonging to specific ranges."
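The conditional trigger CSE describes, a stage that arms itself only on hosts whose IP address falls in specific ranges, is a targeting gate, and it is also what makes such a sample look inert in a sandbox. The following is an added illustration written for this page; it is not code from the malware or from CSE Cybsec's analysis. The prefixes are constructed stand-ins from RFC 5737 documentation space, because the real target ranges are not published here, and the function names are chosen for illustration.

```python
"""Illustration of an IP-range gate of the kind described for the late-stage DLL.

Added example, not code recovered from the malware or from CSE Cybsec.
TARGET_PREFIXES are RFC 5737 documentation prefixes used as placeholders;
they are not the Italian Navy's address ranges.
"""
import ipaddress
from typing import Iterable, Sequence

# Constructed placeholder "target" prefixes (RFC 5737 documentation space).
TARGET_PREFIXES: Sequence[ipaddress.IPv4Network] = (
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
)


def in_target_ranges(addr: str,
                     prefixes: Sequence[ipaddress.IPv4Network] = TARGET_PREFIXES) -> bool:
    """Return True if addr lies inside any configured prefix.

    A malformed address is treated as a non-match rather than raising, so a
    garbage interface entry cannot accidentally arm the stage.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in prefixes)


def should_arm_late_stage(local_addrs: Iterable[str]) -> bool:
    """Gate: arm only when at least one local address sits in a target range.

    A sandbox on a typical RFC 1918 address (10/8, 172.16/12, 192.168/16)
    never satisfies this, which is why the late stage is not seen there.
    """
    return any(in_target_ranges(a) for a in local_addrs)


def which_prefix(addr: str,
                 prefixes: Sequence[ipaddress.IPv4Network] = TARGET_PREFIXES) -> str:
    """Analyst helper: report which prefix an address matched, or '' if none."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ""
    for net in prefixes:
        if ip in net:
            return str(net)
    return ""


if __name__ == "__main__":
    # Constructed interface lists for a sandbox and for an in-range host.
    sandbox_host = ["127.0.0.1", "10.0.0.5"]
    in_range_host = ["127.0.0.1", "198.51.100.3"]
    print("sandbox arms late stage:", should_arm_late_stage(sandbox_host))
    print("in-range host arms late stage:", should_arm_late_stage(in_range_host))
    print("matched prefix:", which_prefix("198.51.100.3"))
```

The practical consequence for analysts is that a sample gated this way will appear to do nothing in a sandbox whose interface sits on a private address; reproducing the late stage requires giving the analysis VM an address inside the suspected target range, or patching out the check, before the network-triggered behaviour can be observed.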
It is not known at this time how much data, if any, the Roman Holiday attack successfully accessed. Researchers have not ruled out the possibility that APT28 penetrated deep into the Marina Militare's network, or the networks of affiliated contractors. There also remains the possibility, however slim, that the attack was not APT28's work at all: it is not uncommon for malware to be traded or reused via the Dark Web, and shared tooling can mislead attribution. Regardless, this is a serious case of cyberespionage and should be treated as such.
Photo credit: Flickr / Andrew Malone