According to the security company Trend Micro, one of Russia's top state-sponsored hacking groups spent part of last year scanning the internet for vulnerable email servers. The company published a report yesterday on the activities of the hacking group APT28, also known as Fancy Bear, Sednit and Pawn Storm.
This group is believed to operate on behalf of the GRU, Russia's military intelligence service. It has been active since 2004 and is one of the two Russian groups that breached the DNC's email servers in 2016.
APT28 is one of the most prominent, and also one of the oldest, state-sponsored hacking groups. For this reason researchers have been able to record and analyse its activities in depth, and APT28 features in many security researchers' reports.
According to these reports, APT28's main weapon over the past decade has been spear-phishing. Through carefully crafted emails aimed at selected targets, sometimes carrying zero-day exploits, APT28 has infected numerous victims with malware over the last 15 years.
Scanning the internet for vulnerable email servers
According to Trend Micro's latest report, APT28 has slightly changed its operations and the methods it uses.
Spear-phishing attacks and malware remain, but over the last year the group has added internet-wide scanning for vulnerable email servers (webmail and Microsoft Exchange Autodiscover servers, on ports 445 and 1433, the ports normally used by SMB and Microsoft SQL Server).
Researchers do not know what APT28 does with the vulnerable email servers it finds. They assume the hackers take control of the vulnerable system and either steal data from it or use the server as a foothold for further attacks.
Taking over email accounts for phishing attacks
Besides scanning the internet, APT28 is involved in other activities, according to Trend Micro.
Through a network of VPN servers, APT28 connected to compromised email accounts hosted on legitimate corporate email servers.
Trend Micro believes that APT28 either sends phishing emails to corporate employees to steal their credentials, or brute-forces corporate email accounts to guess their passwords.
Once it has obtained credentials, it uses the network of VPN servers to connect to the accounts with the stolen passwords.
APT28 can then steal data or use the accounts to send phishing emails to other victims.
These emails appear to come from real people at legitimate companies, so they deceive new victims more easily. In the meantime, APT28 can continue stealing new data from the compromised accounts.
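As an added example (not code from the original article or from Trend Micro's report), the following Python script shows one way a defender could hunt for the account-takeover pattern described above in webmail or Exchange authentication logs: a burst of failed logins against an account, followed by a successful login for that account from a source address it has never used before, as a stolen or guessed password used through an attacker's VPN exit node would produce. The log line format, the sample log lines, the thresholds and the function names are all constructed assumptions for this example.

```python
"""Hunt for brute-force-then-success account takeovers in authentication logs.

Example code added to this page; it is not Trend Micro's detection logic.
The log format (one event per line, "<ISO timestamp> <OK|FAIL> user=<u> src=<ip>"),
the sample data and the thresholds are assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: bob is brute-forced from three addresses and the
# final guess succeeds from an address bob has never logged in from before.
# alice mistypes her password once from her usual workstation (benign).
SAMPLE_LOG = """\
2020-03-10T08:00:01 OK user=alice src=10.0.5.21
2020-03-10T08:01:00 OK user=bob src=10.0.5.22
2020-03-10T22:10:00 FAIL user=bob src=203.0.113.10
2020-03-10T22:10:02 FAIL user=bob src=203.0.113.10
2020-03-10T22:10:04 FAIL user=bob src=203.0.113.11
2020-03-10T22:10:06 FAIL user=bob src=203.0.113.11
2020-03-10T22:10:08 FAIL user=bob src=203.0.113.12
2020-03-10T22:10:10 FAIL user=bob src=203.0.113.12
2020-03-10T22:10:12 OK user=bob src=203.0.113.12
2020-03-10T22:30:00 FAIL user=alice src=10.0.5.21
2020-03-10T22:30:30 OK user=alice src=10.0.5.21
"""


@dataclass
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_line(line: str) -> Event:
    """Parse one assumed-format log line into an Event."""
    ts, result, user_kv, src_kv = line.split()
    return Event(
        ts=datetime.fromisoformat(ts),
        ok=(result == "OK"),
        user=user_kv.split("=", 1)[1],
        src=src_kv.split("=", 1)[1],
    )


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_suspicious_logins(
    events: list[Event],
    fail_threshold: int = 5,
    window: timedelta = timedelta(minutes=10),
) -> list[tuple[str, str, datetime]]:
    """Return (user, src, timestamp) for every successful login that

    1. follows at least `fail_threshold` failed logins against the same
       account within `window` (failures may come from several addresses,
       as with a distributed brute-force), and
    2. comes from a source address that has never previously logged in
       successfully to that account.

    Both conditions together separate a takeover from a user who simply
    mistypes a password from a known workstation.
    """
    events = sorted(events, key=lambda e: e.ts)
    known_sources: dict[str, set[str]] = defaultdict(set)
    recent_fails: dict[str, list[datetime]] = defaultdict(list)
    hits: list[tuple[str, str, datetime]] = []

    for e in events:
        if not e.ok:
            recent_fails[e.user].append(e.ts)
            continue
        # Keep only failures inside the look-back window for this account.
        fails = [t for t in recent_fails[e.user] if e.ts - t <= window]
        recent_fails[e.user] = fails
        if len(fails) >= fail_threshold and e.src not in known_sources[e.user]:
            hits.append((e.user, e.src, e.ts))
        # Every success, suspicious or not, becomes part of the account's history.
        known_sources[e.user].add(e.src)
    return hits


if __name__ == "__main__":
    for user, src, ts in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"possible account takeover: user={user} src={src} at {ts.isoformat()}")
```

On the constructed sample this flags only bob's login from 203.0.113.12; alice's single failure from her usual address stays below the threshold and comes from a known source. In a real deployment the "known source" set would be seeded from weeks of history rather than from the same log window, and the source address would be enriched with VPN or hosting-provider reputation, since the report describes the attackers connecting through a network of VPN servers.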
Trend Micro reports that most of the companies affected by these new attacks are in the United Arab Emirates and operate in the defence sector.
APT28's new tactics show that the group keeps changing its attack methods in order to become even more effective and dangerous.