Blog March 6, 2024

New Malware Attributed to Russian Hacking Group APT28

Late last year, the Computer Emergency Response Team of Ukraine (CERT-UA) released an advisory reporting cyberattacks on Ukrainian state organizations, attributed to the Kremlin-backed nation-state group APT28, aka Fancy Bear/Sofacy. The advisory described a new backdoor named “OCEANMAP,” which is detailed in this whitepaper.

What is OCEANMAP?

OCEANMAP is a backdoor designed to execute remote commands. The campaign targeted Ukrainian government entities and Polish organizations with email messages urging recipients to click a link to view a document. The links redirected users to malicious web resources, from which APT28 harvested web browser data and exported it to a server in Base64-encoded form.

APT28’s capabilities

According to The Hacker News, APT28 has also recently been linked to the exploitation of a now-patched critical vulnerability in the Microsoft Outlook client (CVE-2023-23397, CVSS score: 9.8). The flaw is zero-click: a crafted message makes Outlook connect to an attacker-controlled share and leak the victim’s Net-NTLMv2 credential, which can then be relayed to gain unauthorized access to the victim’s account on Exchange servers.

Last spring, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint advisory to provide details of APT28’s tactics, techniques, and procedures (TTPs). The advisory referred to the group as a “highly skilled threat actor,” and warned governments and organizations worldwide to be on the lookout for distributed denial-of-service (DDoS) attacks, as well as attacks on critical infrastructure. 

The warning advised critical infrastructure organizations to take the following actions to immediately protect against Russian state-sponsored and criminal cyber threats:

  • Patch all systems. Prioritize patching known exploited vulnerabilities.
  • Enforce multi-factor authentication.
  • Secure and monitor Remote Desktop Protocol and other risky services.
  • Provide end-user awareness and training.
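The third item above, monitoring Remote Desktop Protocol, is the one that translates most directly into detection logic. The following is an added example (not code from the SecurityScorecard post, CERT-UA or CISA): it scans Windows Security log events for RDP brute-force patterns. The event records are constructed for illustration; the field names (`event_id`, `logon_type`, `src_ip`, `user`, `time`) and the five-failures-in-ten-minutes threshold are assumptions about how a log shipper might export Event IDs 4624/4625, and should be adapted to your own pipeline.

```python
"""Flag RDP brute-force patterns in exported Windows Security log events.

Added example, not from the original post. The records below are constructed.
Windows semantics used: Event ID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP / Terminal Services).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Assumed tuning: 5 failed RDP logons from one source within 10 minutes.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample events (UTC, ISO 8601), deliberately out of order.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2024-03-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2024-03-01T02:00:17", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    # Network (type 3) failure from the same host: not RDP, must be ignored here.
    {"time": "2024-03-01T02:00:20", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2024-03-01T02:00:30", "event_id": 4625, "logon_type": 10, "user": "guest", "src_ip": "203.0.113.7"},
    {"time": "2024-03-01T02:00:41", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"time": "2024-03-01T02:00:55", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"time": "2024-03-01T02:01:10", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    # Two failures from another host: below threshold, no alert.
    {"time": "2024-03-01T02:03:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.22"},
    {"time": "2024-03-01T02:04:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.22"},
    # Clean interactive RDP logon from an internal host: no alert.
    {"time": "2024-03-01T02:05:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.5"},
]


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for RDP brute-force activity.

    Two alert types are produced per source IP:
      - 'rdp_bruteforce': at least `threshold` failed RDP logons inside `window`
        (emitted once per source IP, at the moment the threshold is crossed);
      - 'rdp_success_after_failures': a successful RDP logon from a source that
        still has `threshold` or more failures inside the window, i.e. the
        pattern of a password-guessing run that succeeded.
    """
    rdp_events = sorted(
        (e for e in events if e["logon_type"] == RDP_LOGON_TYPE),
        key=lambda e: e["time"],
    )
    recent_failures = defaultdict(list)  # src_ip -> failure timestamps in window
    already_flagged = set()
    alerts = []

    for e in rdp_events:
        t = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        # Slide the window: keep only failures no older than `window`.
        recent_failures[ip] = [f for f in recent_failures[ip] if t - f <= window]

        if e["event_id"] == FAILED_LOGON:
            recent_failures[ip].append(t)
            if len(recent_failures[ip]) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append({
                    "type": "rdp_bruteforce",
                    "src_ip": ip,
                    "failures": len(recent_failures[ip]),
                    "first_seen": recent_failures[ip][0].isoformat(),
                    "last_seen": e["time"],
                })
        elif e["event_id"] == SUCCESS_LOGON and len(recent_failures[ip]) >= threshold:
            alerts.append({
                "type": "rdp_success_after_failures",
                "src_ip": ip,
                "user": e["user"],
                "failures": len(recent_failures[ip]),
                "time": e["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this yields two alerts for 203.0.113.7: the brute-force alert when the fifth failure lands, and a success-after-failures alert for `svc_backup` about fifteen seconds later. The second alert is the one worth paging on; the first alone is noise on any internet-exposed RDP endpoint, which is why the advisory pairs "monitor" with "secure" (put RDP behind a VPN or gateway and enforce MFA on it).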

 

Examining Russian threat actors 

More than two years after Russia’s invasion of Ukraine, threat actors working on behalf of the Kremlin show no signs of stopping. A recent report shows that Russian hackers were inside the systems of Ukrainian telecommunications giant Kyivstar for at least six months in 2023. The attack knocked out the telecom’s services for several days in December, cutting off communications for 24 million users. Intelligence indicates the Kyivstar attack was carried out by Sandworm, a Russian military intelligence cyberwarfare unit.

These attacks originating from Russia underscore the growing number of attacks on critical infrastructure that have come from nation-states and their proxies in pursuit of geopolitical objectives. Russia’s attacks are not just limited to Ukraine; state-sponsored threat actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including healthcare, energy, telecommunications, and government services.

Strengthening the digital supply chain

SecurityScorecard’s report with the Cyentia Institute found that 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years, and our recent report on third-party cybersecurity breaches found that 75% targeted the software and technology supply chain.

Static, point-in-time security assessments of the supply chain therefore no longer suffice; organizations must continuously monitor cybersecurity risk across their vendor ecosystem. For organizations in the critical infrastructure sector to gain trust and improve resilience, they need a simple and straightforward way to measure risk and quantify the trustworthiness of any organization in the world. Security ratings are a recognized, trusted source of objective, data-driven metrics for cybersecurity performance, and they provide a common language with which to assess and mitigate risk.

With this common language and level of insight, organizations can identify cyber risks posed by all suppliers (including third- and fourth-party vendors) and make informed decisions to help their partners strengthen their own cyber defenses.

For more information about APT28 and OCEANMAP, read the full whitepaper here.

Threats move fast. We move faster.