Media: Russia-linked hackers use fake NATO email to hack Romania’s Foreign Ministry

12 May 2017

A Russia-linked hacking group allegedly tried to hack the Romanian Ministry of Foreign Affairs using a fake NATO email address.

The group, which is known as APT28 or Fancy Bear, pretended to be a NATO representative to send several phishing emails to diplomatic organizations in Europe, including the Romanian Ministry of Foreign Affairs, according to documents cited by Cyberscoop.com.

The email carries a booby-trapped attachment that uses two recently disclosed Microsoft Word vulnerabilities. According to Cyberscoop.com, the email showed that the hacking group imitated a NATO email address to make the message look authentic.

One of the emails sent to the Romanian Ministry apparently contained an attachment named “Trump’s_Attack_on_Syria_English.docx,” which served up a news article in Microsoft Word. If this attachment is opened on a vulnerable system, it will also covertly download a remote access Trojan by exploiting two coding flaws in Word that until recently were considered zero-day vulnerabilities.

NATO hasn’t made any comment on this specific attack but said that hackers target their system constantly. “We are aware that such attacks include the use of spoofed NATO email addresses,” a NATO official told CyberScoop.

Romania’s Foreign Ministry did not respond to CyberScoop’s request for comment.

The Romanian Intelligence Service (SRI) said in a statement released on Friday that it managed to counter a cyber attack attempt, which was most likely carried out by the entity associated with the cyber crime group APT28/Fancy Bear.

"A cyber attack was identified against a governmental institution in Romania, most likely carried out by actors previously associated with other incidents of this kind," reads the statement. "Due to effective cooperation between institutions, the materialization of the attack and the damage were prevented, the target and the attack methodology being identified."

However, according to SRI, this attack attempt is nothing new, as thousands of cyber attacks target institutions, entities and people in the virtual space every day, and Romania is no exception. Moreover, the technological level of these attacks is expected to increase significantly in the near future.

APT28 has been actively involved in political espionage operations across Europe for 10 years. Last year, the group, which is believed to be the work of Russian intelligence forces, gained publicity after hacking into the Democratic National Committee and the email inbox of top Democratic political strategist John Podesta, reports CyberScoop.

SRI also announced on Friday that it would organize the first live national cyber security exercise next week, between May 15 and May 17. The event, called CyDEx17, will take place in the cyber polygon of the Cyberint National Center, which was specially created and customized for this exercise.

The exercise is meant to test and assess how cyber incidents are managed and responded to, and to optimize cooperation between institutions, in order to identify and limit the impact of such incidents. More than 60 public and private institutions are to attend the event.


Irina Popescu, irina.popescu@romania-insider.com
