The federal bureau of investigation issued an alert related the APT6 state-sponsored hacking group that has compromised the US Government networks for years.
The FBI revealed that “a group of malicious cyber actors have compromised and stolen sensitive information from various government and commercial networks” since at least 2011.
The alert was published online by AlenVault on the Open Threat Exchange platform.
“The FBI has obtained and validated information regarding a group of malicious cyber actors who have compromised and stolen sensitive information from various government and commercial networks. This group utilized the domains listed herein in furtherance of computer network exploitation (CNE) activities in the United States and abroad since at least 2011. Research and analysis indicate that these domains were associated with the command and control (C2) of customized malicious software. Furthermore, these domains have also been used to host malicious files – often through embedded links in spear phish emails. Any activity related to these domains detected on a network should be considered an indication of a compromise requiring mitigation and contact with law enforcement.” states the FBI CYWATCH A-000067-DM.
The nature of the attacks, the usage of custom-made hacking tools, and the targets of the threat actors suggests it is a group of state-sponsored hackers.
The alert includes a list of 59 Indicators of Compromise, it is a collection of websites used by hackers as command and control servers to carry spear phishing campaigns on target organizations. The domains used by the hackers were dismissed in late December 2015. The IoCs provided by the Feds could allow private actors to monitor their networks searching for the presence of the threat.
The group, identified as APT6 compromised the US government infrastructure for years exfiltrating sensitive data.
It wasn’t the first time that US Government networks are breached by foreign hackers, last year a group of nation-state attackers, likely Chinese hackers, breached the systems of the Office of Personnel Management.
The problem is there is no certainty that the US Government completely blocked these hackers, in fact some experts speculate they might still be within Government networks.
Lorenzo Bicchierai from Motherboard reached Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, for a comment on the APT6.
“This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” said Baumgartner.
Baumgartner hasn’t provided information regarding the origin of the threat, anyway experts believe that China and Russia have the necessary cyber capabilities to infiltrate the government networks.
Be Careful, APT6 is in the wild so report any suspicious activity linked to the IoCs included in the alert.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.