On June 5 Montenegro officially joined the NATO alliance despite strong opposition from the Russian Government, which had threatened to retaliate.
Cybersecurity experts believe that a new wave of attacks from cyberspace will hit the country. In February, for the second time in a few months, Montenegro suffered massive and prolonged cyberattacks against government and media websites.
Researchers at security firm FireEye who analyzed the attacks observed malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).
In the latest string of attacks, the hackers targeted Montenegro with spear-phishing messages carrying weaponized documents whose lures referred to a NATO secretary meeting and a visit by a European army unit to Montenegro.
The hackers delivered the GAMEFISH backdoor (aka Sednit, Seduploader, JHUHUGIT and Sofacy), malware that in past attacks has been used exclusively by the APT28 group.
According to FireEye, the documents delivered the backdoor via a Flash exploit framework dubbed DealersChoice.
“NATO expansion is often viewed as a security threat by the Russian Federation, and Montenegro’s bid for membership was strongly contested by Russia and the pro-Russia political parties in Montenegro,” Tony Cole, vice president and chief technology officer for global government at FireEye, told journalists, as reported by El Reg.
“It’s likely that this activity is a part of APT28’s continued focus on targeting various NATO member states, as well as the organization itself. Russia has strongly opposed Montenegro’s NATO accession process and is likely to continue using cyber capabilities to undermine Montenegro’s smooth integration into the alliance.”
The bait documents first profile the target system to determine which version of Flash Player is installed, then contact the C&C server to receive a Flash exploit matching that version. The exploits observed in the attacks trigger CVE-2015-7645 and CVE-2016-7855 and are used to deliver GAMEFISH.
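The staging flow described above (a lure document carrying Flash content that profiles the victim's Flash Player and then fetches a matching exploit from the C&C) means the first question a triage analyst asks about such a document is whether it embeds a SWF object at all. The Python helper below is an added example, not code from this article or from FireEye's analysis: it scans a document blob for the three SWF signatures (`FWS` uncompressed, `CWS` zlib-compressed, `ZWS` LZMA-compressed), parses the version byte and declared file length from the 8-byte header, and for `CWS` objects checks that the decompressed body is consistent with the declared length. The document it builds is constructed for the example and is not a real DealersChoice sample; the function names are the example's own.

```python
"""Triage helper: locate embedded Flash (SWF) objects inside a document blob.

Added example, not code from the Security Affairs article or FireEye.
A SWF starts with a 3-byte signature (FWS, CWS or ZWS), a 1-byte version,
then a 4-byte little-endian length of the whole *uncompressed* file,
header included. Everything after the header is the (possibly compressed)
tag stream.
"""
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
SWF_HEADER_LEN = 8
MAX_PLAUSIBLE_VERSION = 50   # real SWF versions are small integers


def find_embedded_swf(blob: bytes) -> list:
    """Return one record per plausible SWF header found in blob, by offset.

    body_ok is True/False when the body could be checked against the declared
    length (FWS, CWS), None for ZWS (LZMA) which this helper does not unpack.
    """
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            idx = blob.find(sig, start)
            if idx == -1:
                break
            start = idx + 1
            header = blob[idx:idx + SWF_HEADER_LEN]
            if len(header) < SWF_HEADER_LEN:
                continue
            version = header[3]
            declared_length = struct.unpack("<I", header[4:8])[0]
            # Cheap sanity filter: reject random byte runs that merely contain "CWS".
            if version == 0 or version > MAX_PLAUSIBLE_VERSION or declared_length < SWF_HEADER_LEN:
                continue
            record = {
                "offset": idx,
                "signature": sig.decode("ascii"),
                "version": version,
                "declared_length": declared_length,
                "body_ok": None,
            }
            if sig == b"FWS":
                # Uncompressed: the declared length must fit in what follows.
                record["body_ok"] = (len(blob) - idx) >= declared_length
            elif sig == b"CWS":
                # zlib stream begins right after the header; decompressobj tolerates
                # trailing document bytes and reports whether the stream completed.
                d = zlib.decompressobj()
                try:
                    body = d.decompress(blob[idx + SWF_HEADER_LEN:])
                    record["body_ok"] = d.eof and (len(body) + SWF_HEADER_LEN == declared_length)
                except zlib.error:
                    record["body_ok"] = False
            hits.append(record)
    return sorted(hits, key=lambda h: h["offset"])


SAMPLE_PREFIX = b"{\\rtf1 constructed decoy document }"
SAMPLE_BODY = b"constructed-swf-tag-stream-for-example"   # stands in for a real tag stream


def build_sample_document() -> bytes:
    """Constructed decoy (not a real sample): RTF-looking text with a CWS SWF inside."""
    header = b"CWS" + bytes([20]) + struct.pack("<I", SWF_HEADER_LEN + len(SAMPLE_BODY))
    return SAMPLE_PREFIX + header + zlib.compress(SAMPLE_BODY) + b"\x00" * 16


if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample_document()):
        print(hit)
```

A hit with `body_ok` False usually means either a false positive on the signature bytes or a truncated or deliberately malformed object; either way the document deserves a closer look, and a genuine embedded SWF in an Office or RTF lure is itself a strong reason to detonate it in a sandbox.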
At the time of writing there is no news about the specific targets of the campaign, nor about whether the attacks were successful.
Clearly, APT28 and other Russia-linked APT groups will continue to target the country, as they do other NATO member states.
(Security Affairs – Montenegro, APT28)