It has been revealed that in early October the Russian hacking group Fancy Bear launched a new operation targeting potential attendees of an upcoming US cybersecurity conference. Also known as APT28, the hackers weaponised a real Word document titled “Conference_on_Cyber_Conflict.doc” with reconnaissance malware known as “Seduploader” to target delegates of the Washington DC-based Cyber Conflict US conference, or CyCon. Josh Mayfield, Director at FireMon, commented below.
Josh Mayfield, Director at FireMon:
“Reconnaissance malware is increasing. This gives cybercriminals the opportunity to monitor and observe what is happening within the infected target, rather than being a blunt instrument to harvest and steal what could be worthless data. Having a thorough understanding of the target’s behavior and tendencies gives an attacker valuable information for later exploit.
It is important to appreciate this tactical shift – it indicates more formalisation of cyber warfare. Algorithmic processes weigh the options of EXPLORE and EXPLOIT. Computational models have this pair running simultaneously to maximize effects and outcomes. We humans have this function in our neural system as well. Every time you’re deciding what to have for dinner, you are computing – exploring options, exploiting the knowledge to maximize the outcome.
Fancy Bear, with their Seduploader malware, is doing the same thing. Seduploader will gather information, be self-referential, and run through what it has explored for later use and exploitation. Historically, the attacker community would take advantage of widely applicable weaknesses and immediately go to exploitation. But Seduploader and other reconnaissance malware take note of the information they receive from a specified target and tailor their exploits to that specific environment.
Why bother with CyCon delegates?
By exploring the strategies and tactics of these delegates, attackers gain invaluable information about what’s next for cybersecurity. It is like having the other team’s playbook well before the match. Secondly, having a successful attack against those dedicated to improving cybersecurity gives attackers a real-world trophy for getting through some of the most conscious efforts to curtail their efforts. When you play against the best, you become better – win or lose.”