As government agencies and private companies rush to assess the damage from a worldwide cyber-attack with a sweeping list of victims, a prime suspect is no stranger to security experts.
APT 29, otherwise known as Cozy Bear or the Dukes, is a notorious group of hackers tied to the Russian government. It dates back to 2008 and has long targeted corporations and governments. More recently, it was one of two Russian hacking groups that breached the Democratic National Committee prior to the 2016 presidential race and, in July, was accused by the US and UK of targeting organizations involved in researching a vaccine for Covid-19.
APT 29 is “a cyber-espionage group, almost certainly part of the Russian intelligence services,” according to an attribution from authorities in the US, UK and Canada. The cybersecurity firm CrowdStrike Inc began tracking the group in 2014, and said it is known for casting “a wide net” of victims and for “changing tool sets frequently.”
A Kremlin spokesman, Dmitry Peskov, rejected allegations of Russian involvement. “If there were attacks over a period of months and the Americans couldn’t do anything about it, there’s no need to immediately blame the Russians for everything without basis,” he said.
The latest allegation is that suspected Russian hackers inserted malicious code into software updates from Texas-based SolarWinds Inc, whose clients include top government agencies in the US and abroad, in addition to major corporations. The departments of Homeland Security, Treasury and Commerce were breached, according to Reuters. In addition, the global hacking campaign included the Dec. 8 hack of the cybersecurity firm FireEye Inc.
SolarWinds said in a statement Monday that as many as 18,000 customers may have received the malicious update. FireEye told clients on Sunday that it was aware of at least 25 entities hit by the attack, according to people briefed by the company.
Michael Daniel, who leads the Cyber Threat Alliance organization and formerly served as the cybersecurity coordinator in the Obama administration, said that Russia previously leveraged malicious software updates in the infamous 2017 NotPetya attack, which resulted in hundreds of millions of dollars in damages.
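Both the SolarWinds and NotPetya cases turned on customers installing an update the vendor's channel delivered to them. The following is an added example, not code from the article or from any vendor named in it, showing the minimal integrity check a customer can run before installing an update: every file in the bundle is hashed and compared against a manifest the vendor published separately. The file names, contents and manifest are constructed for the example; a real manifest would additionally carry a vendor signature, assumed here to have been verified already.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a file's bytes, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the genuine update bundle as the vendor built it.
CLEAN_FILES = {
    "bin/agent.dll": b"legit agent code v1.2",
    "bin/config.xml": b"<config/>",
}

# Constructed sample: the manifest the vendor publishes out of band,
# pinning the expected digest of every file in the bundle.
MANIFEST = {path: sha256_hex(content) for path, content in CLEAN_FILES.items()}


def verify_bundle(bundle: dict, manifest: dict) -> list:
    """Compare a received bundle against a pinned manifest.

    Returns a sorted list of findings; an empty list means every manifest
    entry is present with the expected digest and nothing extra was shipped.
    """
    findings = []
    for path, expected in manifest.items():
        if path not in bundle:
            findings.append(f"missing: {path}")
            continue
        if sha256_hex(bundle[path]) != expected:
            findings.append(f"modified: {path}")
    # Files the manifest never listed are just as suspicious as modified ones:
    # a backdoored update may drop an extra component rather than patch one.
    for path in bundle:
        if path not in manifest:
            findings.append(f"unexpected: {path}")
    return sorted(findings)


# Constructed sample: the same bundle after tampering in the delivery channel,
# with one file altered and one file added.
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["bin/agent.dll"] = CLEAN_FILES["bin/agent.dll"] + b"\n# beacon"
TAMPERED_FILES["bin/helper.dll"] = b"dropped implant"


if __name__ == "__main__":
    print("clean bundle:   ", verify_bundle(CLEAN_FILES, MANIFEST))
    print("tampered bundle:", verify_bundle(TAMPERED_FILES, MANIFEST))
```

The check catches an update altered in transit or on a mirror, but not one altered before the manifest was produced: if the attacker controls the vendor's build pipeline, the manifest (and any vendor signature on it) will describe the backdoored files as genuine, which is why build-stage compromises of the kind alleged here defeat customer-side verification and have to be caught by the vendor's own build integrity controls.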
Unlike that attack, however, the recent intrusion is widely believed to be aligned with espionage rather than disruption. “If it is cyber espionage, it is one of the most effective cyber espionage operations we’ve seen in quite some time,” said John Hultquist, a senior director at FireEye, the cybersecurity firm that found the breach.
Attributing cyber-attacks to specific hacking groups tied to foreign governments is an arduous task, in part because the attackers often cover their tracks or disguise themselves as their rivals.
So while the FBI is investigating whether APT 29 carried out the FireEye attack, it hasn’t ruled out other culprits like China, according to a person familiar with the investigation. A UK government official, speaking on the condition of anonymity, also said APT 29 is a potential suspect.
Asked about the hack in a radio interview on Monday, Secretary of State Mike Pompeo said, “I can’t say much other than it’s been a consistent effort of the Russians to try and get into American servers, not only those of government agencies but of businesses.
“We see this even more strongly from the Chinese Communist Party, from the North Koreans as well,” he added.