Russian Hackers Using Flash, Windows Flaws To Attack Gov’t Networks

Updated on

On Saturday, April 18th FireEye Labs reported that Russian hackers have started an APT campaign exploiting zero-day vulnerabilities in Adobe Flash and Microsoft Windows. FireEye researchers detected a pattern of attacks beginning on April 13th, 2015. FireEye correlated technical indicators and command and control infrastructure to determine that Russian hacker group APT28 is likely behind the attacks that seemed to be focused on various foreign governments.

Neither Adobe nor Microsoft have returned calls from the media requesting comment on the story.

More on Russian hackers attacking government networks

Back in October of last year, FireEye noted APT28 was apparently after information about governments and military and security organizations that would “likely benefit the Russian government.”

According to FireEye, the attack occurs when an unsuspecting user clicks on a link to an attacker-controlled website. The exploit works by taking advantage of a local privilege escalation vulnerability in the Windows kernel if it determines that it has limited privileges. The hack then uses the vulnerability to run code from userspace in the context of the kernel, which changes the attacker’s process token to have the same privileges as the System process. This means the attacker can get full system administrator privileges to access data or make other changes in the network.

Of note, Adobe has already issued a fix to the vulnerability the hackers exploited, and Microsoft is currently working on a solution. However, Reuters says the Microsoft problem is reportedly less dangerous because it involves “enhanced powers” on a computer that most users don’t have.

More on Russian hacking group APT28

According to various sources, APT28 is a group of high level Russian hackers that were first identified in 2007, and are believed to be government sponsored. Several sources note that APT28 was connected to a cybersecurity breach in the U.S. State Department a while back, and were supposedly trying to uncover information about President Obama’s upcoming travel schedule.

Leave a Comment