Does the Kremlin Have a New Way of Hacking the West?

A highly capable Russian hacker group with links to Russian intelligence and that is known for going after high-profile targets.


A highly capable Russian hacker group with links to Russian intelligence and that is known for going after high-profile foreign and corporate targets is deploying a powerful new data theft tool against Western systems, according to a new report by a prominent American cybersecurity firm.

The technical report by California-based FireEye Inc. analyzes the advanced piece of malware, called HAMMERTOSS, and connects the tool to a cyber-espionage gang known as APT29. Cybersecurity experts say the group is unusually well-disciplined and sophisticated, and the new malware — uncovered during a FireEye investigation at an unnamed organization targeted by the hackers — is said by the firm to be reserved for covertly stealing information from high-value targets.

“This tool is not widely deployed, so we believe that it’s used when other tactics won’t work,” Jen Weedon, manager of threat intelligence at FireEye, told Foreign Policy. “But we’ve found it in areas of critical intelligence value.” FireEye declined to name the specific targets of the Russian hackers, but said that the innovative data-theft tactic has hit Western governments, think tanks, defense contractors, and media organizations.

Believed to be operating in its current form since 2014, APT29 has set itself apart from other Russian hacking groups by repeatedly demonstrating the capability to adapt and evade detection, a skill level that FireEye researchers believe links the outfit to the Russian government. “Very few groups show the same discipline and consistency,” noted the report.

The Russian Embassy in Washington did not respond to a request for comment. A senior administration official, while declining to comment on the FireEye report, said that President Barack Obama “has repeatedly made clear that cyberthreats pose one of the gravest national security dangers that the United States faces.”

“These threats emanate from states — such as China, Russia, and North Korea — as well as from non-state actors, and we constantly track and defend against them,” the official added.

Defending against cyberattacks is sometimes easier than figuring out who launched them in the first place — and why. Russia is known for having sophisticated criminal hackers, as well as ones at least nominally controlled by Moscow. Though it could find no direct link to the Kremlin, FireEye said the intelligence sought by APT29 was consistent with Russian government interests rather than those of a typical criminal enterprise. “For a long time, this group has been stealing information that can’t be monetized. They go after this data because of its intelligence value,” Weedon said.

In tracking APT29’s activities, FireEye researchers found many data points that indicate the hacking group is state-run, not criminal. For instance, the group’s activities align with the work hours in the UTC+3 time zone, which contains cities such as Moscow and St. Petersburg, and the hackers appeared to stop working on Russian holidays. “If these are criminals, they are criminals behaving like how a government would act,” said Weedon.

Last week, top FBI counterintelligence official William Evanina told reporters that his office plans to update a 2011 report that labelled Russia, along with China, as the top offenders in the theft of U.S. economic and technology information. Evanina said that both China and Russia continue to be cyber-espionage leaders, although Iran has stepped up its activities against U.S. targets.

While the HAMMERTOSS malware is an example of the new innovation and ability being deployed by Russian hackers for espionage purposes, it is not an isolated instance. In November 2014, the State Department shut down its email system for a full weekend after discovering that its servers had been steadily dogged by cyberattacks all year. Similarly, Russian hackers have managed to sneak into “sensitive but unclassified” White House networks, CNN reported on April 7. Moreover, the Russian security firm Kaspersky Lab said that the campaign that targeted the White House appears to have similar code, infrastructure, and political interests as past attacks that were linked to hackers believed to be working for the Russian government.

Moscow-linked attacks have also hit Russia’s former Soviet neighbors. In 2014, a hacker group believed to be sponsored by the Kremlin attacked governments in Georgia, as well as NATO and defense contractors throughout Western Europe. Similarly, cyberattacks on Estonia in 2007 were widely believed to be the work of Russian cybercriminals working either with or for the Russian state.

Photo credit: AFP/Getty Images

Reid Standish is an Alfa fellow and Foreign Policy’s special correspondent covering Russia and Eurasia. He was formerly an associate editor. Twitter: @reidstan