APT28’s Operation Roman Holiday Attack Targets Italy’s Navy

What Is It?

The Russian Advanced Persistent Threat (APT) group, known variously as APT28, Sofacy and Fancy Bear and active since 2007 or earlier, has been linked to various cyber espionage activities against government and public sector organizations, including the breach of the Democratic National Committee (DNC) during the 2016 U.S. presidential election cycle.

Most recently, researchers from Italy-based CSE Cybsec believe they have discovered an APT28 campaign targeting the Italian Navy. Given APT28’s targets in the second half of 2017 were mainly Asian and South East Asian countries, this new campaign has been dubbed Operation Roman Holiday.

The attack consisted of an initial piece of dropper malware, written in the Delphi programming language. Then, the dropper downloads the second stage malware from the internet and executes it. This second stage is a new variant of the X-Agent backdoor malware, which has previously been associated with APT28 and communicates to its command and control (C2) site using the secure HTTPS protocol. X-Agent malware has been observed to be available for most operating systems and can incorporate custom modules for each individual campaign.

However, it was an additional Windows DLL file that the researchers found most interesting, due to its hardcoded C2 site, marina-info.net, which they believe to be specifically chosen for its resemblance to Marina Militare, the name of the Italian Navy. Researchers have yet to determine the specific requirements for this DLL file to activate, but believe it may be the IP range the infected system is part of.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The samples were discovered after being uploaded to sites such as VirusTotal, however, it is highly likely the attack vector would utilize social engineering techniques such as spear phishing emails with attached malicious documents.

When/How Did BluVector Detect It?

Six samples are listed in the report and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown the samples would have been detected an average of 42 months prior to their release.

All Threat Reports