NCSC Issues Warning on Known APT28 Tools

The NCSC has released a report on four tools used by the Russian-associated APT28 group. Some or all of these tools can be used to steal sensitive information, take control of target systems, or disguise APT28 communications.


Threat details

Introduction

The National Cyber Security Centre (NCSC) has released a technical advisory on four tools used by the advanced persistent threat group APT28.


Tools

The report indicates that all four tools have been used to penetrate target networks, obtain user and administration credentials, exfiltrate data and alter system files. APT28 uses extensive network and target reconnaissance before deploying sophisticated spear-phishing campaigns to gain access to a target network. Once access is gained, the group uses a combination of the following tools:

X-Agent

A modular remote access trojan (RAT) capable of infecting Windows, iOS and Unix devices. Used for information collection purposes including keylogging and file extraction.

CompuTrace

Also known as LoJack or LoJax. A legitimate tool that has been modified by APT28 into a UEFI-capable bootkit. Used to maintain persistence and act as a backdoor for further malware installation.

XTUNNEL

A proxy tool used for network traversal. Provides a secure connection to a command and control server for other APT28 tools to use.

Zebrocy

A file extraction trojan used by APT28 since 2015. Has extensive automation to collect targeted files without attacker interaction.


Impact

A successful network intrusion can have severe impacts, particularly if sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information.
  • Disruption to regular operations.
  • Financial losses incurred to restore systems and files.
  • Potential harm to an organisation’s reputation.

Threat updates

15 Dec 2020: New Zebrocy variant detected

Zebrocy has received updates allowing it to act as a loader for other APT28-created tools.

This new variant is also delivered as a virtual hard disk (VHD or VHDx) file designed to bypass security and detection services.
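The update above notes that the variant is delivered inside a VHD or VHDx container. Scanners that trust the file extension, or that treat a disk image as an opaque blob, do not see the payload inside it. The following Python is an added example, not code from the NCSC report or from NHS Digital's page: it identifies VHD and VHDX containers by their on-disk signatures rather than by name, using the documented VHD footer cookie `conectix` (the last 512 bytes, with a copy at offset 0 for dynamic and differencing images) and the VHDX file type identifier `vhdxfile` at offset 0. The sample files are constructed inline, and the `Finding` structure and function names are this example's own.

```python
"""Identify VHD/VHDX disk-image containers by magic bytes, not by extension (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VHD_COOKIE = b"conectix"       # VHD footer cookie; dynamic images also carry it at offset 0
VHDX_SIGNATURE = b"vhdxfile"   # VHDX file type identifier, first 8 bytes of the file
VHD_FOOTER_SIZE = 512
VHD_DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
DISK_IMAGE_EXTENSIONS = {"vhd", "vhdx", "avhd", "avhdx"}


@dataclass
class Finding:
    name: str
    container: str            # "vhd" or "vhdx"
    detail: str
    extension_mismatch: bool  # container presented under an unrelated extension


def identify_disk_image(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (container, detail) if `data` looks like a VHD or VHDX image, else None."""
    if data[:8] == VHDX_SIGNATURE:
        # VHDX: signature followed by a 512-byte UTF-16LE creator string.
        creator = data[8:520].decode("utf-16-le", errors="replace").rstrip("\x00")
        return "vhdx", f"creator={creator!r}"
    if len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:][:8] == VHD_COOKIE:
        footer = data[-VHD_FOOTER_SIZE:]
        # VHD footer fields are big-endian: current size at offset 48, disk type at 60.
        (current_size,) = struct.unpack(">Q", footer[48:56])
        (disk_type,) = struct.unpack(">I", footer[60:64])
        kind = VHD_DISK_TYPES.get(disk_type, f"unknown({disk_type})")
        return "vhd", f"type={kind} size={current_size}"
    if data[:8] == VHD_COOKIE:
        # Dynamic/differencing images start with a copy of the footer; a truncated
        # upload may keep only that copy, so report it as well.
        return "vhd", "footer copy at offset 0 (truncated or dynamic image)"
    return None


def scan_files(files: Dict[str, bytes]) -> List[Finding]:
    """Report every file that is a VHD/VHDX container, noting extension mismatches."""
    findings: List[Finding] = []
    for name, data in files.items():
        hit = identify_disk_image(data)
        if hit is None:
            continue
        container, detail = hit
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append(Finding(name, container, detail, ext not in DISK_IMAGE_EXTENSIONS))
    return findings


def _fake_vhd_footer(disk_type: int, size: int) -> bytes:
    """Constructed VHD footer carrying only the fields the detector reads."""
    footer = bytearray(VHD_FOOTER_SIZE)
    footer[0:8] = VHD_COOKIE
    struct.pack_into(">Q", footer, 48, size)
    struct.pack_into(">I", footer, 60, disk_type)
    return bytes(footer)


# Constructed sample "attachments": two honest names, two containers hiding behind
# unrelated extensions, and one plain text file.
SAMPLES: Dict[str, bytes] = {
    "invoice.vhd": b"\x00" * 4096 + _fake_vhd_footer(2, 4096),
    "report.pdf": b"\x00" * 1024 + _fake_vhd_footer(2, 1024),
    "archive.zip": VHDX_SIGNATURE
    + "constructed".encode("utf-16-le").ljust(512, b"\x00")
    + b"\x00" * 100,
    "dynamic.vhd": _fake_vhd_footer(3, 8192) + b"cxsparse" + b"\x00" * 100,
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLES):
        flag = "EXTENSION MISMATCH" if finding.extension_mismatch else "ok"
        print(f"{finding.name:12} {finding.container:5} {finding.detail:45} {flag}")
```

In a mail or web gateway this check belongs before any extension-based allow list: a container flagged with an extension mismatch is a candidate for quarantine or sandbox detonation, and any container that the scanner cannot open for inspection should be treated as unscanned rather than clean.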


Remediation advice

The NCSC recommends that organisations follow the security mitigations outlined in the following guidance articles:

Organisations should also consider disabling or restricting PowerShell scripts and Microsoft Office macros, as APT28 exploits both of these in its spear-phishing campaigns.

Additionally, to prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Last edited: 11 January 2022 3:59 pm