Russian hackers have a new tool up their sleeve to gain access to sensitive computers without getting caught, cybersecurity experts say. And they’re using it to target US and European government entities, as well as a former territory of the Soviet Union.
Cybersecurity firm Palo Alto Networks described the hacking tool, which it calls “Cannon,” in a blog post Tuesday. Cannon is a piece of malicious software that hackers sneak onto target computers and use to take screenshots of the infected computer’s homepage. Then the software uses email to send the images back to the hackers and receive new instructions. It’s like a spy camera on your computer that can send images back home, apparently to Russia.
Palo Alto Networks believes the hackers behind Cannon are a group that intelligence officials have concluded is part of Russia’s military spy agency, GRU. Sometimes called blamed for hacking the Democratic National Committee in 2016., the hacking group was also
The hacking tool’s use of email to send information to accounts where the hackers can reach it is both clever and new, said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks. It’s part of a bigger picture in which sophisticated hackers stage elaborate, Ocean’s Eleven-like attacks on computer networks in which nothing is as it seems, all to avoid detection for as long as possible. And as quick as experts get at detecting those evasive techniques, hackers from groups like Fancy Bear change things up.
“It’s a group that is well resourced and has good people,” Miller-Osborn said. “As we evolve our protections against them, they are capable of evolving against those protections.”
It started with a phishing email
The news of Cannon comes less than a week after two other cybersecurity companies told Reuters that Russian hackers were impersonating employees of the US Department of State to send phishing emails to think tanks, businesses and government agencies. Palo Alto Networks did not say whom the hackers were impersonating in the hacking campaign they identified, nor did they provide more information on the specific countries targeted.
The new hacking tool is part of a larger campaign that went through several steps to gain access to targeted computers. Miller-Osborn’s team observed the hacking activity in late October and early November. As is often the case, it started with a phishing email.
Hackers sent emails with a Microsoft Word document inside to the targeted users. The document had nothing malicious in it whatsoever, making it hard for security software that scans email attachments to catch. But once a user clicked on it to open it, the Word document would download something called a remote template that included malicious code. Now the Word document was transformed into a delivery system for malware.
The ability to create remote templates is a Word feature. It lets an organization create a template that its employees can download to give their documents a uniform style. The download can take place automatically.
The experts said they then saw the Word document, now turned bad, install two malicious programs, including Cannon. Cannon could then log into a predetermined email address completely behind the scenes, without a user ever noticing, Miller-Osborn said. From there, it could send screenshots and information from the hacked machine, and potentially receive instructions to install even more malicious software.
Now that Palo Alto Networks has published what it knows about the hacking tools, security software can look for signs of the same attack. That’s why keeping security software up-to-date at home and at work is always a good idea. But beyond that, there’s not much a regular person can do to stop a hack like this.
Except for one thing, Miller-Osborn said. “The only thing they could have done would be to not open the email.”
CNET’s Holiday Gift Guide: The place to find the best tech gifts for 2018.
: The best discounts we’ve found so far.