The Apple Mac spyware used by the Russian group alleged to have carried out the DNC breach looks very similar to that created by Hacking Team, a professional government-grade malware manufacturer. (AP Photo/Tony Avelar)
Earlier this week, malware said to belong to the Russian group behind the hack of the Democratic National Committee, known as APT28 or Fancy Bear, leaked online. Though novel both for its targeting of Apple Macs and iPhone backups, the surveillance tool’s real intrigue lies underneath the hood. According to Patrick Wardle, an ex-NSA staffer and head of research at bug hunting firm Synack, a significant chunk of the APT28 Mac spyware looks much like that shipped by Italian spyware vendor Hacking Team, which sold to both Russian and U.S. government agencies.
Wardle compared the Hacking Team Mac malware, available on Wikileaks after a 2015 breach of the surveillance company, to the APT28 samples published earlier this week by security firms BitDefender and Palo Alto Networks. He claimed the APT28 code resembled Hacking Team’s malware in numerous ways. In particular, Wardle noticed that the two samples used the same technique for injecting code into processes on a target system, a technique that is quite rare in Mac malware, he told FORBES.
After exploring further, he now believes the Russian crew “may have copied and pasted” that entire code injection function, which could explain some of the “weirdness” Wardle saw. That weirdness included what looked like mistakes, or as Wardle called it “wrong logic”: code paths that appeared to serve some purpose but did nothing except return “NULL”.
“[I’m] 100 per cent sure this is the same code,” Wardle added.
Hacking Team sells to adversaries
Hacking Team, a so-called “lawful intercept” company whose emails and files were dumped on Wikileaks after a breach in 2015, sold to both America and Russia. It was a provider for the FBI from 2011, selling as much as $775,000 in surveillance tools, though the feds found limited use for them. The DEA and the DoD were also customers, spending $567,000 and $190,000 respectively. Emails indicated it demoed and sold kit to the FSB too, which spent as much as $450,000 through the research center Kvant. And in leaked emails an employee of Hacking Team’s chief Israeli surveillance partner NICE noted that the FSB was particularly interested in infecting Apple Macs.
Whilst intriguing, the fact that a slice of APT28’s Mac malware looks like Hacking Team’s does not mean it was purchased from the Milan-based firm. It could be that APT28 did what other cybercriminals did after Hacking Team’s files were spilled online: copy and reuse the malware from the Wikileaks dump. Furthermore, the FSB was not the Russian organization linked by the U.S. government to the DNC hack; the military intelligence arm, known as the GRU, was instead blamed by the FBI and DHS. Putin himself was said to have had direct involvement in Fancy Bear’s spy operations.
“Now whether the Russians bought it from Hacking Team directly, or simply copied and pasted from the leaks, who knows,” Wardle added. “But I’m leaning towards the copy and paste with removing some of logic that they didn’t need, but leaving in some other code that then didn’t really make sense.
“Of course Hacking Team could have done that themselves and then sold it to the Russians. But if so, the removal of the unneeded code … was done in a really shitty way.” Wardle plans to publish his full technical analysis on his own blog on Thursday. He is unsure whether the code injection technique created by Hacking Team still works on the most recent version of macOS.
Hacking Team had not responded to a request for comment at the time of publication.
Even Hacking Team, in condemning the 2015 breach, warned that terrorists would use its leaked tools. It may not have anticipated that the hacker group linked to one of the most consequential breaches in recent memory would borrow its code for its own machinations.
Got a tip? Email TFox-Brewster@forbes.com, or reach me on Signal on +447837496820 for encrypted chat.