There is a group of cybercriminals who are really making things difficult for NATO. The group is called Earworm and, over the last few years, it has been doing what it does best: cyberwar. This practice has meant that the group has been able to steal confidential, sensitive data from several of the most important institutions and governments in the world.

Who are Earworm?

Evidence seems to suggest that the members of Earworm, also known as Zebrocy, are linked to APT28 (also known as Fancy Bear), a cybercriminal group that has been stealing government intelligence for years, especially from countries it considers to be enemies.

The US Department of Homeland Security and the FBI have never had any doubts: for them, Earworm is Russian. More specifically, they link it to the GRU (military intelligence service), the SVR (Foreign Intelligence Service) and the FSB (the successor of the old KGB). The United States considers that these Russian intelligence groups not only encourage Earworm and APT28, but actively finance their operations.

Who have they attacked?

The group’s criminal record doesn’t go back very far, but is intense and far-reaching. They first came to light in 2016, when they managed to steal sensitive information from the US Democratic National Committee (DNC). They were also behind an attack on the World Anti-Doping Agency (WADA), in which they leaked confidential information about several drug tests.

Its activity since then has had one clear goal: NATO member states, whose systems it has repeatedly managed to gain access to. While the United States is one of the main whistleblowers, the Dutch government has also accused the group of stealing information from the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. The UK’s National Cyber Security Centre has also accused Earworm and Russian intelligence of carrying out attacks on several countries’ institutional cybersecurity.

How do they do it?

The entry point for Earworm cyberattacks is email. Emails containing attachments were sent to employees and senior members of these organizations, with the senders impersonating someone trustworthy. Once these files had been downloaded, two malware tools came into play.

  • Trojan.Zekapab. This software was installed on the computer, and was able to automatically download other malware tools.
  • Backdoor.Zekapab. In this case, the program was installed on the victim’s system, and was able to take screenshots, run independent files, and even log keystrokes in order to be able to see everything the computer user was writing.

As well as these cybercriminal techniques, the attackers managed to spend long periods of time in a “semi-dormant” state. This allowed them to stay on infected systems for months at a time, without being discovered or arousing suspicion.

How to avoid these attacks

In 2019, institutional cybersecurity is one of the issues causing most concern in countries around the world; if they don’t want to experience problems like those recently dealt with by Germany, they need to take measures fast.

1.- Authentication. A very common tactic for cybercriminals is to impersonate someone high up in the company they are trying to attack. These institutions must protect the authentication of all their employees and senior officials in order to avoid such identity theft.

2.- Awareness and email. Employees from any institution that may be in danger must be made aware of how important it is to be alert. This means not trusting emails that seem suspicious, or that contain dubious attachments. On top of this, if any problem should occur, they must inform their superiors so that the cyberattack can be stopped, or at least minimized.
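The entry point described above (a trusted-looking sender, an attachment, and a recipient who opens it) can be screened at the mail gateway before awareness training is the last line of defence. The following is an added example, not code from the original post or from any product it mentions: it flags inbound mail whose display name matches a senior official but whose address is not theirs, internal addresses that did not pass DMARC, and attachments of types that should never arrive unannounced. The domain, the officials’ directory, the extension list and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"  # assumed: the institution's own mail domain
SENIOR_OFFICIALS = {"ana director": "ana.director@example.org"}  # constructed
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip")  # assumed policy

def triage(raw_message: str) -> list[str]:
    """Return the reasons an inbound message deserves analyst attention."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", "").lower())
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []
    # A senior official's display name on an address that is not theirs.
    expected = SENIOR_OFFICIALS.get(name.strip())
    if expected and addr != expected:
        reasons.append(f"display name impersonates {expected} from {addr}")
    # An internal sender address that did not pass DMARC at the gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("internal address without a passing DMARC result")
    # Attachments with executable or macro-capable extensions.
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            reasons.append(f"risky attachment {fname}")
    return reasons

# Constructed sample: lookalike sender domain plus a macro-enabled document.
SAMPLE_IMPERSONATION = """\
From: Ana Director <ana.director@mail-example.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="brief.docm"
Content-Disposition: attachment; filename="brief.docm"

ZmFrZQ==
--b1--
"""

# Constructed sample: genuine internal mail that passed DMARC.
SAMPLE_BENIGN = """\
From: Ana Director <ana.director@example.org>
Authentication-Results: mx.example.org; dmarc=pass
Content-Type: text/plain

See the shared drive for the minutes.
"""
```

Messages that return a non-empty list are the ones to quarantine and report, which is exactly the "inform their superiors" step in point 2 turned into something the gateway does automatically.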

3.- Monitoring. No matter how stealthy they are, when someone breaks into an IT system, they usually leave a trace, especially if the theft is carried out swiftly. For this reason, institutions must have advanced cybersecurity solutions in place. One such solution is Panda Adaptive Defense, which proactively and automatically monitors all processes that are running on the system. If there is any cause for alarm, it creates alerts in real time to avoid problems.

4.- Isolated information. Wherever possible, an institution’s most sensitive and confidential information should be stored in systems with no Internet connection. However, as we have seen, even this measure may be insufficient; it is possible to hack a device that isn’t connected to the Internet and to which we don’t have physical access by using electromagnetic emanations. If isolating the systems isn’t possible, this information should at least be stored on different servers from those where easily accessible data is kept.

It can be the case that reactions are too slow: by the time a cyberattack has already been executed, there isn’t much that can be done. There is a real risk that something like this could happen in any country, which means that governments and institutions must be vigilant and proactive in their fight in the cyberwar environment. This is the only way to avoid the grave consequences of a cyberattack on such important institutions as NATO.