FireEye found that two state-sponsored hacking groups, APT28 and Sandworm, used spear phishing, the practice of sending emails designed to look like they’re from a trusted party, in an attempt to obtain government information.
FireEye said European government institutions were sent emails with links to websites that appeared to be authentic, luring a person into changing their password and thus sharing their credentials with hackers.
APT28, more popularly known as Fancy Bear, is believed to be linked to Russian military intelligence agency GRU and has been labeled as one of the malicious actors behind the 2016 Democratic National Convention hack.
Sandworm, meanwhile, has also been tied to Russia, and is believed to have been behind the NotPetya ransomware attacks last year which targeted mainly Ukrainian institutions.
The spying efforts of the two hacking groups appeared to be coordinated, but the tools used by both differed, FireEye said. The company said it noticed a “significant increase” in activity from the groups in mid-2018 and that the cyberespionage campaign is ongoing.
“The groups could be trying to gain access to the targeted networks in order to gather information that will allow Russia to make more informed political decisions, or it could be gearing up to leak data that would be damaging for a particular political party or candidate ahead of the European elections,” Benjamin Read, senior manager of cyberespionage analysis at FireEye, said in a statement Thursday.
FireEye, founded in 2004, provides a number of cybersecurity services, including intelligence analysis, disaster response and outsourced managed security operations. The firm is reported to have worked with Facebook and Google to spot disinformation campaigns.
The firm’s findings are likely to fuel worries over the possibility that Russia may influence upcoming EU elections. As Europe braces itself for a fresh parliamentary vote in May, tensions are running high over the potential for foreign states like Russia to use their cyber capability to sway the results.
French President Emmanuel Macron recently called for a “European renaissance” to combat cyberattacks and foreign funding for European political parties, while former NATO Secretary General Anders Fogh Rasmussen has warned Russia will be a “major malign actor” in the upcoming EU poll.
“The link between this activity and the European elections is yet to be confirmed, but the multiple voting systems and political parties involved in the elections creates a broad attack surface for hackers,” FireEye’s Read said.
FireEye said the cyberspying efforts were concentrated on NATO member states, but declined to identify which specific organizations had been targeted. It also said it was unable to state whether any sensitive data had been leaked from institutions as a result. However, it added that cyber campaigns of this size are usually successful.
FireEye’s alert over Russian hacking follows a similar announcement from Microsoft. The tech giant said last month that hackers linked to Strontium — another name for APT28 — carried out phishing campaigns on think-tanks and non-profit organizations in Europe.