Russian hackers targeting US banks
Posted by: Timothy Weaver on 05/15/2015 08:53 AM
Security firm Root9B reports that the Russian hacking group known as APT28 or Pawn Storm is writing new malware, registering domain names similar to those of its intended targets, and setting up command-and-control servers.
Several security vendors believe it operates out of Russia and has possible ties to that country’s intelligence agencies.
The group’s primary malware tool is a backdoor program called Sednit or Sofacy that it delivers to victims through spear-phishing emails or drive-by downloads launched from compromised websites.
The group appears to be targeting Commercial Bank International in the UAE, Bank of America, TD Canada Trust, the United Nations Children's Fund (UNICEF), United Bank for Africa, Regions Bank, and possibly Commerzbank.
It is thought that the group will employ spear-phishing as its main method of delivery.
Root9B analysts believe that there might be two subgroups within APT28: one that targets military and government organizations and one that targets financial institutions and banks.
The IP address of a command-and-control server set up by the attackers has been published so that banks and other financial companies can block it on their networks.
Source: CIO.com
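The report's point about the group registering domains that resemble its targets' domains is something a defender can check for directly. The following is an added example (not code from the article or from Root9B) that screens newly observed domain names, for instance from DNS or certificate-transparency feeds, against a list of protected brand domains; the protected list and the sample domains are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list of domains an organisation wants to watch for look-alikes (assumption: example only).
PROTECTED = ["bankofamerica.com", "tdcanadatrust.com", "unicef.org"]

# Single-character substitutions commonly used to imitate a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "$": "s", "@": "a"})


def normalize(domain: str) -> str:
    """Lower-case, reduce accented Latin letters to ASCII, fold common substitutions.
    Non-Latin confusables are dropped rather than mapped, so they fall through to the similarity check."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    d = d.translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def registrable_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'bankofamerica' (assumes a single-label TLD such as .com)."""
    parts = domain.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_lookalikes(candidates, protected=PROTECTED, threshold=0.8):
    """Return (candidate, protected_domain, reason) for each candidate resembling a protected domain."""
    hits = []
    for cand in candidates:
        norm = normalize(cand)
        for prot in protected:
            if cand.lower() == prot.lower():
                continue  # the genuine domain itself is not a look-alike
            pnorm = normalize(prot)
            plabel = registrable_label(pnorm)
            if norm == pnorm:
                hits.append((cand, prot, "homoglyph substitution"))
                break
            if plabel in norm:  # brand label embedded anywhere, e.g. brand-login.net or brand.com.evil.net
                hits.append((cand, prot, "contains brand label"))
                break
            ratio = SequenceMatcher(None, registrable_label(norm), plabel).ratio()
            if ratio >= threshold:  # close edit distance: typosquats and single-letter swaps
                hits.append((cand, prot, f"edit similarity {ratio:.2f}"))
                break
    return hits


# Constructed sample of newly observed domains: one genuine, four look-alikes, one unrelated.
SAMPLE_NEW_DOMAINS = ["bankofamerica.com", "bank0famerica.com", "bankofamerlca.com",
                      "tdcanadatrust-login.net", "unicef.org.secure-update.com", "example.com"]

if __name__ == "__main__":
    for cand, prot, reason in flag_lookalikes(SAMPLE_NEW_DOMAINS):
        print(f"{cand:32} looks like {prot:20} ({reason})")
```

Flagged domains are candidates for blocking at the mail gateway and for sinkholing in internal DNS, alongside the published command-and-control address mentioned above.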
