A leaked private Google report from 2014 reportedly reveals that the tech giant was aware of the cyberespionage group APT28, also known as Fancy Bear and Sofacy among other names, long before cybersecurity experts linked the high-profile DNC hack to the state-sponsored hacker group. The leaked report also reportedly shows Google hinting that the group worked for the Kremlin.
Google titled the report "Peering into the Aquarium", considered to be a subtle and clever reference to the headquarters of the Russian military intelligence unit GRU (Glavnoye Razvedyvatel'noye Upravleniye), which is popularly known as "The Aquarium". Google researchers noted that APT28's two malware variants, Sofacy and X-Agent, "are used by a sophisticated state-sponsored group targeting primarily former Soviet republics, NATO members, and other Western European countries."
"It looks like Google researchers were well aware of Sofacy before it was publicly disclosed," Matt Suiche, security researcher and the founder of Comae Technologies, told Motherboard after reviewing the report. "And also attributed Sofacy and X-Agent to Russia before it was publicly done by FireEye, ESET or CrowdStrike."
In the report, Google researchers noted that the hacker group primarily used its first-stage malware Sofacy for a large number of attacks. However, it used its more customised and sophisticated X-Agent malware when going after "high-priority targets".
"Sofacy was three times more common than X-Agent in the wild, with over 600 distinct samples," Google's report stated. The report also stated that Georgia had the highest submission rate of X-Agent malware to VirusTotal, the public malware repository acquired by the tech giant in 2012, indicating that the country was a high-priority target for the attackers at one point.
Despite being fairly dated, Google's report reveals APT28's sophisticated cyberespionage activities and techniques long before the group became known to the world. The report also sheds light on how a tech giant like Google can collect data on government hacker groups thanks to the kind of data it can access.