Russian hacking tool gets extra stealthy to target US, European computers

This malicious software will email your hacker from your computer without you ever knowing.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read
Aaron Robinson

Russian hackers have a new tool up their sleeve to gain access to sensitive computers without getting caught, cybersecurity experts say. And they're using it to target US and European government entities, as well as a former territory of the Soviet Union.

Cybersecurity firm Palo Alto Networks described the hacking tool, which it calls "Cannon," in a blog post Tuesday. Cannon is a piece of malicious software that hackers sneak onto target computers and use to take screenshots of the infected computer's homepage. Then the software uses email to send the images back to the hackers and receive new instructions. It's like a spy camera on your computer that can send images back home, apparently to Russia.

Palo Alto Networks believes the hackers behind Cannon are a group that intelligence officials have concluded is part of Russia's military spy agency, GRU. Sometimes called Fancy Bear, the hacking group was also blamed for hacking the Democratic National Committee in 2016.

The hacking tool's use of email to send information to accounts where the hackers can reach it is both clever and new, said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks. It's part of a bigger picture in which sophisticated hackers stage elaborate, Ocean's Eleven-like attacks on computer networks in which nothing is as it seems, all to avoid detection for as long as possible. And as quick as experts get at detecting those evasive techniques, hackers from groups like Fancy Bear change things up.

"It's a group that is well resourced and has good people," Miller-Osborn said. "As we evolve our protections against them, they are capable of evolving against those protections."

It started with a phishing email

The news of Cannon comes less than a week after two other cybersecurity companies told Reuters that a different group of hackers associated with Russia were impersonating employees of the US Department of State to send phishing emails to think tanks, businesses and government agencies. One of the cybersecurity firms, FireEye, said Monday it believes the hack was carried out by a group called Cozy Bear, which US intelligence officials have said they believe is Russian spy agency called FSB. Palo Alto Networks did not say whom the hackers were impersonating in the hacking campaign they identified, nor did they provide more information on the specific countries targeted.

The new hacking tool is part of a larger campaign that went through several steps to gain access to targeted computers. Miller-Osborn's team observed the hacking activity in late October and early November. As is often the case, it started with a phishing email.

Watch this: How to protect your Apple ID from hackers

Hackers sent emails with a Microsoft Word document inside to the targeted users. The document had nothing malicious in it whatsoever, making it hard for security software that scans email attachments to catch. But once a user clicked on it to open it, the Word document would download something called a remote template that included malicious code. Now the Word document was transformed into a delivery system for malware.

The ability to create remote templates is a Word feature. It lets an organization create a template that its employees can download to give their documents a uniform style. The download can take place automatically.

The experts said they then saw the Word document, now turned bad, install two malicious programs, including Cannon. Cannon could then log into a predetermined email address completely behind the scenes, without a user ever noticing, Miller-Osborn said. From there, it could send screenshots and information from the hacked machine, and potentially receive instructions to install even more malicious software.

Now that Palo Alto Networks has published what it knows about the hacking tools, security software can look for signs of the same attack. That's why keeping security software up-to-date at home and at work is always a good idea. But beyond that, there's not much a regular person can do to stop a hack like this.

Except for one thing, Miller-Osborn said. "The only thing they could have done would be to not open the email."

The best tech Christmas gifts for 2018

See all photos

CNET's Holiday Gift Guide: The place to find the best tech gifts for 2018.

Best Black Friday 2018 deals: The best discounts we've found so far.