{
	"id": "4a07ec66-ed38-4764-a728-0c3bc3278e35",
	"created_at": "2026-04-06T01:31:30.278498Z",
	"updated_at": "2026-04-10T03:37:50.146966Z",
	"deleted_at": null,
	"sha1_hash": "a1330ebd51f4d390ff1e44c474a6337cbeb4688d",
	"title": "Accenture: Russian hackers using Brexit talks to disguise phishing lures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173627,
	"plain_text": "Accenture: Russian hackers using Brexit talks to disguise phishing\r\nlures\r\nBy Zaid Shoorbajee\r\nPublished: 2018-11-29 · Archived: 2026-04-06 01:16:57 UTC\r\nA notorious Russian hacking group tried to exploit the latest flurry of Brexit-related news to spread malware to\r\nunsuspecting victims, according to a report from Accenture released Thursday.\r\nAPT28, which Accenture refers to as SNAKEMACKEREL, used a malware-laced Microsoft Word document that\r\nappeared to be about the United Kingdom’s planned separation from the European Union to try breaching a wide\r\nvariety of targets’ systems, researchers said.\r\nAPT28 is widely believed to be the product of Russian intelligence services. Also known as Fancy Bear, Pawn\r\nStorm and other names, it's the same group researchers have blamed for the 2016 breach on the Democratic\r\nNational Committee, for leaks relating to the 2018 Winter Olympics and for the targeting of various government,\r\npolitical, critical infrastructure and other organizations.\r\n“Based on observed targeting by this threat group over the past few years, we assess with moderate confidence\r\nthat they are likely to have targeted government, politics, think tanks and defense organizations in the US, Europe\r\nand a former eastern bloc country,” Michael Yip, security principal at Accenture’s iDefense team, told\r\nCyberScoop in an email.\r\nAccenture said it observed activity relating to this malware campaign around the same time that government\r\nleaders in the U.K. announced a draft deal for Brexit earlier this month. The name of the Word document used in\r\nthe campaign is “Brexit 15.11.2018.docx,” suggesting that the Russian hacking group is exploiting current events\r\nto make its messages seem legitimate. The document displays garbled text in an attempt to get targets to enable\r\nmacros, unleashing the “Zekapab” malware.\r\nhttps://www.cyberscoop.com/apt28-brexit-phishing-accenture/\r\nPage 1 of 2\n\nResearchers said this document displays garbled text in an attempt to get victims to enable macros. (Accenture\r\nSecurity)\r\nZekapab, which has previously been observed by Accenture and others, is a first-stage malware that establishes a\r\nbackdoor on a victim’s system and collects information about the host. The malware is also known as Zebrocy and\r\nwas spotted by Palo Alto Networks researchers in another APT28-linked campaign late October and early\r\nNovember.\r\n“The use of weaponized Microsoft Office documents to deliver first stage malware such as Zekapab (aka Zebrocy)\r\nand the use of news headline themes for document lures are hallmarks of SNAKEMACKEREL’s modus\r\noperandi,” Yip said. “The speed in which fresh news headlines are used for document lures in attacks particularly\r\nhighlights the group’s knowledge of foreign affairs and provides strong indications of their targeting remit.”\r\nSean Lyngaas contributed to this story.\r\nSource: https://www.cyberscoop.com/apt28-brexit-phishing-accenture/\r\nhttps://www.cyberscoop.com/apt28-brexit-phishing-accenture/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cyberscoop.com/apt28-brexit-phishing-accenture/"
	],
	"report_names": [
		"apt28-brexit-phishing-accenture"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439090,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1330ebd51f4d390ff1e44c474a6337cbeb4688d.pdf",
		"text": "https://archive.orkl.eu/a1330ebd51f4d390ff1e44c474a6337cbeb4688d.txt",
		"img": "https://archive.orkl.eu/a1330ebd51f4d390ff1e44c474a6337cbeb4688d.jpg"
	}
}