Sofacy APT turns to the East

Kaspersky Lab publishes an update on Russian-speaking Sofacy APT activity in 2017

We at Kaspersky Lab monitor, report, and protect against a lot of threat actors, some of which are known internationally and sometimes featured in the news. It doesn’t matter which language the threat actor speaks, it’s our duty to know about it, investigate it, and protect our customers from it.

One of the most active threat actors is a Russian-speaking APT called Sofacy, also known as APT28, Fancy Bear, and Tsar Team, infamous for its spear phishing campaigns and cyberespionage activities. In 2017, it shifted focus in a way worthy of an update here.

We’ve been watching Sofacy since 2011 and are pretty familiar with the instruments and tactics the threat actor is using. Last year, the main change was that it moved beyond the NATO countries it was actively spear phishing in the beginning of the year and onto countries in the Middle East and Asia — and farther — in Q2 2017. Earlier, Sofacy also targeted the Olympic Games, the World Anti-Doping Agency (WADA), and the Court of Arbitration for Sports (CAS).

Sofacy uses different tools for different target profiles. For example, in early 2017 a campaign called Dealer’s Choice targeted mostly military and diplomatic organizations (mainly in NATO countries and Ukraine); later, the hackers were using two other tools, which we call Zebrocy and SPLM, to target companies of different profiles including science and engineering centers and press services. Both Zebrocy and SPLM were heavily modified last year, with SPLM (which also goes by the name Chopsticks) becoming modular and using encrypted communications.

The usual infection scheme starts with a spear-phishing letter containing a file with a script that downloads the payload. Sofacy is known for finding and exploiting zero-day vulnerabilities and using those exploits to deliver the payload. The threat actor maintains a high level of operational security and really focuses on making its malware harder to detect — which, of course, makes it harder to investigate.

In cases of highly sophisticated targeted campaigns such as Sofacy, thorough incident investigation is vital. It will allow you to figure out what information malefactors were after, understand their motives, and detect the presence of any sleeping implants.

To do that, your security system needs not only advanced protective solutions but also an endpoint detection and response system. Such a system detects threats at early stages, and helps analyze events that predated the incident. Having skilled experts doesn’t hurt, either. As a solution, we offer the Threat Management and Defense platform, which incorporates Kaspersky Anti Targeted Attack, Kaspersky Endpoint Detection and Response, and expert services.

You can find more information on the threat actor’s activity in 2017, including technical details, on Securelist. Further, at the start of this year, our researchers found some interesting shifts in Sofacy’s behavior that we will highlight at the SAS 2018 conference. If you are interested in APTs and building defense against them, don’t forget to get a ticket — or at least visit our blogs frequently during the SAS.

Tips