Sofacy in 2017: Shifts focus from NATO and Ukraine towards the East

Kaspersky Lab’s Global Research and Analysis Team is publishing an overview of 2017 activity by the threat actor Sofacy, also known as APT 28 and Fancy Bear, to help organizations across the world better understand and protect themselves against this threat actor.

Context

Sofacy is a highly active and prolific cyberespionage group. Its reported presence in the U.S.’s DNC network in 2016, alongside APT29, thrust the group into the media spotlight, but that is just a small part of the story.  

Kaspersky Lab’s Global Research and Analysis Team has been tracking the Russian-speaking Sofacy for many years, and in 2017 reported at length on its latest tools, techniques and targets.

The overview report summarizes their findings.

• In 2017, Sofacy activity moved from a heavy focus on NATO and Ukrainian-related targets at the start of the year to a growing focus on Central Asia and even further East by the end of the year.

• The year began with the completion of the late 2016 Dealers’ Choice spear-phishing campaign, targeting organizations related to Ukraine and NATO military and diplomatic interests.  The global reach of this campaign was remarkable, with KSN and third party data sources confirming targets in Armenia, Azerbaijan, France, Germany, Iraq, Italy, Kyrgyzstan, Morocco, Switzerland, Ukraine, United States, Vietnam, Turkey, Poland, Bosnia and Herzegovina, Azerbaijan, South Korea, Latvia, Georgia, Australia, Sweden, and Belgium.

• The early part of the year also saw the use in spear-phishing of a zero day exploiting a Microsoft Office vulnerability CVE-2017-0262) and an escalation of privilege use-after-free exploit (abusing CVE-2017-0263), used to hit predominantly NATO targets in Europe, generally with content related to the Syrian military conflict.

• By the middle of 2017, detections of Sofacy’s SPLM backdoor revealed an ongoing focus on ex-Soviet republics in Central Asia. Target profiles included defense related commercial and military organizations and telecommunications. One outlier SPLM target spotted by researchers was an audit and consulting firm in Bosnia and Herzegovina.  

• Alongside this, researchers discovered that Sofacy’s Zebrocy payload and delivery mechanism was being modified and used to hit a small, specific subset of targets within the broader set. For these attacks, content was related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appeared to be widely spread across the Middle East, Europe and Asia and focused on industrial, technology, government and diplomatic targets, among others.

• Targets for both Zebrocy and SPLM attacks have been detected in: Afghanistan, Armenia, Australia, Azerbaijan, Bangladesh, Belgium, China, Germany, Estonia, Finland, Georgia, Israel, India, Jordan, Kuwait, Kyrgyzstan, Kazakhstan, Lebanon, Lithuania, Mongolia, Malaysia, Netherlands, Oman, Pakistan, Poland, Saudi Arabia, South Africa, South Korea, Sweden, Switzerland, Tajikistan, Turkmenistan, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan, and Bosnia and Herzegovina.

• During 2017, some of Sofacy’s infrastructure was publicly disclosed, so researchers expect to see changes to this introduced in 2018.

“Sofacy is one of the most active threat actors we monitor, and it continues to spear-phish its way into targets, often on a remarkable global scale. Our data and detections show that in 2017 the threat actor further developed its toolset as it moved from high volume NATO spear-phish targeting towards the Middle East and Central Asia, before finally shifting its focus further East. Mass campaigns appear to have given way to subsets of activity and malware involving such tools as Zebrocy and SPLM.” said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.

Kaspersky Lab advice for staying safe

With a group like Sofacy, once it is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two factor authentication for services like email and VPN access.

In order to identify its presence, you can gain valuable insight into its targeting from intelligence reports, and a powerful means of detection with hunting tools like YARA. It is also worth investing in an anti-targeted-attack solution, like KATA, that offers out-of-band processing.

Further information, including technical details, can be found in the full report on Securelist