Kaspersky Lab’s Global Research and Analysis Team is publishing an overview of 2017 activity by the threat actor Sofacy, also known as APT 28 and Fancy Bear, to help organizations across the world better understand and protect themselves against this threat actor.
Context
Sofacy is a highly active and prolific cyberespionage group. Its reported presence in the U.S. DNC network in 2016, alongside APT29, thrust the group into the media spotlight, but that is just a small part of the story.
Kaspersky Lab’s Global Research and Analysis Team has been tracking the Russian-speaking Sofacy for many years, and in 2017 reported at length on its latest tools, techniques and targets.
The overview report summarizes their findings.
“Sofacy is one of the most active threat actors we monitor, and it continues to spear-phish its way into targets, often on a remarkable global scale. Our data and detections show that in 2017 the threat actor further developed its toolset as it moved from high volume NATO spear-phish targeting towards the Middle East and Central Asia, before finally shifting its focus further East. Mass campaigns appear to have given way to subsets of activity and malware involving such tools as Zebrocy and SPLM,” said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.
Kaspersky Lab advice for staying safe
With a group like Sofacy, once it is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services like email and VPN access.
To identify its presence, intelligence reports give valuable insight into its targeting, and hunting tools like YARA provide a powerful means of detection. It is also worth investing in an anti-targeted-attack solution, like KATA, that offers out-of-band processing.
Further information, including technical details, can be found in the full report on Securelist.