Kaspersky Lab’s Global Research and Analysis Team has spotted new attacks by the Sofacy group which make use of several upgraded techniques designed for aggressive persistence and better concealment of malicious activity on the attacked system.
Sofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is a Russian-speaking advanced threat group that has been active since at least 2008, targeting mostly military and government entities worldwide. Since appearing on the public radar in 2014, the group has not stopped its activities. Moreover, Kaspersky Lab experts have discovered new, even more advanced tools in Sofacy’s arsenal. The new toolset is:
Interchangeable: The attackers use multiple backdoors to infect a target with several different malicious tools, one of which serves as a reinfection tool should another one be blocked or killed by a security solution.
Modular: The attackers use malware modularisation, putting some features of the backdoors into separate modules to better hide malicious activity in the attacked system. This is an increasingly popular trend which Kaspersky Lab sees regularly in targeted attacks.
Air-gapped: In many recent (2015) attacks, the Sofacy group made use of a new version of its USB-stealing implant, which allows it to copy data from air-gapped computers.
“Usually, when someone publishes research on a given cyber-espionage group, the group reacts: either it halts its activity or dramatically changes tactics and strategy. With Sofacy, this is not always the case. We have seen it launching attacks for several years now and its activity has been reported by the security community multiple times. In 2015 its activity increased significantly, deploying no less than five 0-days, making Sofacy one of the most prolific, agile and dynamic threat actors in the arena. We have reasons to believe that these attacks will continue,” said Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab.
Kaspersky Lab products detect some of the new malware samples used by the Sofacy threat actor under the following detection names: Trojan.Win32.Sofacy.al, Trojan.Win32.Sofacy.be, Trojan.Win32.Sofacy.bf, Trojan.Win32.Sofacy.bg, Trojan.Win32.Sofacy.bi, Trojan.Win32.Sofacy.bj, Trojan.Win64.Sofacy.q, Trojan.Win64.Sofacy.s, HEUR:Trojan.Win32.Generic.
To protect an organisation against sophisticated targeted attacks, including those by Sofacy, Kaspersky Lab recommends using a multi-layered approach that combines:
– Traditional anti-malware technologies,
– Patch management,
– Host intrusion detection,
– Whitelisting and default-deny strategies.