Sofacy in 2017: shifts focus from NATO and Ukraine towards the East

Kaspersky Lab’s Global Research and Analysis Team is publishing an overview of 2017 activity by the threat actor Sofacy, also known as APT 28 and Fancy Bear, to help organizations across the world better understand and protect themselves against this threat actor.

Sofacy is a highly active and prolific cyberespionage group. Its reported presence in the U.S.’s DNC network in 2016, alongside APT29, thrust the group into the media spotlight, but that is just a small part of the story.
Kaspersky Lab’s Global Research and Analysis Team has been tracking the Russian-speaking Sofacy for many years, and in 2017 reported at length on its latest tools, techniques and targets.

The overview report summarizes the team's findings:
· In 2017, Sofacy activity moved from a heavy focus on NATO and Ukrainian-related targets at the start of the year to a growing focus on Central Asia and even further East by the end of the year.

· The year began with the completion of the late 2016 Dealers’ Choice spear-phishing campaign, targeting organizations related to Ukraine and NATO military and diplomatic interests. The global reach of this campaign was remarkable, with KSN and third party data sources confirming targets in Armenia, Azerbaijan, France, Germany, Iraq, Italy, Kyrgyzstan, Morocco, Switzerland, Ukraine, United States, Vietnam, Turkey, Poland, Bosnia and Herzegovina, Azerbaijan, South Korea, Latvia, Georgia, Australia, Sweden, and Belgium.

· The early part of the year also saw the use in spear-phishing of a zero day exploiting a Microsoft Office vulnerability (CVE-2017-0262) and an escalation-of-privilege use-after-free exploit (abusing CVE-2017-0263), used to hit predominantly NATO targets in Europe, generally with content related to the Syrian military conflict.

· By the middle of 2017, detections of Sofacy’s SPLM backdoor revealed an ongoing focus on ex-Soviet republics in Central Asia. Target profiles included defense-related commercial and military organizations and telecommunications. One outlier SPLM target spotted by researchers was an audit and consulting firm in Bosnia and Herzegovina.

· Alongside this, researchers discovered that Sofacy’s Zebrocy payload and delivery mechanism was being modified and used to hit a small, specific subset of targets within the broader set. For these attacks, content was related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appeared to be widely spread across the Middle East, Europe and Asia and focused on industrial, technology, government and diplomatic targets, among others.

· Targets for both Zebrocy and SPLM attacks have been detected in: Afghanistan, Armenia, Australia, Azerbaijan, Bangladesh, Belgium, China, Germany, Estonia, Finland, Georgia, Israel, India, Jordan, Kuwait, Kyrgyzstan, Kazakhstan, Lebanon, Lithuania, Mongolia, Malaysia, Netherlands, Oman, Pakistan, Poland, Saudi Arabia, South Africa, South Korea, Sweden, Switzerland, Tajikistan, Turkmenistan, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan, and Bosnia and Herzegovina.