Sofacy new waves: billowing with new tricks

Do you work with government or military contractors? Or are YOU the contractor? Then be warned: the Sofacy targeted attack actor has scaled up its activities – and may be

Do you work with government or military contractors? Or are YOU the contractor? Then be warned: the Sofacy targeted attack actor has scaled up its activities – and may be interested in your data.

Sofacy is a highly professional Russian-speaking threat actor, known for its daring attacks on government and military targets and active from circa 2008. Suspected of a connection with the notorious Miniduke actors, Sofacy has been notable for its extensive use of 0-day exploits. As attacks are highly dynamic and Sofacy constantly switches targets in search of new victims, it’s almost impossible to predict who, or even where in the world, their next victims may be.

In the past, we’ve seen victims of Sofacy in countries including Ukraine, France, Greece, UK, Jordan and Belgium. The group also has a history of targeting military contractors who sell to multiple NATO-group and other countries.

This year, however, the plot of Sofacy’s targeted attack development story has taken a new twist. The group has increased its activities almost tenfold – its activities providing a classic case study in just how far sophisticated attacks differ from the vast sea of ‘mass-market’ malware. True to their zero-day-wielding reputation, they used no fewer than five new exploits targeting Java, Flash and Microsoft Windows and Office.

New features – new problems

First, in July 2015, Sofacy’s authors dropped two completely new exploits – Microsoft Office and Oracle Java 0-days. Then in August, during a new wave of attacks focused on military-related targets, they developed a brand new version of their first-level implant, dubbed AZZY, which specifically aimed at high-profile victims.

With critical targets like these in their sites, attackers watch closely over their ongoing espionage operations, reacting at high speed and with deadly efficiency to each defensive action on the part of their victims. In this instance, the appropriate signature, once deployed, continued statically detecting the AZZY malware for only an hour or so before this attack method was dropped.  By then, the attackers, working at extremely high speed, had already compiled a second x64 backdoor – which naturally avoided further detection by the static signature. Kaspersky Lab’s behavioristic System Watcher technology[1], however, detected this new sample version without too much trouble.

Meanwhile, the extremely short time-lapse before the appearance of the new backdoor suggested that, rather than using an exploit, the backdoor was being downloaded by malware already residing in the targeted system. A further search proved this to be true.

The new, previously unknown, malware was found in the shape of a .dll file residing in one of the target’s hidden system directories. Just how this top-level malware was introduced into the target system remains unknown.

To complicate things even further, another malware .dll was serving as a communication agent, interacting with the attackers’ Command & Control servers. This modularized approach allowed the attackers to reduce the chances of behavioral and even manual discovery.

In addition, mindful of the air-gaps often employed by their targets to guard their secrets, the Sofacy actors developed a family of USBSTEALER modules. These would allow spying malware to communicate with its creators, its messages carried on USB portable storage devices through the guarded perimeter and into the outer world.


..but it’s solvable

The Sofacy operation makes one thing very clear: a ‘generic’ approach to information security is definitely not enough against such agile attackers. As is so often demonstrated, the best defense against targeted attacks is a comprehensive strategy relying on a multi-layered security approach.

Combining anti-malware technologies with patch management, Host-based Intrusion Prevention (HIPS) and ideally, allowlists and default-deny would significantly reduce the chances of a successful intrusion mounted in this way.

While attack via USB storage is often considered outdated in the modern threat landscape, no one should underestimate the danger presented by these devices.

The use of Device Control technology can limit the use of USB devices and prevent data from leaving the defensive perimeter – or attackers’ own toolset components from reaching into or outside of air-gapped networks.

Employing a number of small modules, each undertaking just one small part of the attack, in order to keep under the radar of the behavioral engine, is just one of a plethora of tricks. To significantly increase the chances of discovery, one needs a bird’s eye view of activities occurring at different levels of IT infrastructure (including both network and endpoints) – and some way of identifying and correlating a number of seemingly innocuous separate events into a security alarm.

Kaspersky Lab’s upcoming advanced threat detection solution does exactly this, and more, providing a comprehensive and highly scalable platform for the analysis of events and objects throughout the whole IT network. It enables the timely detection of Targeted Attacks, however subtle the indicators might be.

To further empower your defensive strategy, Kaspersky Lab also offers a comprehensive portfolio of Intelligence Services. This portfolio of services enables your Security Officers to strengthen multiple facets of your security, from calling upon our incident response expertise to boosting your overall security posture through applying our leading-edge intelligence.


Of course, such attacks are essentially a large enterprise issue. Sofacy’s new wave focuses primarily on military contractors, who could theoretically provide entry points into the military itself. But do please be aware of new trends in the cybersecurity world, even your own business is not a large one and has no military customers. The chains by which attackers reach their targets can comprise many links, and smaller companies can sometimes have extremely valuable secrets.

Known Sofacy samples are detected by Kaspersky Lab’s solutions under the following verdicts:

  • Win64.Sofacy.q
  • Win64.Sofacy.s
  • HEUR:Trojan.Win32.Generic

The exploits are stopped with verdicts:

  • PDM:Exploit.Java.Generic
  • PDM:Exploit.Win32.Generic


[1] System Watcher behavioral technology provides protection from unknown malware and Advanced Threats in all tiers of Kaspersky Endpoint Security for Business