Sofacy APT turns to the East

Kaspersky Daily (Kaspersky Lab blog), published 2018-02-20, last modified 2019-11-15
https://www.kaspersky.com/blog/sofacy-2017-update/21227/

Summary: Kaspersky Lab publishes an update on Russian-speaking Sofacy APT activity in 2017.

We at Kaspersky Lab monitor, report on, and protect against a lot of threat actors, some of which are known internationally and sometimes featured in the news. It doesn’t matter which language the threat actor speaks; it’s our duty to know about it, investigate it, and protect our customers from it.

One of the most active threat actors is a Russian-speaking APT called Sofacy (see https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/), also known as APT28, Fancy Bear, and Tsar Team, infamous for its spear-phishing campaigns and cyberespionage activities. In 2017, it shifted focus in a way worthy of an update here.

We’ve been watching Sofacy since 2011 and are pretty familiar with the instruments and tactics the threat actor uses. Last year, the main change was that it moved beyond the NATO countries it was actively spear phishing at the beginning of the year and on to countries in the Middle East and Asia — and farther — in Q2 2017. Earlier, Sofacy also targeted the Olympic Games, the World Anti-Doping Agency (WADA), and the Court of Arbitration for Sport (CAS).

Sofacy uses different tools for different target profiles. For example, in early 2017 a campaign called Dealer’s Choice targeted mostly military and diplomatic organizations (mainly in NATO countries and Ukraine); later, the hackers were using two other tools, which we call Zebrocy and SPLM, to target companies of different profiles, including science and engineering centers and press services. Both Zebrocy and SPLM were heavily modified last year, with SPLM (which also goes by the name Chopsticks) becoming modular and using encrypted communications.

The usual infection scheme starts with a spear-phishing letter containing a file with a script that downloads the payload. Sofacy is known for finding and exploiting zero-day vulnerabilities and using those exploits to deliver the payload. The threat actor maintains a high level of operational security and really focuses on making its malware harder to detect — which, of course, makes it harder to investigate.

In cases of highly sophisticated targeted campaigns such as Sofacy’s, thorough incident investigation is vital. It will allow you to figure out what information the malefactors were after, understand their motives, and detect the presence of any sleeping implants.

To do that, your security system needs not only advanced protective solutions but also an endpoint detection and response system. Such a system detects threats at early stages and helps analyze events that predated the incident. Having skilled experts doesn’t hurt, either. As a solution, we offer the Threat Management and Defense platform (https://www.kaspersky.com/enterprise-security/threat-management-defense-solution), which incorporates Kaspersky Anti Targeted Attack, Kaspersky Endpoint Detection and Response, and expert services.

You can find more information on the threat actor’s activity in 2017, including technical details, on Securelist (https://securelist.com/a-slice-of-2017-sofacy-activity/83930/). Further, at the start of this year, our researchers found some interesting shifts in Sofacy’s behavior that we will highlight at the SAS 2018 conference (https://sas.kaspersky.com/). If you are interested in APTs and building defenses against them, don’t forget to get a ticket — or at least visit our blogs frequently during the SAS.