The AlienVault Blogs
Taking On Today’s Threats
October 28, 2014

From Russia with love: Sofacy/Sednit/APT28 is in town

Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.

We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence.

The techniques used by this group have evolved over the years.

- Spearphishing

Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

  • CVE-2010-3333
  • CVE-2012-0158
  • CVE-2014-1761

As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

We cover these tools using the following rules with USM:

  • System Compromise, Targeted Malware, OLDBAIT - Sofacy
  • System Compromise, Targeted Malware, Chopstick - Sofacy
  • System Compromise, Targeted Malware, Coreshell - Sofacy
  • System Compromise, C&C Communication, Sofacy Activity

- Web compromises

The group has been seen infecting websites and redirecting visitors to a custom exploit kit being able to take advantage of the following vulnerabilities affecting Internet Explorer:

  • CVE-2013-1347
  • CVE-2013-3897
  • CVE-2014-1776

The following rule detects activity related to this exploit kit:

  • Exploitation & Installation, Malicious website - Exploit Kit, Sednit EK

- Phishing campaigns

This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.

Inspecting the content of the malicious redirect we can alert on this activity using the following rule:

  • Delivery & Attack, Malicious website, Sofacy Phishing

References:

[1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
[2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/
[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
[4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
[5] http://malware.prevenity.com/2014/08/malware-info.html
[6] http://www.fireeye.com/resources/pdfs/apt28.pdf

GO DEEPER WITH THIS WEBCAST:

How to Detect and Investigate Brute Force Attacks with AlienVault USM Anywhere

A brute force attack is one of the more common types of attack that malicious actors use to try and gain access to your IT servers, applications and data. These attacks are relatively simple for attackers to implement and they can wreak havoc on your organization when successful. However, many IT security teams may not be aware that they are at risk from these attacks, or what to do about them.

Watch it now ›
‹ BACK TO ALL BLOGS

Get the latest
security news in
your inbox.

Subscribe via Email

Labs Research
Security Essentials
All Blogs

Gartner MQ

Featured Content

Chat