A well-known Russian cyber-espionage group has subtly changed its modus operandi, moving to what security researchers from Palo Alto Networks are calling "parallel attacks."
These new "parallel attacks" are in stark contrast with what security researchers from multiple cyber-security firms have previously seen from Sofacy, a well-known APT (advanced persistent threat, a term used to describe nation-state hackers).
For the past few years, this group, which has also been known under names like APT28, Sednit, Fancy Bear, Pawn Storm, and Tsar Team, has operated in a similar manner by targeting a small number of users inside an organization, usually with the same exploit chain and the same malware.
But in a report published yesterday, Palo Alto Networks researchers have revealed that the group has evolved from this stealthier tactic to a shotgun approach, regularly seen in the tactics of financially motivated hackers.
The first thing that jumped out to researchers is that instead of targeting a few key individuals inside an organization, the group is targeting a larger number of victims.
"The targeted individuals did not follow any significant pattern, and the email addresses were found easily using web search engines," said Palo Alto Networks researchers Bryan Lee and Robert Falcone.
"This is a stark contrast with other attacks commonly associated with the Sofacy group where generally no more than a handful of victims are targeted within a single organization in a focus-fire style of attack."
But besides targeting more users than usual, security experts have also noticed another new wrinkle in Sofacy's M.O. According to Palo Alto Networks, the group is now deploying multiple different attack methods to infect victims with varying strains of malware, sometimes at the same time, hence the name "parallel attacks."
Palo Alto Networks says it has seen the group using spear-phishing emails that spread Office documents laced with macros, Office documents leveraging a well-known DDE exploit, and emails with classic executable files as attachments.
What was quite peculiar is that the three versions of Zebrocy, one of the malware families delivered in these attacks, were coded in different programming languages (AutoIt, C++, Delphi), all of which were deployed in the recent attacks, sometimes against the same target organization.
This, again, stood out as it was quite a unique tactic for an APT, and Sofacy in particular.
"In our research, we have not seen the Sofacy threat group use variations of the same tool developed in multiple languages for the same operating system as part of the same attack campaign," Lee and Falcone told Bleeping Computer via email yesterday.
"However, there have been at least two instances where they ported an existing tool to a completely new platform [1, 2], leading us to believe it is certainly within their capabilities to switch up development languages mid attack, or even change tactics to ultimately accomplish their mission."
As mentioned before, this shotgun approach of deploying different malware through different infection channels is not usually a method employed by APT groups, but rather by desperate low-level cyber-criminals looking to infect victims at any cost.
The reason is that shotgun targeting through parallel exploit chains leaves attackers open to easier detection, as there are more artifacts that security software can pick up during attacks, rather than the low number of items that can be detected during carefully honed single-chain approaches.
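The detection rationale above can be turned into a concrete check. The following is an added example, not code from the Palo Alto Networks report or from BleepingComputer; it assumes a mail gateway that records, per message, the recipient organization, the attachment name and the attachment's raw bytes, and the event records and sample attachments are constructed for the demonstration. It flags the three delivery vectors the article names (macro-bearing Office documents, documents carrying a DDE field, and executable attachments) and reports organizations hit by more than one distinct vector inside a short window, which is exactly the extra surface that a parallel campaign exposes.

```python
"""Classify mail attachments by delivery vector and correlate distinct vectors
per recipient organization. Added example for this article; the event format,
window and sample attachments are constructed, not taken from any real report."""
import io
import re
import zipfile
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Word stores field codes in <w:instrText>; a DDE or DDEAUTO field is what
# the well-known DDE technique relies on. Matching inside instrText avoids
# flagging ordinary body text that happens to contain the letters "DDE".
DDE_FIELD = re.compile(rb"<w:instrText[^>]*>\s*DDE(?:AUTO)?\b", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def classify_attachment(name: str, data: bytes) -> Optional[str]:
    """Return 'executable', 'macro', 'dde' or None for a single attachment."""
    lower = name.lower()
    # Classic executable: PE/DOS files begin with the 'MZ' signature.
    if data[:2] == b"MZ" or any(lower.endswith(e) for e in EXECUTABLE_EXTENSIONS):
        return "executable"
    # OOXML documents are ZIP containers; inspect the parts without opening
    # the document in Office, so nothing inside it can execute.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.endswith("vbaProject.bin") for n in names):
                    return "macro"
                for part in names:
                    if part.endswith(".xml") and DDE_FIELD.search(zf.read(part)):
                        return "dde"
        except zipfile.BadZipFile:
            return None
    return None


def parallel_vector_alerts(events, window=timedelta(days=7), min_vectors=2):
    """Return {org: sorted vectors} for organizations that received at least
    min_vectors distinct delivery vectors within any window-sized span."""
    by_org = defaultdict(list)
    for ev in events:
        vector = classify_attachment(ev["attachment"], ev["data"])
        if vector:
            by_org[ev["org"]].append((ev["time"], vector))
    alerts = {}
    for org, hits in by_org.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {v for t, v in hits[i:] if t - t0 <= window}
            if len(seen) >= min_vectors:
                alerts[org] = sorted(seen)
                break
    return alerts


def make_docx(parts: dict) -> bytes:
    """Build a minimal OOXML-style ZIP from {part_name: bytes} (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part_name, content in parts.items():
            zf.writestr(part_name, content)
    return buf.getvalue()


# Constructed sample attachments: a macro document (vbaProject.bin part), a
# document with a DDEAUTO field, a clean document, an executable and a PDF.
MACRO_DOC = make_docx({"word/document.xml": b"<w:document/>",
                       "word/vbaProject.bin": b"\xd0\xcf\x11\xe0stub"})
DDE_DOC = make_docx({"word/document.xml":
                     b'<w:document><w:p><w:r><w:instrText xml:space="preserve">'
                     b" DDEAUTO example-field </w:instrText></w:r></w:p></w:document>"})
CLEAN_DOC = make_docx({"word/document.xml":
                       b"<w:document><w:p><w:t>quarterly agenda</w:t></w:p></w:document>"})
EXE_FILE = b"MZ\x90\x00" + b"\x00" * 60
PDF_FILE = b"%PDF-1.4 constructed sample"

# Constructed gateway events: ministry-a is hit by all three vectors in three
# days, ministry-b sees a single vector, ministry-c receives only a PDF.
SAMPLE_EVENTS = [
    {"time": datetime(2018, 6, 1), "org": "ministry-a", "attachment": "agenda.docm", "data": MACRO_DOC},
    {"time": datetime(2018, 6, 2), "org": "ministry-a", "attachment": "brief.docx", "data": DDE_DOC},
    {"time": datetime(2018, 6, 3), "org": "ministry-a", "attachment": "update.exe", "data": EXE_FILE},
    {"time": datetime(2018, 6, 1), "org": "ministry-b", "attachment": "viewer.exe", "data": EXE_FILE},
    {"time": datetime(2018, 6, 2), "org": "ministry-b", "attachment": "agenda.docx", "data": CLEAN_DOC},
    {"time": datetime(2018, 6, 1), "org": "ministry-c", "attachment": "invite.pdf", "data": PDF_FILE},
]

if __name__ == "__main__":
    for org, vectors in parallel_vector_alerts(SAMPLE_EVENTS).items():
        print(f"{org}: {len(vectors)} distinct delivery vectors {vectors}")
```

The per-attachment classifiers are deliberately static (ZIP part names, a field-code regex, a file signature) so the check runs on the gateway without rendering the document; the correlation step is what distinguishes a parallel campaign from an isolated phish, and narrowing the window or raising `min_vectors` trades recall for fewer alerts.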
Palo Alto Networks says that Sofacy deployed these recent "parallel attacks" for campaigns targeting government organizations dealing with foreign affairs. The group didn't focus on particular countries, but targeted foreign affairs organizations all over the world, from North America to Asia.
The Palo Alto Networks report details Sofacy's most recent tactics. If our readers are interested in reading more and getting a deeper look into Sofacy's recent hacking efforts, Palo Alto Networks has previously published reports detailing Sofacy's February and March campaigns. Further, ESET, McAfee, and Kaspersky Lab have also published recent reports on Sofacy's 2017 activities.