Sofacy parallel attacks

A well-known Russian cyber-espionage group has subtly changed its modus operandi, moving to what security researchers from Palo Alto Networks are calling "parallel attacks."

These new "parallel attacks" are in stark contrast with what security researchers from multiple cyber-security firms have previously seen from Sofacy, a well-known APT (advanced persistent threat, a term used to describe nation-state hackers).

For the past few years, this group —which has also been known under names like APT28, Sednit, Fancy Bear, Pawn Storm, and Tsar Team— has operated in a similar manner by targeting a small number of users inside an organization, usually with the same exploit chain and the same malware.

Sofacy widens attack arsenal for increased infection rate

But in a report published yesterday, Palo Alto Networks researchers have revealed that the group has evolved from this stealthier tactic to a shotgun approach, regularly seen in the tactics of financially motivated hackers.

The first thing that jumped out to researchers is that instead of targeting a few key individuals inside an organization, the group is targeting a larger number of victims.

"The targeted individuals did not follow any significant pattern, and the email addresses were found easily using web search engines," said Palo Alto Networks researchers Bryan Lee and Robert Falcone.

"This is a stark contrast with other attacks commonly associated with the Sofacy group where generally no more than a handful of victims are targeted within a single organization in a focus-fire style of attack."

Sofacy diversifies infection chains, malware payloads

But besides targeting more users than usual, security experts have also noticed another new wrinkle in Sofacy's M.O. According to Palo Alto Networks, the group is now deploying multiple different attack methods to infect victims with varying strains of malware, sometimes at the same time, hence the name "parallel attacks."

Palo Alto Networks says it has seen the group using spear-phishing emails that spread Office documents laced with macros, Office documents leveraging a well-known DDE exploit, and emails with classic executable files as attachments.

Victims who downloaded and ran these booby-trapped files were infected with the Koadic remote access trojan or one of three versions of the Zebrocy backdoor.

What was quite peculiar is that the three Zebrocy versions were coded in different programming languages (AutoIt, C++, Delphi), all of which were deployed in the recent attacks, sometimes against the same target organization.

This, again, stood out as it was quite a unique tactic for an APT, and Sofacy in particular.

"In our research, we have not seen the Sofacy threat group use variations of the same tool developed in multiple languages for the same operating system as part of the same attack campaign," Lee and Falcone told Bleeping Computer via email yesterday.

"However, there have been at least two instances where they ported an existing tool to a completely new platform [1, 2], leading us to believe it is certainly within their capabilities to switch up development languages mid-attack, or even change tactics to ultimately accomplish their mission."

Parallel attacks deployed against orgs involved in foreign affairs

As mentioned before, this shotgun approach of deploying different malware through different infection channels is not usually a method employed by APT groups, but rather by desperate low-level cyber-criminals looking to infect victims at any cost.

The reason is that shotgun targeting through parallel exploit chains leaves attackers more exposed to detection: there are more artifacts for security software to pick up during an attack than in a carefully honed single-vector approach, which leaves far fewer detectable items.
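As an added illustration of the detection point above (this is example code, not from the Palo Alto Networks report or from Bleeping Computer), the script below correlates alert events per target organization and flags those hit by several distinct delivery vectors (the macro document, DDE document and executable-attachment lures described earlier) and several malware families within a short window. The pipe-separated event format, the field names and every sample value are constructed assumptions; the vector and family labels simply mirror the categories the article names.

```python
"""Correlate per-organization alerts to surface a "parallel attack" pattern.

Added example; not code from the report or the article. The event format and
all sample values below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: timestamp | target org | recipient | vector | family
SAMPLE_EVENTS = """\
2018-06-05T09:12:00|org-a.example|alice@org-a.example|macro_doc|zebrocy_autoit
2018-06-05T09:15:00|org-a.example|bob@org-a.example|dde_doc|zebrocy_delphi
2018-06-05T10:40:00|org-a.example|carol@org-a.example|exe_attachment|koadic
2018-06-05T11:02:00|org-b.example|dave@org-b.example|macro_doc|zebrocy_cpp
2018-06-06T08:00:00|org-c.example|erin@org-c.example|macro_doc|zebrocy_cpp
2018-06-09T08:00:00|org-c.example|frank@org-c.example|dde_doc|koadic
"""


def parse_events(text):
    """Parse pipe-separated alert lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, org, recipient, vector, family = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "org": org,
            "recipient": recipient,
            "vector": vector,
            "family": family,
        })
    return events


def find_parallel_campaigns(events, window=timedelta(hours=48),
                            min_vectors=2, min_recipients=2):
    """Return {org: summary} for organizations where, inside `window`,
    at least `min_vectors` distinct delivery vectors reached at least
    `min_recipients` distinct people. A single-vector, single-victim lure
    (the classic focus-fire pattern) never trips this rule."""
    by_org = defaultdict(list)
    for event in events:
        by_org[event["org"]].append(event)

    findings = {}
    for org, org_events in by_org.items():
        org_events.sort(key=lambda e: e["ts"])
        # Slide a window anchored on each event; report the first cluster
        # that satisfies the thresholds.
        for i, start in enumerate(org_events):
            cluster = [e for e in org_events[i:]
                       if e["ts"] - start["ts"] <= window]
            vectors = {e["vector"] for e in cluster}
            families = {e["family"] for e in cluster}
            recipients = {e["recipient"] for e in cluster}
            if len(vectors) >= min_vectors and len(recipients) >= min_recipients:
                findings[org] = {
                    "first_seen": start["ts"].isoformat(),
                    "vectors": sorted(vectors),
                    "families": sorted(families),
                    "recipients": len(recipients),
                }
                break
    return findings


def demo(window=timedelta(hours=48)):
    """Run the correlation over the constructed sample events."""
    return find_parallel_campaigns(parse_events(SAMPLE_EVENTS), window=window)


if __name__ == "__main__":
    for org, summary in demo().items():
        print(org, summary)
```

With the default 48-hour window only org-a.example is flagged: three recipients, three delivery vectors and three malware families within about ninety minutes. org-b.example sees a single lure and org-c.example's two lures are 72 hours apart, so neither matches; widening the window to 100 hours flags org-c.example as well, which is the knob a detection engineer would tune against their own alert volume.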

Palo Alto Networks says that Sofacy deployed these recent "parallel attacks" for campaigns targeting government organizations dealing with foreign affairs. The group didn't focus on particular countries, but targeted foreign affairs orgs all over the world, from North America to Asia.

The Palo Alto Networks report details Sofacy's most recent tactics. If our readers are interested in reading more and getting a deeper look into Sofacy's recent hacking efforts, Palo Alto Networks has previously published reports detailing Sofacy's February and March campaigns. Further, ESET, McAfee, and Kaspersky Lab have also published recent reports on Sofacy's 2017 activities.
