Following the news on the latest DNC breach, Costin Raiu, Director at Kaspersky Lab’s Global Research and Analysis Team, commented below.

Costin Raiu, Director at Kaspersky Lab’s Global Research and Analysis Team:

Costin RaiuKaspersky Lab is familiar with and detects the activities of both the Sofacy and CozyDuke APT groups, which are also known as Fancy Bear and Cozy Bear.

One of the most worrying things about the DNC breach is that according to published information, the CozyDuke threat actor was able to penetrate the organisation’s perimeter, apparently through a phishing attack, and move freely around the network for a whole year before being detected – by which time another advanced threat actor, Sofacy had successfully conducted a similar attack.

The fact that two known, Russian-speaking cyberespionage groups were found in the network of one organisation is particularly intriguing. The CozyDuke and Sofacy groups are both considered to be nation-state sponsored, and the fact that they’re both hunting for data in the same network may indicate that there is an element of competition between them.

The Sofacy advanced threat group, also known as Fancy Bear, Sednit, STRONTIUM and APT28, has been active since at least 2008. By using a set of advanced malicious tools that include deploying at least six zero-day exploits during the last two years, it hunts for secret data stored in the networks of organisations around the world, with a focus on NATO countries, Ukraine, governments, and military contractors.

The Global Research and Analysis Team at Kaspersky Lab observed that over the 2015, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena. This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and Java zero-day. At the beginning of August 2015, Sofacy began a new wave of attacks, focusing on defense-related targets.

To protect an organisation against sophisticated targeted attacks, including those by Sofacy and CozyDuke, Kaspersky Lab recommends using a multi-layered approach that combines:

  • Robust and trusted anti-malware solutions,
  • Patch management,
  • Host intrusion detection,
  • Whitelisting and default-deny strategies,
  • Raising awareness among employees on cyber-safety matters
  • Investing in threat intelligence services in order to build awareness of the emerging threats that might affect your organisation and compromise your business

Kaspersky Lab’s experts continue to track the activities of these threat actors as well as new and emerging threats. Kaspersky Security Intelligence Services can help organisations to assess the level of risk and prevent possible losses.