From Russia with Love: Sofacy/Sednit/APT28 Is in Town

By   ISBuzz Team
Writer , Information Security Buzz | Oct 30, 2014 04:05 pm PST

Recently, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET, and others.

Featured Download: Social media access at work. Do your employees know the rules?

We have been tracking this threat actor from Russia (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya, and Georgia that indicates one of the group’s objectives is gathering geopolitical intelligence.

The techniques used by this group have evolved over the years.


Most of the spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

– CVE-2010-3333
– CVE-2012-0158
– CVE-2014-1761

As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

We cover these tools using the following rules with USM:

– System Compromise, Targeted Malware, OLDBAIT – Sofacy
– System Compromise, Targeted Malware, Chopstick – Sofacy
– System Compromise, Targeted Malware, Coreshell – Sofacy
– System Compromise, C&C Communication, Sofacy Activity

Web compromises

The group has been seen infecting websites and redirecting visitors to a custom exploit kit being able to take advantage of the following vulnerabilities affecting Internet Explorer:

– CVE-2013-1347
– CVE-2013-3897
– CVE-2014-1776

The following rule detects activity related to this exploit kit:

– Exploitation & Installation, Malicious website – Exploit Kit, Sednit EK

Phishing campaigns

This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim’s company. This technique is used to compromise credentials and access mailboxes and other services within the company.

Inspecting the content of the malicious redirect we can alert on this activity using the following rule:

– Delivery & Attack, Malicious website, Sofacy Phishing

By Jaime Blasco, Director, AlienVault Labs

About AlienVault Labs

AlienVaultAlienVault Labs conducts security research on global threats and vulnerabilities. The team of security experts, led by renowned Labs director, Jaime Blasco, constantly monitors, analyzes, reverse engineers, and reports on sophisticated zero-day threats including malware, botnets, phishing campaigns and more.

Using an ever-expanding array of manual and automated techniques, AlienVault Labs researchers ensure that AlienVault’s Unified Security Management™ platform is always up-to-date with the latest threat intelligence. In addition, the Labs also runs AlienVault’s Open Threat Exchange™ (OTX), an open information sharing and analysis network that provides real-time, actionable threat information submitted by over 8,000 contributors from over 140 countries.

The discoveries of the AlienVault Labs researchers are shared regularly on their blog, and you’ll see them quoted in the news often!