The Fancy Bear hackers turn their attention to military objectives in the Far East

- Adrian Ungureanu

Kaspersky Lab researchers have observed that the Russian-speaking threat actor Sofacy, also known as APT28 or Fancy Bear is shifting its targeting to the Far East, with a strong interest in military, defense and diplomatic organizations – in addition to its traditional NATO-related targets.

The researchers discovered that Sofacy sometimes overlaps with other threat actors when targeting victims, including with the Russian-speaking Turla and the Chinese-speaking Danti, Most intriguingly of all, they found Sofacy backdoors on a server previously compromised by the English-language threat actor behind the Lamberts. The server belongs to a military and aerospace conglomerate in China.

Sofacy is a highly active and prolific cyberespionage group that Kaspersky Lab’s researchers have been tracking for many years. In February, Kaspersky Lab published an overview of Sofacy’s activities in 2017, revealing a gradual move away from NATO-related targets towards the Middle East, Central Asia, and beyond.

Sofacy uses spear-phishing and sometimes water-holing to steal information, including account credentials, sensitive communications and documents. It is also suspected of delivering destructive payloads to various targets.

“Sofacy is sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured, and agile. Their activity in the East has been largely under-reported, but they are clearly not the only threat actor interested in this region, or even in the same targets. As the threat landscape grows ever more crowded and complex, we may encounter more examples of target overlap – and it could explain why many threat actors check victim systems for the presence of other intruders before fully launching their attacks,” said Kurt Baumgartner, Principal Security Researcher, Kaspersky Lab.

For organizations with military, defense and foreign affairs-related operations in the regions affected, Kaspersky Lab recommends implementing the following measures to avoid falling victim to an advanced targeted attack:
• Use a proven corporate grade security solution in combination with anti-targeted attack technologies and threat intelligence, like Kaspersky Threat Management and Defense solution. These are capable of spotting and catching advanced targeted attacks by analyzing network anomalies and give cybersecurity teams full visibility over the network and response automation;
• Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack research and prevention, such as indicators of compromise (IOC), YARA and customized advanced threat reporting;
• If you spot early indicators of a targeted attack, consider managed protection services that will allow you to proactively detect advanced threats, reduce dwell time and arrange timely incident response.