Earlier this week, cybersecurity firm Palo Alto Networks reported that the Sofacy group (also known as “Fancy Bear”, “APT28” and “Grizzly Steppe”, among other names) is behind a spear phishing attack aimed at foreign ministries and foreign affairs agencies in North America and Europe.
The Sofacy group is widely believed to be connected to the Russian government. The U.S. intelligence community blamed the hacking group for cyberattacks against the Democratic Party ahead of the 2016 U.S. presidential election. Palo Alto Networks has not explicitly linked the group to Russia or any other nation state, but other cybersecurity firms including FireEye and Crowdstrike have said it is linked to Russia.
Palo Alto Networks said that Sofacy used the same tools and methodology in the present attack as it had done in the past. In a blog post on its site, Christopher Budd, Senior Threat Communications Manager, says, “Given the significant activity attributed to Sofacy, and the new evidence directly targeting the diplomatic community, Palo Alto Networks wants to ensure that foreign affairs agencies around the world understand how the attacks are carried out, and what agencies and personnel can do to protect themselves”.
The security firm then sets out in detail how the attacks are carried out, and describes the way in which they begin: with an email sent to a “carefully chosen target in the agency”. The most recent spoofed emails appear to come from Jane’s 360 Defense Events, which routinely supplies information and analysis to governments on defense matters. The email pretends to concern Jane’s 360 events coming up in 2018, and carries an attachment the recipient must download to read. Once they have done so, a blank Excel spreadsheet opens, and the recipient is encouraged to click “Enable Content”, as the accompanying email directs. Clicking that button both reveals the promised information and silently installs a program on the system, which gives the attackers “complete control over the computer and can enable them to copy documents, usernames, passwords, account information and even take screenshots”.
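A defender-side check for the lure described above, added here as an example and not taken from the article or from Palo Alto Networks’ report: it flags an attachment that carries a VBA project, the component whose execution the “Enable Content” button authorizes. The sample workbook archives are constructed inline; real-world use would run this against quarantined mail attachments.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .xls/.doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-ole', or 'other'.

    Modern Office files (.xlsx/.xlsm/.docm) are zip archives. A VBA project
    is stored as xl/vbaProject.bin (or word/vbaProject.bin); its presence is
    what makes 'Enable Content' run code, whatever the file extension says.
    Legacy OLE files need a dedicated parser (e.g. oletools), so they are
    only reported as such here for separate inspection.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return "other"
    if any(n.endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like archive for testing (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", build_sample(True)), ("clean", build_sample(False))):
        print(label, "->", classify_attachment(blob))
```

A macro project is not proof of malice on its own; the practical policy is to quarantine such attachments from external senders for review and to block macros from Internet-sourced files by default.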
Palo Alto Networks believes that the tooling Sofacy used to build the macro closely resembles that found within Luckystrike, a toolkit that generates malicious delivery documents.
Palo Alto notes that Sofacy’s earlier attack patterns showed reuse of WHOIS artifacts, reuse of IP addresses, and recurring themes in domain name choices. Sofacy’s “attack attempts are likely still succeeding, even with the wealth of threat intelligence available in the public domain,” it states.