Sofacy Group

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.

The Sofacy Group employs spear phishing attacks, using malware to gain control of systems via a command and control infrastructure.

Targets

The Sofacy Group's targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, security-related organizations such as NATO, as well as US defense contractors Academi (formerly known as Blackwater) and Science Applications International Corporation (SAIC).[1]

Security reports

Trend Micro designated the actors behind the Sofacy malware as Operation Pawn Storm on October 22, 2014.[2] The name was due to the group's use of "two or more connected tools/tactics to attack a specific target similar to the chess strategy."[3]

Network security firm FireEye released a detailed report on Sofacy in October 2014. The report designated the group as "Advanced Persistent Threat 28" (APT28) and described how the hacking group used zero-day exploits of the Microsoft Windows operating system and Adobe Flash.[4] The report found operational details indicating that the source is a "government sponsor based in Moscow". Evidence collected by FireEye suggested that the Sofacy Group's malware was compiled primarily in a Russian-language build environment and that compilation occurred mainly during work hours in Moscow's time zone.[5] FireEye director of threat intelligence Laura Galante referred to the group's activities as "state espionage"[6] and said that targets also include "media or influencers."[7][8]

Attacks

German attack

Sofacy is thought to have been responsible for a six-month long attack on the German parliament that began in December 2014.[9]

TV5Monde cyber-attack

On April 8, 2015, French television network TV5Monde was the victim of a cyberattack by a hacker group calling itself "CyberCaliphate" and claiming to have ties to the terrorist organization Islamic State of Iraq and the Levant (ISIL). Hackers breached the network's internal systems, possibly aided by passwords openly broadcast by TV5,[10] overriding the broadcast programming for over three hours.[11] Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into April 9.[11] Various computerised internal administrative and support systems including e-mail were also still shut down or otherwise inaccessible due to the attack.[12][11] The hackers also hijacked TV5Monde's Facebook and Twitter pages to post the personal information of relatives of French soldiers participating in actions against the organization, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were "gifts" for his "unforgivable mistake" of partaking in conflicts that "[serve] no purpose".[13][11]

As part of the official response to the attack, the French Minister of Culture and Communications, Fleur Pellerin, called for an emergency meeting of the heads of various major media outlets and groups. The meeting took place on April 10 at an undisclosed location.[12] The French Prime Minister Manuel Valls called the attack "an unacceptable insult to freedom of information and expression".[12] His cabinet colleague, the Interior Minister Bernard Cazeneuve, attempted to allay public concern by stating that France "had already increased its anti-hacking measures to protect against cyber-attacks" following the aforementioned terrorist attacks in January of that year, which had left a total of 20 people dead.[12]

French investigators later discounted the theory that militant Islamists were behind the cyber attack, instead suspecting the involvement of Sofacy.[14]

EFF spoof, White House and NATO attack

In August 2015, Sofacy used a zero-day exploit of Java, spoofing the Electronic Frontier Foundation and launching attacks on the White House and NATO. The hackers used a spear phishing attack, directing emails to the false URL electronicfrontierfoundation.org.[15][16]

References

  1. Yadron, Danny (October 28, 2014). "Hacking Trail Leads to Russia, Experts Say". Wall Street Journal.
  2. Gogolinski, Jim. "Operation Pawn Storm: The Red in SEDNIT". Trend Micro.
  3. "Operation Pawn Storm: Using Decoys to Evade Detection" (PDF). Trend Micro. 2014.
  4. Menn, Joseph (April 18, 2015). "Russian cyber attackers used two unknown flaws: security company". Reuters.
  5. Kumar, Mohit (October 30, 2014). "APT28 — State Sponsored Russian Hacker Group". The Hacker News.
  6. Mamiit, Aaron (October 30, 2014). "Meet APT28, Russian-backed malware for gathering intelligence from governments, militaries: Report". Tech Times.
  7. "APT28: A Window into Russia's Cyber Espionage Operations?". FireEye. October 27, 2014.
  8. Weissman, Cale Guthrie (June 11, 2015). "France: Russian hackers posed as ISIS to hack a French TV broadcaster". Business Insider.
  9. "Russian Hackers Suspected In Cyberattack On German Parliament". London South East (Alliance News). June 19, 2015.
  10. "Hacked French network exposed its own passwords during TV interview". Ars Technica.
  11. "Isil hackers seize control of France's TV5Monde network in 'unprecedented' attack". Daily Telegraph. April 9, 2015. Retrieved April 10, 2015.
  12. "French media groups to hold emergency meeting after Isis cyber-attack". The Guardian. April 9, 2015. Retrieved April 10, 2015.
  13. "French TV network TV5Monde 'hacked by cyber caliphate in unprecedented attack' that revealed personal details of French soldiers". The Independent. April 9, 2015. Retrieved April 9, 2015.
  14. "France probes Russian lead in TV5Monde hacking: sources". Reuters. June 10, 2015. Retrieved July 9, 2015.
  15. Doctorow, Cory (August 28, 2015). "Spear phishers with suspected ties to Russian government spoof fake EFF domain, attack White House". Boing Boing.
  16. Quintin, Cooper (August 27, 2015). "New Spear Phishing Campaign Pretends to be EFF". EFF.
This article is issued from Wikipedia - version of the Monday, December 28, 2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.