The Russia-linked cyber espionage group known as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium has shifted its focus from NATO member countries and Ukraine to Central Asia and even further east, Kaspersky Lab reported on Tuesday.
Sofacy, which is believed to be behind attacks targeting the 2016 presidential election in the United States, has been known to target Ukraine and NATO countries. NATO was heavily targeted in early 2017, including with zero-day exploits, but Kaspersky said the group later started to shift its focus towards the Middle East and Central Asia, which had been less targeted in the first half of the year.
According to the security firm, by mid-2017, detections of a Sofacy backdoor tracked as SPLM, CHOPSTICK and X-Agent showed that the hackers had been increasingly targeting former Soviet countries in Central Asia, including telecoms firms and defense-related organizations. The attacks were aimed at countries such as Turkey, Kazakhstan, Armenia, Kyrgyzstan, Jordan and Uzbekistan.
Attacks involving SPLM and a tool tracked as Zebrocy were increasingly spotted between the second and fourth quarters of 2017 further east. The list of countries where these pieces of malware were detected by Kaspersky includes China, Mongolia, South Korea and Malaysia.
Zebrocy, which allows attackers to collect data from victims, has been used to target various types of organizations, including accounting firms, science and engineering centers, industrial organizations, ministries, embassies and consulates, national security and intelligence agencies, press and translation services, and NGOs.
As for the infrastructure used in these attacks, researchers pointed out that Sofacy has been fairly consistent throughout the years and many of its techniques and patterns have been publicly disclosed. As a result, Kaspersky expects to see some changes this year.
“Sofacy is one of the most active threat actors we monitor, and it continues to spear-phish its way into targets, often on a remarkable global scale,” explained Kurt Baumgartner, principal security researcher at Kaspersky Lab. “Our data and detections show that in 2017, the threat actor further developed its toolset as it moved from high volume NATO spear-phish targeting towards the Middle East and Central Asia, before finally shifting its focus further East. Mass campaigns appear to have given way to subsets of activity and malware involving such tools as Zebrocy and SPLM.”