Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.

We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence.

The techniques used by this group have evolved over the years.

- Spearphishing

Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

CVE-2010-3333

CVE-2012-0158

CVE-2014-1761

As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

We cover these tools using the following rules with USM:

System Compromise, Targeted Malware, OLDBAIT - Sofacy

System Compromise, Targeted Malware, Chopstick - Sofacy

System Compromise, Targeted Malware, Coreshell - Sofacy

System Compromise, C&C Communication, Sofacy Activity

- Web compromises

The group has been seen infecting websites and redirecting visitors to a custom exploit kit being able to take advantage of the following vulnerabilities affecting Internet Explorer:

CVE-2013-1347

CVE-2013-3897

CVE-2014-1776

The following rule detects activity related to this exploit kit:

Exploitation & Installation, Malicious website - Exploit Kit, Sednit EK

- Phishing campaigns

This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.

Inspecting the content of the malicious redirect we can alert on this activity using the following rule:

Delivery & Attack, Malicious website, Sofacy Phishing

References:

[1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf

[2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/

[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf

[4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/

[5] http://malware.prevenity.com/2014/08/malware-info.html

[6] http://www.fireeye.com/resources/pdfs/apt28.pdf