Russia-linked Sofacy APT targets an unnamed European Government agency

While US-CERT warns of cyber attacks against critical infrastructure in the energy sectors, Russia-linked Sofacy APT is targeting a government agency in Europe.

Last week the US Government announced sanctions against five Russian entities and 19 individuals, including the FSB, the military intelligence agency GRU.

Despite the sanctions, Russian hackers continue to target entities worldwide, including US organizations.

The Russian spy agencies and the individuals are accused of trying to influence the 2016 presidential election and launching massive NotPetya ransomware campaign and other attacks on businesses in the energy industry.

Last year, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.

Now the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.

The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it label the attackers as “Russian government cyber actors.”

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert.

“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.”

According to the DHS, based on the analysis of indicators of compromise, the Dragonfly threat actor is still very active and its attacks are ongoing.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

The Russian Government has always denied the accusations, in June 2017 Russian President Putin declared that patriotic hackers may have powered attacks against foreign countries and denied the involvement of Russian cyberspies.

A few days ago, cyber security experts at Palo Alto Networks uncovered hacking campaigns launched by Sofacy against an unnamed European government agency leveraging an updated variant of the DealersChoice tool.

“On March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice.” reads the analysis published by PaloAlto Networks.

“The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed. One of the differences was a particularly clever evasion technique.”

The attacks uncovered by PaloAlto aimed at a government organization in Europe used a spear phishing email referencing the “Underwater Defence & Security” conference, which will take place in the U.K. later this month.

While previous versions of DealersChoice loaded a malicious Flash object as soon as the bait document was opened, the samples analyzed by PaloAlto that were related to the last attacks include the Flash object on page three of the document and it’s only loaded if users scroll down to it.

“The user may not notice the Flash object on the page, as Word displays it as a tiny black box in the document, as seen in Figure 1. This is an interesting anti-sandbox technique, as it requires human interaction prior to the document exhibiting any malicious activity.” states the analysis.

Early February, experts from Kaspersky highlighted a shift focus in the Sofacy APT group’s interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – energy firms, critical infrastructure)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.