Sofacy Group

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.

The Sofacy Group employs spear phishing attacks, using malware to gain control of systems via a command and control infrastructure.

Targets

The Sofacy Group's targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, security-related organizations such as NATO, as well as US defense contractors Academi (formerly known as Blackwater) and Science Applications International Corporation (SAIC).^[1]

Security reports

Trend Micro designated the actors behind the Sofacy malware as Operation Pawn Storm on October 22, 2014.^[2] The name was due to the group's use of "two or more connected tools/tactics to attack a specific target similar to the chess strategy."^[3]

Network security firm FireEye released a detailed report on Sofacy in October 2014. The report designated the group as "Advanced Persistent Threat 28" (APT28) and described how the hacking group used zero-day exploits of the Microsoft Windows operating system and Adobe Flash.^[4] The report found operational details indicating that the source is a "government sponsor based in Moscow". Evidence collected by FireEye suggested that the Sofacy Group's malware was compiled primarily in a Russian-language build environment and occurred mainly during work hours in Moscow's time zone.^[5] FireEye director of threat intelligence Laura Galante referred the group's activities as "state espionage"^[6] and said that targets also include "media or influencers."^[7][8]

Attacks

German attack

Sofacy is thought to have been responsible for a six-month long attack on the German parliament that began in December 2014.^[9]

TV5Monde cyber-attack

On April 8, 2015, French television network TV5Monde was the victim of a cyberattack by a hacker group calling itself "CyberCaliphate" and claiming to have ties to the terrorist organization Islamic State of Iraq and the Levant (ISIL). Hackers breached the network's internal systems, possibly aided by passwords openly broadcast by TV5,^[10] overriding the broadcast programming for over three hours.^[11] Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into April 9.^[11] Various computerised internal administrative and support systems including e-mail were also still shut down or otherwise inaccessible due to the attack.^[12][11] The hackers also hijacked TV5Monde's Facebook and Twitter pages to post the personal information of relatives of French soldiers participating in actions against the organization, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were "gifts" for his "unforgivable mistake" of partaking in conflicts that "[serve] no purpose".^[13][11]

As part of the official response to the attack, the French Minister of Culture and Communications, Fleur Pellerin, called for an emergency meeting of the heads of various major media outlets and groups. The meeting took place on April 10 at an undisclosed location.^[12] The French Prime Minister Manuel Valls called the attack "an unacceptable insult to freedom of information and expression".^[12] His cabinet colleague, the Interior Minister Bernard Cazeneuve attempted to allay public concern by stating that France "had already increased its anti-hacking measures to protect against cyber-attacks" following the aforementioned terrorist attacks on January earlier that year, which had left a total of 20 people dead.^[12]

French investigators later discounted the theory that militant Islamists were behind the cyber attack, instead suspecting the involvement of Sofacy.^[14]

EFF spoof, White House and NATO attack

In August 2015, Sofacy used a zero-day exploit of Java, spoofing the Electronic Frontier Foundation and launching attacks on the White House and NATO. The hackers used a spear phishing attack, directing emails to the false url electronicfrontierfoundation.org.^[15][16]

See also

• Cyberwarfare in Russia
• Russian espionage in the United States
• Trolls from Olgino

References

<templatestyles src="Reflist/styles.css" />

1. ↑ Lua error in package.lua at line 80: module 'strict' not found.
2. ↑ Lua error in package.lua at line 80: module 'strict' not found.
3. ↑ Lua error in package.lua at line 80: module 'strict' not found.
4. ↑ Lua error in package.lua at line 80: module 'strict' not found.
5. ↑ Lua error in package.lua at line 80: module 'strict' not found.
6. ↑ Lua error in package.lua at line 80: module 'strict' not found.
7. ↑ Lua error in package.lua at line 80: module 'strict' not found.
8. ↑ Lua error in package.lua at line 80: module 'strict' not found.
9. ↑ Lua error in package.lua at line 80: module 'strict' not found.
10. ↑ Hacked French network exposed its own passwords during TV interview - arstechnica
11. ↑ ^{11.0 11.1 11.2 11.3} Lua error in package.lua at line 80: module 'strict' not found.
12. ↑ ^{12.0 12.1 12.2 12.3} Lua error in package.lua at line 80: module 'strict' not found.
13. ↑ Lua error in package.lua at line 80: module 'strict' not found.
14. ↑ Lua error in package.lua at line 80: module 'strict' not found.
15. ↑ Lua error in package.lua at line 80: module 'strict' not found.
16. ↑ Lua error in package.lua at line 80: module 'strict' not found.