ATK5

Presumed Origin: Russia < Back

Alias: APT 28, APT28, Fancy Bear, Group-4127, Group 74, IRON TWILIGHT, Pawn Storm, PawnStorm, SIG40, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, TAG_0700, TG-4127, Threat Group-4127, Tsar Team, TsarTeam, apt_sofacy

ATK5 (aka: Sofacy, APT28) is a Russian state-sponsored group of attackers operating since 2004 if not earlier, whose main objective is to steal confidential information from specific targets such as political and military targets that benefit the Russian government. It is a skilled team which has the capabilities to develop complex modular malwares and exploit multiple 0-days. Their malwares are compiled with Russian language setting and during the Russian office working hours. Despite number of public disclosure from European governments and indictments from the U.S. Department of Justice, this adversary continues to launch operation targeting the political and defense sector in Europe and Eurasia.

Between 2007 and 2014, ATK5 had three kind of targets:

Georgian government agencies (Ministry of Internal Affairs and Ministry of Defense) or citizens
Eastern European governments
Security organisations

The attack of the Georgian Ministry of Defense can be a response to the growing U.S.-Georgian military relationship. In 2013, the group targeted a journalist which is a way to monitor public opinion, spread disinformations or identify dissident.

During 2015 and 2016, this group’s activity has increased significantly, with numerous attacks against government departments and embassies all over the world.

Among their most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde. ATK5 seems to have a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics. They alos have been implicated in the U.S. presidential election attacks in late 2016.

The 2016 attacks were visible and disruptive but in 2017 the group operates a great change to more stealthy attacks to gather intelligence about a range of targets.

One of the striking characteristics of ATK5 is its ability to come up with brand-new 0-day vulnerabilities regularly. In 2015, the group exploited no fewer than six 0-day vulnerabilities. This high number of 0-day exploits suggests significant resources available, either because the group members have the skills and time to find and weaponize these vulnerabilities, or because they have the budget to purchase the exploits. In addition, APT28 tries to profile its target system to deploy only the needed tools. This prevents researchers from having access to their full arsenal.

REFERENCES

- MITRE ATT&CK, APT28, https://attack.mitre.org/groups/G0007/
- 27/10/2014, FireEye, APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?, https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
- 27/10/2014, TrendMicro, Operation Pawn Storm, https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
- 04/02/2015, TrendMicro, Pawn Storm Update: iOS Espionage App Found, https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/
- 16/04/2015, TrendMicro, Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House, https://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house/
- 18/04/2015, FireEye, Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack, https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
- 19/06/2015, NETZPOLITIK.ORG, Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag, https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
- 08/09/2015, F-Secure, Sofacy Recycles Carberp and Metasploit Code, https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/
- 04/12/2015, Kaspersky, Sofacy APT hits high profile targets with updated toolset, https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- 17/12/2015, Bitdefender, APT28 Under the Scope, https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf
- 14/06/2016, PaloAlto, New Sofacy Attacks Against US Government Agency, https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/
- 16/06/2016, Dell Secureworks, Threat Group 4127 Targets Hillary Clinton Presidential Campaign, https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign
- 20/07/2016, PaloAlto, Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks, https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
- 13/09/2016, WADA, WADA Confirms Attack by Russian Cyber Espionage Group, https://www.wada-ama.org/en/media/news/2016-09/wada-confirms-attack-by-russian-cyber-espionage-group
- 26/09/2016, PaloAlto, Sofacy’s ‘Komplex’ OS X Trojan, https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/
- 17/10/2016, PaloAlto, ‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform, https://unit42.paloaltonetworks.com/unit42-dealerschoice-sofacys-flash-player-exploit-platform/
- 20/10/2016, ESET, En Route with Sednit Part 1, https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf
- 25/10/2016, ESET, En Route with Sednit Part 2, https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
- 26/10/2016, ESET, En Route with Sednit Part 3, https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
- 22/12/2016, CrowdStrike, Use of Fancy Bear Android Malware In Tracking Of Ukrainian Filed Artillery Units, https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf
- 29/12/2016, NCCIC, GRIZZLY STEPPE – Russian Malicious Cyber Activity, https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
- 11/01/2017, FireEye, APT28: At The Center Of The Storm, https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
- 14/02/2017, PaloAlto, XAgentOSX: Sofacy’s XAgent macOS Tool, https://unit42.paloaltonetworks.com/unit42-xagentosx-sofacys-xagent-macos-tool/
- 25/04/2017, TrendMicro, Two Years of Pawn Storm, https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
- 11/08/2017, FireEye, APT28 Targets Hospitality Sector, Presents Threat to Travelers, https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
- 22/10/2017, Talos, “Cyber Conflict” Decoy Document Used In Real Cyber Conflict, https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
- 07/11/2017, McAfee, Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack, https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/
- 20/02/2018, Kaspersky, A Slice of 2017 Sofacy Activity, https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
- 28/02/2018, PaloAlto, Sofacy Attacks Multiple Government Entities, https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/
- 09/03/2018, Kaspersky, Masha and these Bears, https://securelist.com/masha-and-these-bears/84311/
- 15/03/2018, PaloAlto, Sofacy Uses DealersChoice to Target European Government Agency, https://unit42.paloaltonetworks.com/unit42-sofacy-uses-dealerschoice-target-european-government-agency/
- 24/04/2018, ESET, Sednit update: Analysis of Zebrocy, https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
- 06/06/2018, PaloAlto, Sofacy Group’s Parallel Attacks, https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- 27/09/2018, ESET, LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group, https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
- 04/10/2018, Symantec, APT28: New Espionage Operations Target Military and Government Organizations, https://www.symantec.com/blogs/election-security/apt28-espionage-military-government
- 20/11/2018, ESET, Sednit: What’s going on with Zebrocy?, https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/
- 20/11/2018, PaloAlto, Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan, https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- 29/11/2018, Accenture, SNAKEMACKEREL, https://www.accenture.com/t20181129t203820z__w__/us-en/_acnmedia/pdf-90/accenture-snakemackerel-delivers-zekapab-malware.pdf
- 12/12/2018, PaloAlto, Dear Joohn: The Sofacy Group’s Global Campaign, https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/
- 18/12/2018, PaloAlto, Sofacy Creates New ‘Go’ Variant of Zebrocy Tool, https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/
- 22/05/2019, ESET, A journey to Zebrocy land, https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
- 05/08/2019, Microsoft, Corporate IoT – a path to intrusion, https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

Target sector

Aerospace
Defense
Defense contractors
Embassies
Energy
Government and administration agencies
Healthcare
High-Tech
Hospitality
International Organizations
Media
Political Organizations
Think Tank
Transportation
Universities

Target countries

Afghanistan
Armenia
Azerbaijan
Belarus
Belgium
Brazil
Bulgaria
Canada
China
France
Georgia
Germany
Hungary
Iran, Islamic Republic Of
Japan
Kazakhstan
Korea, Republic of
Latvia
Malaysia
Mongolia
Montenegro
Netherlands
Poland
Romania
Saudi Arabia
Slovakia
Spain
Sweden
Tajikistan
Turkey
Ukraine
United Kingdom Of Great Britain And Northern Ireland
United States Of America

Attack pattern

T1001 - Data Obfuscation
T1002 - Data Compressed
T1003 - Credential Dumping
T1005 - Data from Local System
T1014 - Rootkit
T1024 - Custom Cryptographic Protocol
T1025 - Data from Removable Media
T1027 - Obfuscated Files or Information
T1037 - Logon Scripts
T1040 - Network Sniffing
T1056 - Input Capture
T1057 - Process Discovery
T1059 - Command-Line Interface
T1064 - Scripting
T1067 - Bootkit
T1068 - Exploitation for Privilege Escalation
T1070 - Indicator Removal on Host
T1071 - Standard Application Layer Protocol
T1074 - Data Staged
T1075 - Pass the Hash
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1085 - Rundll32
T1086 - PowerShell
T1090 - Connection Proxy
T1091 - Replication Through Removable Media
T1092 - Communication Through Removable Media
T1099 - Timestomp
T1105 - Remote File Copy
T1107 - File Deletion
T1113 - Screen Capture
T1114 - Email Collection
T1119 - Automated Collection
T1120 - Peripheral Device Discovery
T1122 - Component Object Model Hijacking
T1134 - Access Token Manipulation
T1137 - Office Application Startup
T1140 - Deobfuscate/Decode Files or Information
T1158 - Hidden Files and Directories
T1173 - Dynamic Data Exchange
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1199 - Trusted Relationship
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1210 - Exploitation of Remote Services
T1211 - Exploitation for Defense Evasion
T1213 - Data from Information Repositories
T1221 - Template Injection
T1328 - Buy domain name
T1346 - Obtain/re-use payloads

Motivation

Espionage
Political Manipulation

Malwares

ADVSTORESHELL
Blitz backdoor
CORESHELL
Cannon
DealersChoice
Delphocy
Downdelph
Drovorub
HIDEDRV
JHUHUGIT
Komplex
LoJax
OLDBAIT
USBStealer
X-Agent
X-Agent for Android
XAgentOSX
XTunnel
Zebrocy

Vulnerabilities

CVE-2010-3333
CVE-2012-0158
CVE-2013-1347
CVE-2013-3897
CVE-2013-3906
CVE-2014-0515
CVE-2014-1761
CVE-2014-1776
CVE-2014-4076
CVE-2015-1641
CVE-2015-1642
CVE-2015-1701
CVE-2015-2387
CVE-2015-2424
CVE-2015-2590
CVE-2015-3043
CVE-2015-4902
CVE-2015-5119
CVE-2015-7645
CVE-2016-7255
CVE-2016-7855
CVE-2017-0144
CVE-2017-0262
CVE-2017-0263
CVE-2020-0688
CVE-2020-17144