Alias: APT 28, APT28, Fancy Bear, Group-4127, Group 74, IRON TWILIGHT, Pawn Storm, PawnStorm, SIG40, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, TAG_0700, TG-4127, Threat Group-4127, Tsar Team, TsarTeam, apt_sofacy
ATK5 (aka: Sofacy, APT28) is a Russian state-sponsored group of attackers operating since 2004, if not earlier, whose main objective is to steal confidential information from specific political and military targets in ways that benefit the Russian government. It is a skilled team with the capability to develop complex modular malware and to exploit multiple 0-days. Its malware is compiled with Russian language settings and during Russian office working hours. Despite a number of public disclosures from European governments and indictments from the U.S. Department of Justice, this adversary continues to launch operations targeting the political and defense sectors in Europe and Eurasia.
Between 2007 and 2014, ATK5 had three kinds of targets:
The attack on the Georgian Ministry of Defense may have been a response to the growing U.S.-Georgian military relationship. In 2013, the group targeted a journalist, which is a way to monitor public opinion, spread disinformation or identify dissidents.
During 2015 and 2016, this group's activity increased significantly, with numerous attacks against government departments and embassies all over the world.
Among their most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde. ATK5 seems to have a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics. The group has also been implicated in the attacks surrounding the U.S. presidential election in late 2016.
The 2016 attacks were visible and disruptive, but in 2017 the group made a marked shift toward stealthier attacks aimed at gathering intelligence on a range of targets.
One of the striking characteristics of ATK5 is its ability to come up with brand-new 0-day vulnerabilities regularly. In 2015, the group exploited no fewer than six 0-day vulnerabilities. This high number of 0-day exploits suggests significant resources, either because the group members have the skills and time to find and weaponize these vulnerabilities, or because they have the budget to purchase the exploits. In addition, APT28 profiles its target systems so as to deploy only the tools needed, which prevents researchers from gaining access to its full arsenal.