APT28 stronger, faster in recent months

Advanced persistent threat group (APT)APT28 has increased its activity tenfold by going after high profile targets with an updated set of tools, according to researchers at Kaspersky Lab.

The security firm’s Global Research & Analysis Team said the group also known as Sofacy, Fancy Bear, Sednit, and STRONTIUM has began a new wave of attacks using new tools and leading to an increase in defense-related targets and an increase in activity in Ukraine, according to a Dec. 4 blog post.

“The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance. Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as “Mimikatz” for lateral movement,” researchers said in the blog.

Researchers spotted the first versions of the AZZY implant in August and said the group is attacking more frequently than before while using more sophisticated methods including multi-backdoor packages for extreme resilience to attack better defended targets.

“In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself,” researchers said in the post.

The most recent waves of attacks also included a new generation of USB stealers that appear to be geared exclusively toward high-profile targets, the report said.

Kurt Baumgartner, principal security researcher at Kaspersky Lab, told SCMagzine.com that the group’s activities are classic cyber espionage and that its use of new tools show that the group is developing stronger methods to overcome better defended targets including those that use air gaps.

He said that the group is very technically capable and that they will develop what they need to attack the targets.

“This quick work is a new characteristic of their work, and this stepped up urgency is something that is unusual. In general, APT intrusions can last months or longer, and in these cases, we see Sofacy acting with unusually ramped urgency,” Baumgartner said.

Researchers said in the post the best defense against targeted attacks is a multi-layered approach that combines traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies.

 

SOURCE: Robert Abel | scmagazine.com

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s