CANCUN, Mexico – A new analysis of the Russian-speaking Sofacy APT gang shows a continual march toward Far East targets and overlapping of activities with other groups such as Lamberts, Turla and Danti.
Researchers at Kaspersky Lab this morning at its Security Analyst Summit, released their update on Sofacy, also known as APT28, Fancy Bear, Sednit and a handful of other monikers. The report shows how Sofacy is continuing to evolve in 2018.
Most intriguing to researchers is the overlap between Sofacy and the English-speaking threat actor behind the Lamberts, also known as Longhorn. Researchers made the discovery connecting the two APTs when the presence of Sofacy was found on a server in China belonging to a company with ties to the aerospace and defense industry. The server was previously identified as compromised by Grey Lambert malware.
In this case, Sofacy’s SPLM (aka Xagent, aka CHOPSTICK) tool was found on the server, but it’s unclear what tactics were used by the APT to plant the malware. Researchers theorize a Power Shell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.
The samples of SPLM that researchers examined demonstrate how Sofacy now maintains “distinct subdivisions for each of its main tools, with clusters for the coding, development and targeting of SPLM, GAMEFISH, and Zebrocy,” according to Kaspersky researchers.
....
....
....
