Sofacy – aka APT28, Fancy Bear, STRONTIUM, Sednit, Tsar Team, and Pawn Storm – is widely believed to be supported by the Russian government.

A persistent adversary known as the Sofacy group last month targeted a North American and European foreign ministry agency, reports cybersecurity firm Palo Alto Networks' Unit 42, which didn't reveal which countries were impacted.

Separately, the German Ministries of Interior and Defense admitted that the federal government had been hit by an isolated cyberattack. Sofacy – aka APT28, Fancy Bear, STRONTIUM, Sednit, Tsar Team, and Pawn Storm – is widely believed to be supported by the Russian government.

“We can confirm that the Federal Office for Information Security (BSI) and intelligence services are investigating a cybersecurity incident concerning the federal government's information technology and networks,” a German interior ministry spokesman told the BBC. He said the attack had been “brought under control,” but declined to comment on reports of Russian involvement.

Palo Alto Networks actively monitors Sofacy “due to their persistent nature globally across all industry verticals,” a Unit 42 Feb. 28 blog post explains.

“There are clear trends with government attacks that make them predictable, but unfortunately, attackers have many advantages over defenders that explain why it keeps happening,” comments Tom Van de Wiele, F-Secure's principal security consultant.

In early February, Unit 42 tracked Sofacy's two-pronged campaign using completely different toolsets to attack various Ministries of Foreign Affairs around the world.

The post details a Sofacy phishing scheme pretending to be from IHSMarkit, whose “Jane's 360 defense events” emailed newsletter supplies information and analysis to governments on defense matters.

An Excel attachment contained a malicious macro script that requires the recipient to enable macros; doing so produces abnormal artifacts not found in a legitimate document. Once opened, the XLS file changes font color as the macro runs. Unit 42 believes Sofacy used a tool that closely resembles macros found within Luckystrike, which generates malicious delivery documents.

The attack patterns showed reuse of WHOIS artifacts, IP addresses, and domain name themes seen in previous Sofacy activity, Palo Alto notes. Sofacy's “attack attempts are likely still succeeding, even with the wealth of threat intelligence available in the public domain,” Unit 42 states.

F-Secure's Van de Wiele notes attributing specific attacks to an individual, group, movement, or country “in an age where toolkits and resources are bought and sold is no trivial task. And when it comes to figuring out who is executing or financing attacks, it's often a crapshoot.” That element of plausible deniability makes cyber attacks an attractive tool for espionage and data theft, he adds.