Channel: iTWire - Entertainment

Sofacy threat group shifting attention to Far East: claim


A Russian-speaking online threat actor, known as Sofacy, has been observed to be shifting its attention to the Far East, and showing interest in military, defence and diplomatic organisations, the security firm Kaspersky Lab claims.

Researchers from the company said these targets were in addition to the traditional NATO-related organisations which have been targeted by Sofacy, which is also known as APT28 or Fancy Bear, in the past.

The announcement was made on Friday, the second day of the Kaspersky Security Analyst Summit being held in Cancun, Mexico.

The researchers said they had found that Sofacy sometimes overlapped with other threat actors like the Russian-speaking Turla and the Chinese-speaking Danti, when targeting victims.

Unusually, they also found Sofacy backdoors on a server which had previously been compromised by the English-speaking threat actor behind the Lamberts.

This connection came to light when Sofacy was detected on a server that had been previously identified as compromised by the Grey Lambert malware. The server belongs to a Chinese conglomerate that designs and manufactures aerospace and air defence technologies.

Sofacy has been tracked by Kaspersky Lab’s researchers for many years. It uses spear-phishing and sometimes water-holing to steal information, including account credentials, sensitive communications and documents. It is also suspected of delivering destructive payloads to various targets.

Researchers discovered instances where Sofacy's Zebrocy malware competed for victim access with Russian-speaking Mosquito Turla clusters. They also found instances where its SPLM backdoor competed with traditional Turla and Chinese-speaking Danti attacks.

The shared targets included government administration, technology, science and military-related organisations in or from Central Asia.

"Sofacy is sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured, and agile," said Kurt Baumgartner (above), principal security researcher, Kaspersky Lab.

"Their activity in the East has been largely under-reported, but they are clearly not the only threat actor interested in this region, or even in the same targets.

"As the threat landscape grows ever more crowded and complex, we may encounter more examples of target overlap – and it could explain why many threat actors check victim systems for the presence of other intruders before fully launching their attacks."

The writer is attending the Kaspersky Security Analyst Summit as a guest of the company.

Photo: courtesy Kaspersky Lab

