The infamous APT group known as ‘Sofacy’ or ‘Pawn Storm’ has increased its activity nearly tenfold over the past year, including a new wave of attacks against defense targets since August, according to researchers.
Kaspersky Lab’s Global Research and Analysis Team (GREAT) revealed in a new blog post that the group, also known as ‘Sednit’ or APT 28, has been spotted using new 'USB stealer' modules designed to jump target organizations’ air-gapped networks.
“Among the most popular modern defense mechanisms against APTs are air-gaps — isolated network segments without internet access, where sensitive data is stored. In the past, we’ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks. The Sofacy group uses such tools as well,” the team wrote.
“The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015.”
One such module was designed to monitor removable media and collect files from them according to the hackers’ aims. Stolen data is copied into a hidden directory where it can be exfiltrated out of the organization.
These new attacks against “defense-related targets” were still ongoing as of November this year.
“The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance,” Kaspersky Lab explained. “Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as ‘Mimikatz’ for lateral movement.”
The group is known for its speed and use of “multi-backdoor packages for extreme resilience” – infecting targets with both the SPLM and AZZY malware so that if one is detected the other will provide continued access.
“As usual, the best defense against targeted attacks is a multi-layered approach. Combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies,” the vendor advised.
“While it’s impossible to achieve 100% protection, in practice and most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker – who will just give up and move on to other targets.”
The APT group has been linked to Moscow in earlier reports and was pegged for the attack on French TV channel TV5Monde as well as the White House.