Sofacy, the cyberespionage group, has launched an attack against the US government using a “new persistence mechanism” designed to help evade detection.
Attackers sent a spear-phishing e-mail to a US government entity using an email address belonging to the Ministry of Foreign Affairs of another country. Analysis of the attack revealed a high likelihood that the sender’s email address was not spoofed and is instead a result of a compromised host or account belonging to that Ministry.
The developer implemented a clever persistence mechanism in the Trojan, one which had not been observed in previous attacks.
The Sofacy group, also known as APT28, is a well-known threat group that frequently conducts cyber espionage campaigns, according to Palo Alto networks, who discovered the threat.
Commenting on the attack, Mark James, security specialist at ESET, said: “These types of threats rely on user interaction; they require you to actually trigger the phishing attack. If you have procedures and policies in place to deal with this then its success rate should be relatively low. Having said that, spam and phishing emails are still the highest and most popular means to deliver malware because it only requires a momentary lapse of concentration to click that link or run that file. Often the end user is misdirected while the malware does its dirty deeds in the background.”
James recommends that staff are made aware of the dangers of opening attachments and or clicking links within emails. “Policies and rules will help to keep the danger to a minimum but ultimately the user is the biggest threat,” he said. “Good regular updating internet security software along with fully patched operating systems and applications will help to keep you safe. Putting off upgrading operating systems may not actually be saving you money, one mistake and the few thousand pounds you may have saved may cost you hundreds of thousands or even more importantly your good name.”
Full details of the recent Sofacy attack can be found here.