Connect with us

Hi, what are you looking for?



Russian Cyberspies Shift Focus From NATO Countries to Asia

The Russia-linked cyber espionage group known as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium has shifted its focus from NATO member countries and Ukraine to Central Asia and even further east, Kaspersky Lab reported on Tuesday.

The Russia-linked cyber espionage group known as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium has shifted its focus from NATO member countries and Ukraine to Central Asia and even further east, Kaspersky Lab reported on Tuesday.

Sofacy, which is believed to be behind attacks targeting the 2016 presidential election in the United States, has been known to target Ukraine and NATO countries. NATO was heavily targeted in early 2017, including with zero-day exploits, but Kaspersky said the group later started to shift its focus towards the Middle East and Central Asia, which had been less targeted in the first half of the year.

According to the security firm, by mid-2017, detections of a Sofacy backdoor tracked as SPLM, CHOPSTICK and X-Agent showed that the hackers had been increasingly targeting former Soviet countries in Central Asia, including telecoms firms and defense-related organizations. The attacks were aimed at countries such as Turkey, Kazakhstan, Armenia, Kyrgyzstan, Jordan and Uzbekistan.

Attacks involving SPLM and a tool tracked as Zebrocy were increasingly spotted between the second and fourth quarters of 2017 further east. The list of countries where these pieces of malware were detected by Kaspersky includes China, Mongolia, South Korea and Malaysia.

Zebrocy, which allows attackers to collect data from victims, has been used to target various types of organizations, including accounting firms, science and engineering centers, industrial organizations, ministries, embassies and consulates, national security and intelligence agencies, press and translation services, and NGOs.

As for the infrastructure used in these attacks, researchers pointed out that Sofacy has been fairly consistent throughout the years and many of its techniques and patterns have been publicly disclosed. As a result, Kaspersky expects to see some changes this year.

“Sofacy is one of the most active threat actors we monitor, and it continues to spear-phish its way into targets, often on a remarkable global scale,” explained Kurt Baumgartner, principal security researcher at Kaspersky Lab. “Our data and detections show that in 2017, the threat actor further developed its toolset as it moved from high volume NATO spear-phish targeting towards the Middle East and Central Asia, before finally shifting its focus further East. Mass campaigns appear to have given way to subsets of activity and malware involving such tools as Zebrocy and SPLM.”

Advertisement. Scroll to continue reading.

Related: Russia-Linked Spies Deliver Malware via DDE Attack

Related: Russian ‘Fancy Bear’ Hackers Abuse Blogspot for Phishing

Related: Kaspersky Details APT Trends for Q2 2017

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...