Russian Cyberspies Use Updated Arsenal to Attack Defense Contractors

A Russia-linked cyber espionage group has been using new tools in attacks against defense contractors and other high-profile targets, Kaspersky Lab reported on Friday.

The threat actor, known as Pawn Storm, Strontium, APT28, Sofacy, Sednit and Fancy Bear, has been actively targeting military, media, defense and government organizations from across the world since 2007. Entities in NATO countries have been primarily targeted, but researchers recently spotted an increase in attacks aimed at Ukraine.

Pawn Storm has been known to use zero-day exploits targeting Adobe Flash Player, Java, Microsoft Office and Windows in its operations. The attackers have also leveraged a wide range of tools to achieve their goals, including backdoors such as SPLM (also known as Xagent and CHOPSTICK) and AZZY (aka ADVSTORESHELL, NETUI and EVILTOSS), and USB stealers designed for data theft from air-gapped systems. Implants dubbed JHUHUGIT and JKEYSKW have also been observed in Pawn Storm attacks.

Up until August, Pawn Storm leveraged zero-day exploits to infect systems with JHUHUGIT and JKEYSKW first-stage implants. However, in August, Kaspersky Lab researchers spotted a new version of the AZZY Trojan, which is mainly used for reconnaissance, while investigating a wave of attacks aimed at defense organizations. Experts said the campaign was still ongoing in November.

The new AZZY, most recently seen in an October attack, had been delivered by another piece of malware instead of a zero-day exploit. An analysis of the threat revealed that, unlike previous variants, the new AZZY backdoor has been using an external library for command and control (C&C) communications.

“In the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularisation follows the same line of thinking,” Kaspersky researchers noted in a blog post.

Pawn Storm has also updated its data theft tools. The spy group’s USB stealer modules, used for stealing data from isolated networks, were first updated in February 2015 and the latest versions appear to have been compiled in May 2015, Kaspersky said. Older versions of USBStealer malware were analyzed by researchers at ESET in November 2014.

The USBStealer compiled in May is designed to monitor the infected device for USB drives and collect specified files from them. The files are copied to a hidden folder from where they can be exfiltrated using the AZZY backdoor.

“Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience,” researchers said. “In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.”

Pawn Storm also appears to be interested in Malaysia Airlines Flight MH17, a plane that crashed in July 2014 after being hit by a Russian-made missile while flying over a conflict zone in eastern Ukraine. Trend Micro reported in October that the attackers targeted organizations tasked with investigating the incident.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.