SecurityWeek

Cyberwarfare

Russian Cyberspies Use Updated Arsenal to Attack Defense Contractors

A Russia-linked cyber espionage group has been using new tools in attacks against defense contractors and other high profile targets, Kaspersky Lab reported on Friday.

The threat actor, known as Pawn Storm, Strontium, APT28, Sofacy, Sednit and Fancy Bear, has been actively targeting military, media, defense and government organizations from across the world since 2007. Entities in NATO countries have been primarily targeted, but researchers recently spotted an increase in attacks aimed at Ukraine.

Pawn Storm has been known to use zero-day exploits targeting Adobe Flash Player, Java, Microsoft Office and Windows in its operations. The attackers have also leveraged a wide range of tools to achieve their goals, including backdoors such as SPLM (also known as Xagent and CHOPSTICK) and AZZY (aka ADVSTORESHELL, NETUI and EVILTOSS), and USB stealers designed for data theft from air-gapped systems. Implants dubbed JHUHUGIT and JKEYSKW have also been observed in Pawn Storm attacks.

Up until August, Pawn Storm leveraged zero-day exploits to infect systems with JHUHUGIT and JKEYSKW first-stage implants. However, in August, Kaspersky Lab researchers spotted a new version of the AZZY Trojan, which is mainly used for reconnaissance, while investigating a wave of attacks aimed at defense organizations. Experts said the campaign was still ongoing in November.

The new AZZY, most recently seen in an October attack, had been delivered by another piece of malware instead of a zero-day exploit. An analysis of the threat revealed that unlike previous variants, the new AZZY backdoor has been using an external library for command and control (C&C) communications.

“In the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularisation follows the same line of thinking,” Kaspersky researchers noted in a blog post.

Pawn Storm has also updated its data theft tools. The spy group’s USB stealer modules, used for stealing data from isolated networks, were first updated in February 2015 and the latest versions appear to have been compiled in May 2015, Kaspersky said. Older versions of USBStealer malware were analyzed by researchers at ESET in November 2014.

The USBStealer compiled in May is designed to monitor the infected device for USB drives and collect specified files from them. The files are copied to a hidden folder from where they can be exfiltrated using the AZZY backdoor.
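
The staging behavior described above (watch for removable media, copy selected files into a hidden folder, leave them for the backdoor to exfiltrate) is the kind of sequence an endpoint hunt can look for. The following is an added detection example and is not part of the original article or of Kaspersky's or ESET's research. It runs over constructed endpoint events; the event kinds (`usb_mount`, `usb_unmount`, `file_create`), the `hidden` attribute field, and every host name, process name and path are assumptions made for the example, not indicators from the real campaign. It flags a process that copies files off a removable volume, while that volume is still mounted, into a directory carrying the hidden attribute.

```python
"""Hunt for USB-stealer style staging: a process copying files off a
removable volume, while it is still mounted, into a hidden local directory.

Added example. The event records and field names below are constructed for
illustration and are not a real telemetry format or indicators from the
campaign described in the article."""
from collections import defaultdict
from datetime import datetime
import ntpath

# Constructed endpoint events (one dict each), assumed field names:
#   usb_mount / usb_unmount : removable volume attached/detached at "mount"
#   file_create             : "proc" wrote "dst", copied from "src";
#                             "hidden" is the destination directory's hidden attribute
EVENTS = [
    {"ts": "2015-05-12T09:00:05", "host": "WS-07", "kind": "usb_mount", "mount": "E:\\"},
    {"ts": "2015-05-12T09:00:09", "host": "WS-07", "kind": "file_create", "proc": "svchost.exe",
     "src": "E:\\reports\\budget.xlsx", "dst": "C:\\ProgramData\\.cache\\budget.xlsx", "hidden": True},
    {"ts": "2015-05-12T09:00:10", "host": "WS-07", "kind": "file_create", "proc": "svchost.exe",
     "src": "E:\\reports\\plan.docx", "dst": "C:\\ProgramData\\.cache\\plan.docx", "hidden": True},
    # Benign: a user copying a photo to a normal, visible folder.
    {"ts": "2015-05-12T09:02:00", "host": "WS-07", "kind": "file_create", "proc": "explorer.exe",
     "src": "E:\\photos\\img1.jpg", "dst": "C:\\Users\\alice\\Pictures\\img1.jpg", "hidden": False},
    {"ts": "2015-05-12T09:05:00", "host": "WS-07", "kind": "usb_unmount", "mount": "E:\\"},
    # After the volume is gone: the source path no longer belongs to a mounted drive.
    {"ts": "2015-05-12T09:30:00", "host": "WS-07", "kind": "file_create", "proc": "svchost.exe",
     "src": "E:\\reports\\late.pdf", "dst": "C:\\ProgramData\\.cache\\late.pdf", "hidden": True},
    # Different host, hidden destination but local source: not USB staging.
    {"ts": "2015-05-12T10:00:00", "host": "WS-12", "kind": "file_create", "proc": "backup.exe",
     "src": "C:\\Users\\bob\\notes.txt", "dst": "C:\\ProgramData\\.bk\\notes.txt", "hidden": True},
]


def find_staging(events, min_files=2):
    """Return one alert per (host, process, hidden destination directory) that
    copied at least `min_files` files from a removable volume while it was mounted.
    Events are processed in timestamp order so mount/unmount state is tracked correctly."""
    mounted = defaultdict(set)   # host -> lower-cased roots of currently attached removable volumes
    staged = defaultdict(list)   # (host, proc, dst_dir) -> source paths copied into it
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        host, kind = ev["host"], ev["kind"]
        if kind == "usb_mount":
            mounted[host].add(ev["mount"].lower())
        elif kind == "usb_unmount":
            mounted[host].discard(ev["mount"].lower())
        elif kind == "file_create" and ev.get("hidden"):
            src = ev["src"].lower()
            if any(src.startswith(root) for root in mounted[host]):
                key = (host, ev["proc"], ntpath.dirname(ev["dst"]))
                staged[key].append(ev["src"])
    return [
        {"host": h, "proc": p, "dst_dir": d, "files": files}
        for (h, p, d), files in staged.items()
        if len(files) >= min_files
    ]


if __name__ == "__main__":
    for alert in find_staging(EVENTS):
        print(f"{alert['host']}: {alert['proc']} staged {len(alert['files'])} "
              f"file(s) from removable media into hidden dir {alert['dst_dir']}")
```

Keying the window on mount and unmount events, rather than on a fixed number of minutes, matches the described behavior (the stealer acts while the drive is present) and avoids a tunable that attackers can simply wait out. The `min_files` threshold suppresses one-off copies; since the article says the tool collects "specified files", a real deployment would also restrict the match to the document and key-material extensions the defender cares about, and would take its mount and file-creation events from whatever endpoint telemetry is in use.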

“Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience,” researchers said. “In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.”

Pawn Storm also appears to be interested in Malaysia Airlines Flight MH17, a plane that crashed in July 2014 after being hit by a Russian-made missile while flying over a conflict zone in eastern Ukraine. Trend Micro reported in October that the attackers targeted organizations tasked with investigating the incident.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
