
Russian Cyberspies Use Updated Arsenal to Attack Defense Contractors

A Russia-linked cyber espionage group has been using new tools in attacks against defense contractors and other high-profile targets, Kaspersky Lab reported on Friday.

The threat actor, known as Pawn Storm, Strontium, APT28, Sofacy, Sednit and Fancy Bear, has been actively targeting military, media, defense and government organizations from across the world since 2007. Entities in NATO countries have been primarily targeted, but researchers recently spotted an increase in attacks aimed at Ukraine.

Pawn Storm has been known to use zero-day exploits targeting Adobe Flash Player, Java, Microsoft Office and Windows in its operations. The attackers have also leveraged a wide range of tools to achieve their goals, including backdoors such as SPLM (also known as Xagent and CHOPSTICK) and AZZY (aka ADVSTORESHELL, NETUI and EVILTOSS), and USB stealers designed for data theft from air-gapped systems. Implants dubbed JHUHUGIT and JKEYSKW have also been observed in Pawn Storm attacks.

Up until August, Pawn Storm leveraged zero-day exploits to infect systems with JHUHUGIT and JKEYSKW first-stage implants. However, in August, Kaspersky Lab researchers spotted a new version of the AZZY Trojan, which is mainly used for reconnaissance, while investigating a wave of attacks aimed at defense organizations. Experts said the campaign was still ongoing in November.

The new AZZY, most recently seen in an October attack, had been delivered by another piece of malware instead of a zero-day exploit. An analysis of the threat revealed that unlike previous variants, the new AZZY backdoor has been using an external library for command and control (C&C) communications.

“In the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularisation follows the same line of thinking,” Kaspersky researchers noted in a blog post.

Pawn Storm has also updated its data theft tools. The spy group’s USB stealer modules, used for stealing data from isolated networks, were first updated in February 2015 and the latest versions appear to have been compiled in May 2015, Kaspersky said. Older versions of USBStealer malware were analyzed by researchers at ESET in November 2014.

The USBStealer compiled in May is designed to monitor the infected device for USB drives and collect specified files from them. The files are copied to a hidden folder from where they can be exfiltrated using the AZZY backdoor.

“Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience,” researchers said. “In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.”

Pawn Storm also appears to be interested in Malaysia Airlines Flight MH17, a plane that crashed in July 2014 after being hit by a Russian-made missile while flying over a conflict zone in eastern Ukraine. Trend Micro reported in October that the attackers targeted organizations tasked with investigating the incident.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.