Sofacy

Threat Actor updated 7 months ago (2024-05-04T18:42:58.241Z)
Sofacy is a threat actor group that has been observed using multiple programming languages to create variants of the Zebrocy Trojan and the Cannon tool. In one campaign the group relied heavily on document-like filenames to lure victims into opening weaponized attachments. Only the Delphi variants were packed, apparently to improve evasion; it has been speculated that this reflects how widely the Delphi variant of Zebrocy had already been analyzed. Sofacy has been known to use IP-based command-and-control servers, and examination of the infrastructure in that campaign did not reveal significant overlap with previous Zebrocy or Sofacy infrastructure. The group's presence in the DNC network alongside APT29 drew attention to its activities in 2016, and it later targeted the Olympics, the World Anti-Doping Agency and the Court of Arbitration for Sport by compromising individuals and servers via phishing. Recommended defenses against Sofacy's activity are to review logins and unusual administrator access on systems, to scan and sandbox incoming attachments, and to enforce two-factor authentication for services such as email and VPN access. Palo Alto Networks states that its own customers are protected from the threat posed by Sofacy's Zebrocy and Cannon campaigns.
Description last updated: 2023-06-21T15:18:42.863Z
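The "IP-based command-and-control" observation above is a cheap thing to hunt for: an implant that beacons to a literal IP address shows up in proxy or Zeek http.log data as a Host value that parses as an IP rather than a name. The script below is an added example, not code from this page or from Palo Alto Networks' research. It assumes a trimmed, Zeek-like tab-separated layout (column order in FIELDS), and the sample log lines are constructed for the example. Internal services are often addressed by IP too, so RFC 1918, loopback and link-local ranges are excluded by default; the exclusion list is explicit rather than relying on ipaddress.is_private, whose definition includes documentation ranges and has changed across Python versions.

```python
"""Hunt for HTTP connections whose Host header is a bare IP literal.

Added example. The log layout is an assumption (trimmed, Zeek-like,
tab-separated) and the sample lines are constructed; TEST-NET and
documentation ranges stand in for external hosts.
"""
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed column order for each tab-separated record.
FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "host", "uri", "user_agent")

# Internal ranges that are legitimately addressed by IP; listed explicitly
# rather than via is_private (which also covers 198.51.100.0/24 etc.).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample log (not real traffic).
SAMPLE_HTTP_LOG = """\
1714838400.123\t10.1.2.3\t93.184.216.34\t80\texample.com\t/index.html\tMozilla/5.0
1714838401.456\t10.1.2.3\t203.0.113.45\t80\t203.0.113.45\t/upload.php\tMozilla/5.0
1714838402.789\t10.1.2.3\t10.0.0.25\t8080\t10.0.0.25:8080\t/api/status\tpython-requests/2.31
1714838403.000\t10.1.2.3\t198.51.100.7\t80\t198.51.100.7\t/gate.php\tWinHTTP/1.0
1714838404.500\t10.1.2.3\t2001:db8::10\t443\t[2001:db8::10]\t/c\tcurl/8.0
"""


def parse_ip_literal(host: str) -> Optional[IPAddr]:
    """Return the address if host is an IP literal (optionally with :port), else None."""
    h = host.strip()
    if h.startswith("["):            # bracketed IPv6, e.g. [2001:db8::10] or [2001:db8::10]:443
        h = h[1:].split("]", 1)[0]
    elif h.count(":") == 1:          # IPv4 (or hostname) with port, e.g. 203.0.113.45:8080
        h = h.split(":", 1)[0]       # a bare IPv6 literal always has 2+ colons, so it is untouched
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        return None


def is_internal(addr: IPAddr) -> bool:
    """True if addr falls in one of the internal ranges (version mismatch never matches)."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Split one record into a dict keyed by FIELDS; reject malformed lines loudly."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def find_ip_literal_hosts(log_text: str, ignore_internal: bool = True) -> list:
    """Return records whose Host header is an IP literal, optionally skipping internal ranges."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):    # Zeek logs carry '#'-prefixed header lines
            continue
        rec = parse_line(line)
        addr = parse_ip_literal(rec["host"])
        if addr is None:
            continue
        if ignore_internal and is_internal(addr):
            continue
        hits.append({**rec, "host_ip": str(addr)})
    return hits


if __name__ == "__main__":
    for hit in find_ip_literal_hosts(SAMPLE_HTTP_LOG):
        print(f"{hit['ts']} {hit['orig_h']} -> {hit['host_ip']} {hit['uri']} ({hit['user_agent']})")
```

On the constructed sample this flags the three external IP-literal requests and skips example.com and the 10.0.0.25 internal call; run with ignore_internal=False to see the internal one as well. The hit list is a starting point for review, not an alert: legitimate software updaters and some CDNs also talk to bare IPs, so the User-Agent and URI columns are kept in each record to help triage.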
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles worth reviewing alongside this one.
Alias (votes): description
APT28 (6 votes): APT28 is a possible alias for Sofacy. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)
Sednit (4 votes): Sednit is a possible alias for Sofacy. Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor group associated with Russia's military intelligence. This group has been active since at least 2007, targeting governments, militaries, and security organizations worldwide. Sedn
STRONTIUM (2 votes): STRONTIUM is a possible alias for Sofacy. Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor linked to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. Strontium's
Pawn Storm (2 votes): Pawn Storm is a possible alias for Sofacy. Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. The group is notorious for its complex operations that steal victims' credentials to enable surveillance or intrusion operations. It has targeted g
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Windows
Associated Malware
Alias (association type, votes): description
Octopus (Unspecified, 2 votes): The Octopus malware is associated with Sofacy. Octopus is malware, a harmful program designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
Associated Threat Actors
Alias (association type, votes): description
Fancy Bear (Unspecified, 3 votes): The Fancy Bear threat actor is associated with Sofacy. Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be