Sofacy

Threat Actor updated 6 months ago (2024-05-04T18:42:58.241Z)

Download STIX

Preview STIX

Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase evasion, and it has been speculated that this was done due to the known and widely analyzed nature of the Delphi variant of Zebrocy. The Sofacy group has been known to use IP-based command-and-control servers, and examining the infrastructure did not reveal significant overlap or relationships with previous Zebrocy or Sofacy infrastructure. Their presence in the DNC network alongside APT29 brought attention to their activities in 2016, and they later targeted the Olympics and the World Anti-Doping Agency and Court of Arbitration for Sports by compromising individuals and servers via phishing attacks. To protect against Sofacy's activities, it is recommended to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services like email and VPN access. However, Palo Alto Networks customers are already protected from the threat posed by Sofacy's Zebrocy and Cannon campaigns.

Description last updated: 2023-06-21T15:18:42.863Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT28 is a possible alias for Sofacy. APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate, is a Russia-linked threat actor that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide with a particular focus on th	6
Sednit is a possible alias for Sofacy. Sednit, also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, BlueDelta, and Strontium, is a threat actor associated with Russia's military intelligence. The group has been active since at least 2007, primarily targeting governments, militaries, and security organizations worldwide. Notably, Se	4
STRONTIUM is a possible alias for Sofacy. Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor linked to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. Strontium's	2
Pawn Storm is a possible alias for Sofacy. Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. The group is notorious for its complex operations that steal victims' credentials to enable surveillance or intrusion operations. It has targeted g	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Windows

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Octopus Malware is associated with Sofacy. Octopus is a malware, a harmful program designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Fancy Bear Threat Actor is associated with Sofacy. Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be	Unspecified	3

Source Document References

Information about the Sofacy Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	a year ago	APT28 hacked Roundcube email servers of Ukrainian entities
CERT-EU	a year ago	Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor
MITRE	2 years ago	Russia-Linked Hackers Target Diplomatic Entities in Central Asia
MITRE	2 years ago	XAgentOSX: Sofacy’s XAgent macOS Tool
MITRE	2 years ago	Octopus-infested seas of Central Asia
MITRE	2 years ago	APT trends report Q1 2020
MITRE	2 years ago	APT Trends report Q1 2018
MITRE	2 years ago	Our Work with the DNC: Setting the record straight
MITRE	2 years ago	Introducing WhiteBear
MITRE	2 years ago	Sofacy Uses DealersChoice to Target European Government Agency
MITRE	2 years ago	Sofacy APT hits high profile targets with updated toolset
MITRE	2 years ago	IRON TWILIGHT Supports Active Measures
MITRE	2 years ago	Sofacy Group’s Parallel Attacks
MITRE	2 years ago	A Slice of 2017 Sofacy Activity
MITRE	2 years ago	APT Trends report Q2 2017
MITRE	2 years ago	Mac Malware of 2017
MITRE	2 years ago	A Look Into Fysbis: Sofacy’s Linux Backdoor
MITRE	2 years ago	Sofacy Attacks Multiple Government Entities
MITRE	2 years ago	Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
MITRE	2 years ago	Dear Joohn: The Sofacy Group’s Global Campaign