Sofacy Group

Threat Actor updated 3 months ago (2024-09-05T13:17:44.275Z)

Download STIX

Preview STIX

The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a well-established threat actor that has been active since at least 2007. This group, which could be an individual, a private company, or part of a government entity, has targeted governments, militaries, and security organizations worldwide. Their activities have been marked by the use of sophisticated tools and techniques, including the creation and deployment of various Trojans and backdoors for cyber espionage purposes. Among the tools developed by the Sofacy Group is Komplex, a Trojan designed to compromise OS X devices. They have also introduced Cannon, a new Trojan with a novel email-based C2 communication channel, which had not been previously observed in their operations. The group has shown its adaptability and innovation by continuously enhancing its toolset to carry out attack campaigns across multiple platforms. In addition to these developments, the Sofacy Group has deployed a new set of data-theft modules against victims, including the AZZY backdoors with side-DLL for Command & Control (C&C). Notably, the group seems to persistently use the same hosting services to host their infrastructure, despite no direct overlap in IP addresses. As the Sofacy Group continues to bolster its toolset and refine its tactics, it remains a significant threat to global cybersecurity.

Description last updated: 2024-09-05T13:16:00.678Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT28 is a possible alias for Sofacy Group. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)	4
Sednit is a possible alias for Sofacy Group. Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor group associated with Russia’s military intelligence. This group has been active since at least 2007, targeting governments, militaries, and security organizations worldwide. Sedn	2
Pawn Storm is a possible alias for Sofacy Group. Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. The group is notorious for its complex operations that steal victims' credentials to enable surveillance or intrusion operations. It has targeted g	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Sofacy Group Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	3 months ago	Is Russian group APT28 behind the cyber attack on the German air traffic control agency (DFS)?
Securityaffairs	6 months ago	APT28 targets key networks in Europe with HeadLace malware
Securityaffairs	6 months ago	Russia-linked APT28 targets government Polish institutions
Securityaffairs	7 months ago	NATO and the EU formally condemned APT28 cyber espionage
Securityaffairs	7 months ago	Russia-linked APT28 used tool GooseEgg for to exploit Win bug
Securityaffairs	a year ago	Russia's APT8 exploited Outlook 0day to target EU NATO members
Securityaffairs	a year ago	Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts
Securityaffairs	a year ago	ANSSI warns of Russia-linked APT28 attacks on French entities
MITRE	2 years ago	XAgentOSX: Sofacy’s XAgent macOS Tool
MITRE	2 years ago	Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
Securityaffairs	a year ago	APT28 hacked Roundcube email servers of Ukrainian entities
DARKReading	2 years ago	Russian Fancy Bear APT Exploited Unpatched Cisco Routers to Hack US, EU Gov't Agencies
MITRE	2 years ago	Sofacy’s ‘Komplex’ OS X Trojan
MITRE	2 years ago	Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag
Securityaffairs	2 years ago	APT28 uses fake Windows Update instructions to target Ukraine
MITRE	2 years ago	A Slice of 2017 Sofacy Activity
MITRE	2 years ago	Sofacy APT hits high profile targets with updated toolset
MITRE	2 years ago	Sofacy Uses DealersChoice to Target European Government Agency
Securityaffairs	2 years ago	US and UK agencies warn of Russia-linked APT28 exploiting Cisco router flaws
MITRE	2 years ago	Sofacy Group’s Parallel Attacks