A cyberespionage group called Sofacy has launched a fresh attack against the US government, using a "new persistence mechanism" designed to help evade detection. The campaign involves sending government officials spear-phishing emails from the email address belonging to the ministry of foreign affairs of another nation, indicating that the sender's account may have been compromised.
Security firm Palo Alto Networks uncovered that the email came with the subject "FW: Exercise Noble Partner 2016" and carried an RTF (Rich Text Format) file attachment with a similar name ("Exercise_Noble_Partner_16.rtf"), which referred to a joint US-Georgia military exercise.
"The Sofacy group, also known as APT28, is a well-known threat group that frequently conducts cyber espionage campaigns. Recently, Unit 42 identified a spear phishing e-mail from the Sofacy group that targeted the United States government. The e-mail was sent from a potentially compromised account belonging to the ministry of foreign affairs of another government entity and carried the Carberp variant of the Sofacy Trojan. The developer implemented a clever persistence mechanism in the Trojan, one which had not been observed in previous attacks," Palo Alto Networks said.
Security researchers also noted that there was a "high likelihood that the sender's email address was not spoofed", adding that the ministry official's account was likely compromised. Researchers also highlighted an unfamiliar tactic used by the group, which allows attackers "to determine if the infected machine is a target of interest" and evade detection.
Unlike most malware, which activates when the computer starts up, the Sofacy Trojan was specifically designed to activate only when a Microsoft Office product was used. This means the malware would begin operating only when the user opened a Word, Excel or PowerPoint file.
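Persistence that fires with an Office application rather than at boot suggests a hunt that starts from the Office processes themselves. The following is an added example, not code from Unit 42 or from the article; it assumes Sysmon-style process-creation and image-load telemetry reduced to a simple constructed event list, and the two heuristics (an Office process loading a module from a user-writable path, or spawning an unexpected child) are assumptions about how such activation would surface, not the mechanism the report describes.

```python
"""Flag activity that begins when an Office application starts (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Paths a stock Office install does not load code from (assumption).
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EXPECTED_CHILDREN = {"splwow64.exe", "outlook.exe"}  # constructed allowlist


@dataclass
class Event:
    event_id: int  # 1 = process create, 7 = image load (Sysmon numbering)
    image: str     # event 1: the new process; event 7: the hosting process
    target: str    # event 1: parent image; event 7: loaded module path


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def find_office_triggered(events):
    """Return (reason, event) pairs an analyst should review."""
    hits = []
    for ev in events:
        if ev.event_id == 7 and _name(ev.image) in OFFICE_IMAGES and _user_writable(ev.target):
            hits.append(("office_loads_module_from_user_path", ev))
        elif (ev.event_id == 1 and _name(ev.target) in OFFICE_IMAGES
              and _name(ev.image) not in OFFICE_IMAGES | EXPECTED_CHILDREN):
            hits.append(("office_spawns_unexpected_child", ev))
    return hits


# Constructed sample telemetry: one benign load, one suspicious load,
# one suspicious child process, one allowlisted child process.
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    Event(7, OFFICE_DIR + r"\WINWORD.EXE", OFFICE_DIR + r"\mso.dll"),
    Event(7, OFFICE_DIR + r"\WINWORD.EXE", r"C:\Users\alice\AppData\Roaming\update.dll"),
    Event(1, r"C:\Users\alice\AppData\Local\Temp\svc.exe", OFFICE_DIR + r"\EXCEL.EXE"),
    Event(1, r"C:\Windows\splwow64.exe", OFFICE_DIR + r"\WINWORD.EXE"),
]

if __name__ == "__main__":
    for reason, ev in find_office_triggered(SAMPLE_EVENTS):
        print(f"{reason}: {ev.image} -> {ev.target}")
```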
"The use of this new persistence method shows the continued development of tactics and techniques employed by this threat group, often times in clever ways as we observed in this instance," the firm noted.
Palo Alto Networks also observed that the campaign was linked to only one C&C (command and control) server, which also appeared to be very new. "We have not observed this IP address used by the Sofacy group in any previous attack campaigns, and examining passive DNS data showed no other correlations to potentially related attacks. This domain also appears to be newly created for this specific attack campaign, with no strong links to any previous attacks," it said.
It is highly likely that Sofacy is involved in more such cyberespionage campaigns. A German intelligence agency recently accused the Russian-linked hacker group of targeting the country's government and parliament. The group has also been connected to a targeted campaign called Operation Pawn Storm which set its sights on attacking the US military, Nato, Ukrainian activists and Russian separatists, among others.