Armenia among states targeted by Sofacy cyber espionage group
Kaspersky Lab's Global Research and Analysis Team has published an overview of 2017 activity by the threat actor Sofacy, also known as APT 28 and Fancy Bear, to help organizations across the world better understand and protect themselves against this threat actor.
As the Kaspersky Lab Armenian office reports, in 2017, Sofacy activity moved from a heavy focus on NATO and Ukrainian-related targets at the start of the year to a growing focus on Central Asia and even further East by the end of the year.
Sofacy is a highly active and prolific cyberespionage group. Its reported presence in the U.S.'s DNC network in 2016, alongside APT29, thrust the group into the media spotlight, but that is just a small part of the story.
Kaspersky Lab's Global Research and Analysis Team has been tracking the Russian-speaking Sofacy for many years, and in 2017 reported at length on its latest tools, techniques and targets, as the group targeted organizations related to Ukraine and NATO military and diplomatic interests. According to the source, the global reach of this campaign was remarkable, with KSN and third-party data sources confirming targets in Armenia, Azerbaijan, France, Germany, Iraq, Italy, Kyrgyzstan, Morocco, Switzerland, Ukraine, the United States, Vietnam, Turkey, Poland, Bosnia and Herzegovina, South Korea, Latvia, Georgia, Australia, Sweden, and Belgium.
"Sofacy is one of the most active threat actors we monitor, and it continues to spear-phish its way into targets, often on a remarkable global scale. Our data and detections show that in 2017 the threat actor further developed its toolset as it moved from high-volume NATO spear-phish targeting towards the Middle East and Central Asia, before finally shifting its focus further East. Mass campaigns appear to have given way to subsets of activity and malware involving such tools as Zebrocy and SPLM," said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.