Sofacy shifts focus to include Far East defense and diplomacy, overlaps with advanced cyberespionage groups
Kaspersky Lab researchers have observed that the Russian-speaking threat actor Sofacy, also known as APT28 or Fancy Bear, is shifting its targeting to the Far East, with a strong interest in military, defence and diplomatic organisations – in addition to its traditional NATO-related targets. The researchers discovered that Sofacy sometimes overlaps with other threat actors when targeting victims, including with the Russian-speaking Turla and the Chinese-speaking Danti. Most intriguingly of all, they found Sofacy backdoors on a server previously compromised by the English-language threat actor behind the Lamberts. The server belongs to a military and aerospace conglomerate in China.
Sofacy is a highly active and prolific cyberespionage group that Kaspersky Lab’s researchers have been tracking for many years. In February, Kaspersky Lab published an overview of Sofacy’s activities in 2017, revealing a gradual move away from NATO-related targets towards the Middle East, Central Asia, and beyond. Sofacy uses spear-phishing and sometimes