Sofacy Sofacy

  • First known sample

    2008

  • Discovery

    2014

  • Number of targets

    1-100

  • Current status

    Active

  • Type

    Backdoor , Trojan

  • Targeted platforms

    Linux , Windows , iOS

  • TOP targeted countries

    Belgium , France , Greece , Jordan , USA , United Arab Emirates

  • Connected attacks

    MiniDuke

  • The way of propagation

    Exploits , Social engineering

  • Purpose/Functions

    Cyberespionage , Data theft , Data wiping , Surveillance
  • Special features
    Modular structure, USB stealing implant, which allows it to copy data from air-gapped computers

  • Targets

    Defense industrial base , Government entities , Military
  • Artefacts/Attribution
    Russian language artefacts
  • Description

    Active since 2004, this group is one of the most prolific and persistent threat actors to date. They’re most well-known for their attacks against the Democratic National Committee in 2016 in an effort to interfere with the US presidential elections and have been blamed for attempting to influence the French presidential elections in 2017. Their attacks have included the use of zero day exploits, custom developed malware in a variety of languages, and even attacks against mobile platforms. This actor has attacked government agencies, media outlets, and NGOs. Aside from traditional targeting, they are also well-known for their use of false fronts to conduct disinformation campaigns.

    Additional information

© 2024 AO Kaspersky Lab. All Rights Reserved. Privacy Policy Cookies
  1. Adding detection for known modules
  2. Collecting samples
  3. Reversing the samples
  4. Decrypting sophisticated encryption and compression schemes
  5. Understanding lateral movement
  6. Outlining multiple attack stages in the correct order
  7. Mapping C&C infrastructure
  8. Setting up sinkholes
  9. Analyzing collected traffic and communication protocols
  10. Crawling other hosts that understand the same protocol
  11. Taking down and acquiring images of C&C servers
  12. Identifying victims, sending out notifications to victims and global CERTs
  13. Applying forensic analysis and extracting logs, stolen files, other components
  14. Collecting and analyzing data from KSN, C&C servers, individual victims who are willing to work with us, sinkholes, crawlers, etc.
  15. Writing a comprehensive report
Read more
Mitigation is where enterprises need to start, prevention being significantly more effective and more cost-efficient than remediation after an attack Read more
For any inquiries, please contact apt.securelist@kaspersky.com If you are looking for more detailed information about an APT, please contact intelreports@kaspersky.com