Bitdefender blames Russian speakers, but not necessarily Kremlin backed, or even Russian (Source Flofanov

Bitdefender has published its research into an advanced persistent threat known as APT28 or Sofacy and concludes that the evidence points to Russian speaking hackers.

Security companies love to show off their skills with in-depth reports on malware. Most of it is of limited interest to anyone other than security teams, who can use it to beef up their defences. Sometimes it is worth wading through the technical detail to understand the goals behind an attack. This report is one of those times: there is information beyond the technical realm that matters to companies and governments.

Russian speaking does not mean Russian involvement

What is interesting about this report is that while Bitdefender says Sofacy appears to have been written by Russian speakers, it does not follow that the attacks were carried out by the Russian state. Russia, its aerospace industry and one of its latest fighter aircraft programmes appear to have been among the targets.

Bitdefender says that: “We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian. Our assumption is supported by different markers identified during analysis.”

Those markers include the dates and times at which code was compiled. The report lists all the countries that share the same time zone and concludes that only Russia has the skills to have created this attack. It then points to the use of Russian in some of the paths to a debug file.

All in all this is scant evidence on which Bitdefender can confidently base its assertion that Russia is the originator of Sofacy, unless it has more evidence that it has not included in the report. It is not unreasonable to consider China or Israel, two countries with equal capabilities and both active in cyber espionage, as possible originators. The use of Russian in file names can also be explained as a move to deflect attention should the attack be discovered.
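To show why the compile-time marker on its own narrows things only to a band of time zones rather than one country, here is an added Python sketch (not from the Bitdefender report) that scores candidate UTC offsets by how many compile timestamps fall inside local office hours. The timestamps are constructed sample data, and the 09:00-18:00 weekday window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of compile timestamps in UTC, standing in for the
# PE TimeDateStamp values an analyst would pull from a malware corpus.
SAMPLE_TIMESTAMPS_UTC = [
    "2014-03-03 07:12:00", "2014-03-04 08:45:00", "2014-03-05 07:58:00",
    "2014-03-06 11:30:00", "2014-03-07 10:05:00", "2014-03-10 08:20:00",
    "2014-03-11 11:40:00", "2014-03-12 07:05:00", "2014-03-13 09:15:00",
    "2014-03-14 09:50:00", "2014-03-15 10:00:00", "2014-03-17 07:10:00",
    "2014-03-18 10:35:00",
]

WORK_START, WORK_END = 9, 18  # assumed local office hours (inclusive start, exclusive end)


def working_hours_score(timestamps, offset_hours):
    """Fraction of timestamps landing on a weekday between 09:00 and 18:00
    once shifted from UTC into the given whole-hour offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps:
        utc = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        local = utc.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(timestamps)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """Return (best_offsets, scores): every offset that ties for the highest
    office-hours fit, plus the score for each candidate offset."""
    scores = {o: working_hours_score(timestamps, o) for o in offsets}
    best = max(scores.values())
    return sorted(o for o, s in scores.items() if s == best), scores


if __name__ == "__main__":
    best, scores = rank_offsets(SAMPLE_TIMESTAMPS_UTC)
    print("best-fitting UTC offsets:", best)  # a band of zones, not a single country
    for o in best:
        print(f"UTC{o:+d}: {scores[o]:.2f}")
```

With this sample every offset from UTC+2 to UTC+6 fits equally well, which is exactly why the marker supports "Russian-speaking region" far better than "Russian state".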

Playing the long game

The report, APT28 Under the Scope – A Journey into Exfiltrating Intelligence and Government Information, is interesting at many levels. For one, it exposes the myth that the first Advanced Persistent Threat was Stuxnet, designed by the US and Israeli military intelligence communities to disrupt the Iranian nuclear programme.

The report puts Sofacy as having been around since 2007. With other APTs such as Night Dragon, which targeted global energy companies, appearing at around the same time, it is unlikely that even APT28 was the first of its kind.

The goal of an APT is to work its way slowly into an organisation and eventually become a trusted piece of software. At that point, rather like a sleeper in the physical spy world, it sits and waits for instructions before beginning its job. This is what makes this type of attack so dangerous and why the impact can be devastating for a business as it tries to unravel how long the intruder has been in place and what it has done.

Who was targeted?

The report points out that unlike generic malware, which is indiscriminate, Sofacy is aimed at a narrow range of targets and remains active even today. The targets are hand-picked by those behind the APT, who feed it the IP addresses of computers to scan, and the victims are primarily based in Ukraine, Spain, Russia, Romania, the United States and Canada.

Attacks are also narrowly targeted. The report highlights categories such as political, e-services, telecommunication services and the aerospace industry. Interestingly, in the downloadable copy of the report one category has been removed. Why that is the case is not stated.

Despite being in place since 2007, it was only in 2015 that the first attacks were identified. The attack took place between 10th and 14th February 2015 during the Minsk summit, which was attempting to agree a ceasefire in Ukraine.

Bitdefender says that in this attack 8,762,106 IP addresses were scanned, with around 19%, or roughly 1 in 5, identified as vulnerable to attack. This is a strikingly high proportion, especially as these are not home computers but carefully chosen categories. While the majority of the targets were in Ukraine, it also targeted the Russian Federation, Romania, Bulgaria, the United States, Canada and Italy.

Shortly after this the attention turned to Spain, with the UK, Portugal, the United States and Mexico also targeted. Out of 58,624 new targets, just over 10% were found to be vulnerable. Bitdefender suggests this was because it was a highly targeted attack on specific institutions. If so, a 10% success rate suggests there is a lot of work to be done to protect computers.

There are a number of redacted portions of the report, which seems a little disingenuous of Bitdefender. These concern the details of who was attacked, where files were sent and some of the institutions that were attacked. The redaction is presumably there to protect commercial arrangements between Bitdefender and those named, or to avoid any risk of legal action against Bitdefender. It would have been much easier to have simply reworked the report.

Spear phishing, Word and Excel

Scanning identifies vulnerable machines; the next phase is to use email and spear phishing to engage with an identified target, who is sent emails carrying infected Word or Excel documents.

Alternatively they would be sent links to websites that, at first glance, look real but are in fact what the report describes as typosquatted domains. A typosquatted domain takes advantage of people mistyping common domain names and ending up on a website that then attempts to install malware on their computer. Everyone does this at some point, and there has been a continual rise in the use of typosquatted domains by hackers over the last decade.
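As an added example of the defensive side of typosquatting (not code from the report or from Bitdefender), the Python below flags observed domains, say from proxy or DNS logs, that closely mimic a list of protected domains. It catches single-character typos and transpositions, common homoglyph swaps and TLD swaps, while leaving genuine subdomains of the real domain alone; the protected list and sample domains are constructed, and multi-part TLDs such as co.uk are deliberately not handled.

```python
# Constructed protected list; the report's actual lookalike domains are not reproduced.
PROTECTED_DOMAINS = ["example-gov.com", "example-aero.org"]

# Character swaps that look alike in many fonts or at a glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label):
    """Collapse common look-alike characters so homoglyph squats score as identical."""
    for glyph, real in HOMOGLYPHS:
        label = label.replace(glyph, real)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Reduce host.sub.name.tld to name.tld (assumes single-label TLDs)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def typosquat_of(observed, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return the protected domain that `observed` appears to impersonate, or None."""
    obs = registrable(observed)
    if "." not in obs or obs in {registrable(p) for p in protected}:
        return None  # bare hostname, or a real (sub)domain of a protected name
    obs_name = obs.rsplit(".", 1)[0]
    best, best_d = None, max_distance + 1
    for legit in protected:
        leg_name = registrable(legit).rsplit(".", 1)[0]
        d = levenshtein(normalise(obs_name), normalise(leg_name))
        if d < best_d:  # d == 0 here means same name, different TLD
            best, best_d = legit, d
    return best if best_d <= max_distance else None
```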

The attackers also took advantage of zero-day exploits. As we know from the Hacking Team breach, these can be bought openly from commercial security companies as well as on the Dark Net.

Once the machine is infected the hacker deploys tools to acquire passwords, escalate privileges and attack other computers. Perhaps the most dangerous of these for many companies is the last. The ability to attack other computers on the same internal network makes life easier for a hacker, as most security tends to be outward facing. It also highlights the need for better internal network security tools from vendors.

The narrow focus of APT28 or Sofacy should send a warning shot across the bows of IT security teams in those sectors. It also highlights the need for much greater education of users around the types of file they receive, the use of typosquatted domains and drive-by attacks. There is also a message for the security industry that it has to do more to protect computers on the same network rather than focusing on defending the edge of the network.

We are seeing a rise in new forms of defence for computers with the use of machine learning from companies such as Cylance and the acquisition of SurfRight by Sophos. There is also a push by software vendors to move to behavioural analytics for better security. All of this costs time, money and requires expertise that isn’t readily available.

For now, it appears the hackers have the upper hand when it comes to playing the long game with APTs.
