Sofacy Advisory


Sofacy (also known as APT28, Pawn Storm, Tsar Team, Fancy Bear, Sednit and Strontium) is a cyber espionage group. Its behaviour has been classified as an advanced persistent threat. The group employs zero-day vulnerabilities and uses spear phishing and malware to compromise targets. Preferred targets are web-based email services. The threat group is known to target government, military, and security organizations. Sofacy's routing of attacks through relatively small supply chain companies was effective in this instance, as the smaller organisations did not realise the risks associated with remote access, nor their role as an infiltration vector to other companies.




1. Access Levels: It is important to identify and re-evaluate the access levels that third-party suppliers have to a corporate network. This includes isolating services and systems to reduce any possible traversal through the network.

2. Role-Based Monitoring: Parts of the attacks listed above operated outside of standard working hours, and role-based monitoring could be beneficial in order to identify any signs of compromise. For all external supplier accounts, developing a baseline for elements such as log-on times and programs accessed could also be beneficial, especially if alerts are automated when abnormalities arise.

3. Two-Factor Authentication (2FA): Both breaches were possible due to the configuration of remote access tools that were being legitimately used. Implementing 2FA for any external access is a measure which may deter and even prevent malicious access.

4. Anti-virus: The malware used by Sofacy is well known to security vendors; however, the actors behind these campaigns are known to alter the signatures of this malware to evade AV detection. It is therefore important that organizations ensure their AV is regularly updated.

5. Patching: The Sofacy actors use both known exploits and 0-days. Companies should ensure that they have a comprehensive patching policy in place that is adhered to.

6. Education: Phishing emails comprise a large portion of Sofacy’s infiltration strategy. Companies should ensure that users are educated on how to identify phishing emails and what to do if they think they have received one. It is also important that if an employee believes they have opened an attachment or clicked on a link, they know they can report the potential compromise without fear of repercussions.

7. Third-Party Risk Assessments: Develop and conduct third-party risk assessments. It is important to measure the risk a third party poses and to develop a better understanding of the security it has implemented. Re-evaluate access on a regular basis.
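
One way to implement the baseline-and-alert idea from item 2 (Role-Based Monitoring), as an added example that is not part of the original advisory: it builds a per-account profile of log-on hours and programs accessed, then flags deviations. The account names, program names, event format and one-hour slack are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (ISO timestamp, supplier account, program accessed).
BASELINE_EVENTS = [
    ("2024-03-04T09:12:00", "supplier-a", "rdp-gateway"),
    ("2024-03-05T10:40:00", "supplier-a", "rdp-gateway"),
    ("2024-03-06T16:05:00", "supplier-a", "ticketing"),
    ("2024-03-04T08:30:00", "supplier-b", "sftp"),
    ("2024-03-07T17:45:00", "supplier-b", "sftp"),
]
NEW_EVENTS = [
    ("2024-03-11T11:20:00", "supplier-a", "rdp-gateway"),   # within baseline
    ("2024-03-12T02:47:00", "supplier-a", "rdp-gateway"),   # outside usual hours
    ("2024-03-12T09:05:00", "supplier-b", "domain-admin-console"),  # new program
    ("2024-03-13T23:10:00", "supplier-c", "sftp"),          # account with no baseline
]

def build_baseline(events, slack_hours=1):
    """Per account: hour window of observed log-ons (widened by slack) and programs used."""
    hours, programs = defaultdict(list), defaultdict(set)
    for ts, account, program in events:
        hours[account].append(datetime.fromisoformat(ts).hour)
        programs[account].add(program)
    return {
        acct: {"start": max(0, min(h) - slack_hours),
               "end": min(23, max(h) + slack_hours),
               "programs": programs[acct]}
        for acct, h in hours.items()
    }

def find_anomalies(baseline, events):
    """Return (timestamp, account, reason) for each event that deviates from the baseline."""
    alerts = []
    for ts, account, program in events:
        profile = baseline.get(account)
        if profile is None:
            alerts.append((ts, account, "no baseline for account"))
            continue
        hour = datetime.fromisoformat(ts).hour
        if not profile["start"] <= hour <= profile["end"]:
            alerts.append((ts, account, "log-on outside baseline hours"))
        if program not in profile["programs"]:
            alerts.append((ts, account, f"program not in baseline: {program}"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(*alert, sep=" | ")
```

In practice the baseline would be built from several weeks of authentication and process logs and rebuilt whenever a supplier's access is re-evaluated.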