Security firm says Sofacy is starting to target organizations in Middle East, Central Asia

Security firm says Sofacy is starting to target organizations in Middle East, Central Asia
© Getty Images

Kaspersky Lab researchers say that a hacking group widely believed to be linked to the Russian government has been executing cyberattacks against a new set of targets in the Far East, including military, defense and diplomatic organizations, according to a new report

The Moscow-based security firm said Friday that Sofacy, commonly known as “Fancy Bear” and “APT28,” is behind new attacks that reach outside of its usual European and NATO-tied targets.

Kaspersky Lab says the group is now branching out to attack groups in the Middle East and Central Asia — largely government, technology, science and military-related organizations in or from Central Asia.


"Their activity in the East has been largely under-reported, but they are clearly not the only threat actor interested in this region, or even in the same targets," Kurt Baumgartner, the principal security researcher at Kaspersky Lab, said in a statement.

Kaspersky Lab said it found certain scenarios where the cyber espionage group's efforts clashed with other cyber predators, which at times led to "a target overlap between very different threat actors."

For example, the researchers found that Sofacy's malware vied for access to certain victims with other cyber espionage groups like the Russian-speaking Turla and the Chinese-speaking Danti.

“As the threat landscape grows ever more crowded and complex, we may encounter more examples of target overlap — and it could explain why many threat actors check victim systems for the presence of other intruders before fully launching their attacks, ” Baumgartner said.

Baumgartner also pointed out that their research suggests Sofacy is overall a calculating and "agile" group, which pushes back on contrary descriptions that portrayed it as carrying out attacks in a "wild and reckless" manner.

The cyber group has been known to use spear-phishing in its attacks, a tactic that uses emails from a trusted source to share a URL link that contains malicious software that can be used to then steal users' information or further infiltrate the receiver's computer system.

Kaspersky Lab has come under heavy scrutiny last year for alleged ties to the Russian government.

The Department of Homeland Security (DHS) banned federal agencies from using products developed by the global cybersecurity company in September, arguing that they could pose a potential security risk because it is based in Moscow.

Although the company has repeatedly maintained that it operates independently of the Russian government, the law enforcement agency said the decision was based on information already available in the public view — like newspaper reports and congressional testimonies.

Congress has made moves to prevent the products from being used, which comes after the intelligence community largely found that Russia meddled in the 2016 presidential election.

In recent months, Kaspersky Lab has become embroiled in a legal battle with the U.S. government over what it says is an unlawful ban.