Threat Brief: Sofacy Group Targeting European and North American Diplomats

Share and earn Cybytes
Facebook Twitter LinkedIn Email


Palo Alto Networks Unit 42 threat research team has just uncovered a new set of attacks by the Sofacy group using malicious emails targeting foreign affairs agencies and ministries in North America and Europe, including a European embassy in Moscow.

Given the significant activity attributed to Sofacy, and the new evidence directly targeting the diplomatic community, Palo Alto Networks wants to ensure that foreign affairs agencies around the world understand how the attacks are carried out, and what agencies and personnel can do to protect themselves.

The Sofacy Group (AKA APT28, Grizzly Steppe, Fancy Bear, STRONTIUM, Sednit, Tsar Team, Pawn Storm) is a well-known hacking organization widely reported to be associated with Russia by the US Intelligence Community, numerous media reports and other cybersecurity companies.  Sofacy Group has been associated with many attacks against targets around the world, including the International Olympic Committee (IOC) in 2018, the World Anti-Doping Agency in 2016, the Dutch Safety Board in 2015, and German, French, Ukrainian, and Dutch political and military targets throughout 2014 through 2018.


How the Attacks are Carried Out: Via Email

These attacks begin with an email sent to a carefully chosen target in the agency. The recent spoofed emails we have seen are forged to appear to come from Jane’s 360 Defense Events to tell the recipient about events coming up in 2018.

  • The actual subject line is “Upcoming Defense events February 2018
  • The sender address falsely claims to be “Jane’s 360 defense events <>
  • The email has a Microsoft Excel spreadsheet attached and urges the recipient to open the attachment Most importantly, the email says “If you have trouble viewing the document you can try to enable content to resolve the issue”

The figure below shows an example.



Once the recipient opens the Excel spreadsheet, she or he does have trouble viewing the document: it opens as a blank spreadsheet. The attackers are relying on the recipient to follow the instruction in the email and click “Enable Content”. You can see below what the spreadsheet looks like and the enable content button.



Clicking the “Enable Content” button is the key to the attack. While it makes the text in the spreadsheet visible and so seems to solve the problem, it’s a trick: It’s really running a program that silently installs a program on the system. This program gives the attackers complete control over the computer and can enable them to copy documents, usernames, passwords, account information and even take screenshots.

How you can protect yourself

There are several things that you can do to help protect against these latest Sofacy attacks and others like it.  With the public awareness of this particular decoy, it is highly likely that the Sofacy group will shift their attacks to spoof emails from a different organization to continue carrying out these attacks.  Additionally, this attack technique is not exclusive to the Sofacy Group.

Therefore, these suggested actions can protect not just against these known attacks but others like it.

  • First: Ensure your agency is running advanced security that can provide protection against attacks like this.
  • Second: You may also want to work with your security team to determine if you received this particular email and if this attack potentially impacted you.
  • Third: Be cautious when opening attachments that you get through email. If you get an unexpected email with an attachment be very wary.
  • Fourth: Be even more cautious when opening an attachment that in some way tells you to “Enable Content”. The “Enable Content” button is actually a security protection in Microsoft Word and Excel: it prevents programs from running. Attackers regularly try to get people to turn off this protection using tricks like we see here.

An unexpected email message with an attachment that says you should “enable content” has a high likelihood of being malicious in some way. If you get an email like this, you shouldn’t open the attachment and click “enable content”. Instead, you should verify that the message and the attachment are legitimate by contacting the sender in some way other than replying to the email (because replying to the email may go back to the attackers who will, of course, say it’s legitimate). Or, just delete the message and report it to your security team.

Palo Alto Networks Unit 42 regularly researches threats like these and provides information about them on our blog.

The post Threat Brief: Sofacy Group Targeting European and North American Diplomats appeared first on Palo Alto Networks Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Palo Alto Networks
Palo Alto Networks is the next-generation security company maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. With our deep cybersecurity expertise, commitment to innovation, and game-changing Next-Generation Security Platform, customers can confidently pursue a digital-first strategy and embark on new technology initiatives, such as cloud and mobility. This kind of thinking and know-how helps customer organizations grow their business and empower employees all while maintaining complete visibility and the control needed to protect their critical control systems and most valued data assets. Our platform was built from the ground up for breach prevention, with threat information shared across security functions system-wide, and designed to operate in increasingly mobile, modern networks. By combining network, cloud and endpoint security with advanced threat intelligence in a natively integrated security platform, we safely enable all applications and deliver highly automated, preventive protection against cyberthreats at all stages in the attack lifecycle without compromising performance. Customers benefit from superior security to what legacy or point products provide and realize a better total cost of ownership.
Promoted Content
Unit 42 Report - Ransomware: Unlocking the Lucrative Criminal Business Model
Ransomware, specifically cryptographic ransomware, has quickly become one of the greatest cyber threats facing organizations around the world. This criminal business model has proven to be highly effective in generating revenue for cyber criminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning across the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – everyone is a potential target. Ransomware has existed in various forms for decades, but in the last several years criminals have perfected the key components of these attacks. This has led to an explosion of new malware families and has drawn new actors into participating in these lucrative schemes.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?