APT28 Changes TTPs, Casts Wide Net with Parallel Attacks

APT28, also known as Fancy Bear or Sofacy, changed their tactics, techniques, and procedures (TTPs) in recent campaigns. According to researchers at Palo Alto Networks, the advanced persistent threat (APT) group attributed to the Russian government engaged in tactics typically conducted by profit-motivated threat actors, targeting a large number of individuals and attempting to deliver several malware variants at once, a technique known as “parallel attacks.” Spear-phishing emails delivered in these campaigns were sent with an attached executable file, a Microsoft Office document containing malicious macros, or an Office document leveraging a Dynamic Data Exchange (DDE) exploit. These files attempted to deliver the Koadic remote access trojan or one of three versions of the Zebrocy backdoor. Users involved with foreign affairs at various government organizations all over the world were targeted in these campaigns.

The NJCCIC recommends that entities which may be considered high-value targets for APT28 operations review the Palo Alto Networks report for more information on recent campaigns, including tactics, techniques, and procedures (TTPs) and associated IOCs. Organizations are advised to educate end users on this and similar threats; implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep antivirus, hardware, and software updated to the latest vendor-supported patch levels to mitigate the exploitation of known vulnerabilities.
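A defender-side check for the DDE delivery vector mentioned above, as an added example that is not from the NJCCIC advisory or the Palo Alto Networks report: it unpacks a .docx, joins field-code runs that Word may split across several XML elements, and flags any DDE or DDEAUTO field. The two .docx samples are constructed in memory and the program path in the DDE sample is a placeholder, not a real indicator.

```python
import html
import io
import re
import zipfile

# Word stores field codes either in w:fldSimple/@w:instr or spread across
# w:instrText runs between fldChar begin/end markers. A code beginning with
# DDE or DDEAUTO asks Word to launch an external program when the document
# is opened, which is the delivery technique the advisory refers to.
PARAGRAPH_RE = re.compile(r"<w:p\b.*?</w:p>", re.DOTALL)
INSTR_TEXT_RE = re.compile(r"<w:instrText\b[^>]*>(.*?)</w:instrText>", re.DOTALL)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"')
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def extract_field_codes(docx_bytes: bytes) -> list[str]:
    """Return every field code string found in the document's word/*.xml parts."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            codes += [html.unescape(m) for m in FLD_SIMPLE_RE.findall(xml)]
            for para in PARAGRAPH_RE.findall(xml):
                # Join split runs so "DDE" + "AUTO ..." is seen as one code.
                joined = "".join(INSTR_TEXT_RE.findall(para))
                if joined.strip():
                    codes.append(html.unescape(joined))
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return the field codes that would trigger DDE when the file is opened."""
    return [c.strip() for c in extract_field_codes(docx_bytes) if DDE_RE.search(c)]


def build_sample_docx(document_xml: str) -> bytes:
    """Build a minimal .docx in memory (constructed test input, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a DDEAUTO code split across two runs (placeholder path),
# and a harmless DATE field that must not be flagged.
DDE_DOC = build_sample_docx(
    '<w:document><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO c:\\placeholder\\app.exe &quot;arg&quot;</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
)
BENIGN_DOC = build_sample_docx(
    '<w:document><w:body><w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "/>'
    '</w:p></w:body></w:document>'
)
```

Legacy binary .doc files and spreadsheet formats store field codes differently and are outside what this check covers.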