A group of Russian-speaking hackers that has targeted politicians, state entities, and companies over the past eight years is continuing to develop its skills, according to an analysis by security researchers.
"Our recent investigation into the Sofacy operations revealed that the cyber-group is extremely active and focused on specific regions," said the report from security company Bitdefender. It said the primary targets of the group are in countries such as Ukraine, Spain, Russia, Romania, the US and Canada.
The group, variously known as the Sofacy Group, APT28, Strontium, Fancy Bear or Sednit, has a particular interest in Ukraine: for example, intrusions often coincided with political events such as the ceasefire in Ukraine's Donbass region.
In the case of Romania, the attacked computers were part of government infrastructure or closely related to it.
APT28 victims are hand-picked, according to Bitdefender, so as not to raise suspicions or trip intrusion detection systems. "It is currently unknown what criteria the APT28 operators used to select targets, but our research identified that they are picked from a list of vulnerable IP addresses prepared beforehand," the report said.
The analysis implies that the group is based in Russia, or is located in a neighbouring country that speaks the language: about 90 percent of the files collected were compiled during times which fit with the working day in central Russia, Georgia and Azerbaijan.
"Russia is the only country that possesses the necessary skills and resources to pull off this kind of attack," Bitdefender researchers said.
The data pulled by the company's experts shows that there are three attack vectors used to infect targets: spear phishing e-mails with crafted Word and Excel documents attached, phishing websites hosted on typosquatted domains and malicious iFrames leading to Java and Flash zero-day exploits.
Bitdefender said that in the past year the hacking group has refined its tools, building even more advanced attack schemes. It now uses multiple backdoors to infect a computer with more than one malicious tool.
As of this year, the group can copy data from air-gapped computers by using a new version of the USB stealing implant, according to a report issued by Kaspersky Lab at the beginning of this month.
According to another report, issued by Microsoft last month, the hacking group took advantage of several newly discovered zero-day exploits. "In other cases, Strontium deployed exploits within days of a vendor releasing a security update that addressed the associated vulnerability, relying on the fact that not everyone installs security updates immediately after they are published," according to the Microsoft report.