Bitdefender technical investigation reveals strategy and likely culprits behind ‘APT28’

December 2015


Russian-speaking threat actors have targeted top European political figures and state agencies for nearly a decade

A technical investigation by Bitdefender, a leading Internet security technology company protecting 500 million users worldwide, indicates that APT28, also known as ‘Sofacy’, is likely run by Russian speakers and targets hand-picked victims in a large-scale intelligence-gathering operation.

The newly released Bitdefender report APT28 Under the Scope – A Journey into Exfiltrating Intelligence and Government Information lays out evidence that Sofacy, which has operated covertly in Europe since 2007, has been used to harvest intelligence on issues of importance to Russia. APT28 activity peaked around international events such as the peace talks between Moscow-backed rebels and government forces in Ukraine, or during the intense media coverage of the Russian “smartplane” PAK FA T-50 fighter (a contender to Lockheed Martin’s F-35).

The report connects the dots between the advanced persistent threat and its operators, adding to a growing body of evidence that countries with advanced technological capabilities are spearheading a new wave of cyber-espionage malware worldwide.

APT28 Under the Scope delves into APT28’s three distinct attack vectors, its exhaustive probing methods for finding new victims, and its targeting of top political figures, government institutions, telecommunication and e-crime services, as well as aerospace companies in Germany, Ukraine and Romania.

“While advanced persistent threat first became a popular term after the discovery of Stuxnet in an Iranian nuclear processing facility more than five years ago, some other threat actors such as the operators of APT28 have managed to covertly gather intelligence for almost a decade,” said Viorel Canja, Head of Antimalware and Antispam Labs at Bitdefender. “Our investigation focused on the APT28 infrastructure and operation particularities, which allowed us to link the threat with its operators and offer a glimpse of how one APT works and who it targets.”