Full Report
The Sednit espionage group, also known as the Sofacy group, APT28 or “Fancy Bear”, has been targeting various institutions for many years. We recently discovered a component the group employed to reach physically isolated computer networks -- “air-gapped” networks -- and exfiltrate sensitive files from them through removable drives.
Analysis Summary
# Threat Actor: Sednit (APT28 / Fancy Bear / Sofacy)
## Attribution & Identity
The threat actor is identified as **Sednit**, also known by the aliases **Sofacy group**, **APT28**, or **“Fancy Bear”**.
## Activity Summary
The Sednit group has been targeting various institutions for many years, with observed activity possibly dating back to at least 2005.
Recent activities mentioned include:
* Performing watering-hole attacks using a custom-built exploit kit (discovered in October 2014).
* Employing a specific tool, detected as **Win32/USBStealer**, designed to reach physically isolated ("air-gapped") networks and exfiltrate data from them using removable drives.
## Tactics, Techniques & Procedures
The core TTP detailed in the article relates to infecting air-gapped networks:
* **Exfiltration from Air-Gapped Networks:** Utilizes removable drives (USB) that bridge Internet-connected machines (Computer A) and isolated machines (Computer B).
* **Persistence on Infected Host (Computer A):** The dropper (`USBSRService.exe`) monitors USB insertion events.
* **Infection Mechanism (Removable Drive):** Drops the payload (`USBGuard.exe`) and an `AUTORUN.INF` file onto the removable drive.
* **AutoRun Exploitation (Historical):** The `AUTORUN.INF` file attempts to execute the payload when the drive is opened, leveraging the Windows AutoRun feature. AutoRun for removable drives was largely disabled by KB971029 in August 2009, which suggests the actor was active before that update or targets systems that never received it.
* **Stealth:** Sets file timestamps to mimic legitimate system files and uses hidden/system attributes for dropped files.
* *MITRE ATT&CK IDs are not explicitly provided in the text.*
## Targeting
* **Sectors:** Governmental institutions.
* **Geography:** Eastern Europe.
* **Victims:** Governmental institutions (specific names not provided).
* **Focus:** Precise targeting is indicated by the specific file names sought by the automatic extraction procedure.
## Tools & Infrastructure
* **Malware families used:**
  * **Dropper:** Detected as `Win32/USBStealer.D` (filename `USBSRService.exe`). Mimics the legitimate Russian software "USB Disk Security."
  * **Payload:** Detected as `Win32/USBStealer.A` (filename `USBGuard.exe`).
  * **Component File:** `AUTORUN.INF`.
* **Associated Campaign/Toolset:** Custom-built exploit kit for watering-hole attacks.
* **Infrastructure:** The article mentions the group's activity in the context of **Operation Pawn Storm**, but no specific C2 domains or IPs are provided for the USBStealer component itself (the dropper has no ability to communicate over the Internet).
## Implications
The Sednit group is a long-standing, sophisticated threat actor (possibly active since 2005) capable of executing highly specialized attacks against the most secure environments (air-gapped networks). Its ability to operate across a physical isolation boundary indicates significant access and operational discipline. Targeting governmental institutions suggests nation-state espionage objectives.
## Mitigations
Focus on preventing the bridging of security domains via removable media:
1. Strictly control the use of removable media, especially between external/Internet-connected systems and sensitive, isolated networks.
2. Ensure all systems, especially legacy or isolated machines (which may be hard to update), have Windows updates (like KB971029) or security configurations addressing AutoRun features fully applied.
3. Monitor for the presence of files like `USBGuard.exe` or `AUTORUN.INF` on network endpoints and removable media.
4. Investigate suspicious behavior related to USB insertion events and file modification timestamps.
5. Check for IOCs such as mutexes (`ZXCVMutexHello`, `USB_Flash`) and specific registry run keys associated with the dropper and payload.
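As an added example (not code from the ESET report or from the Sednit tooling), a small Python triage routine covering the TTPs above and mitigation items 3 and 4: it parses an `AUTORUN.INF` for launch directives and flags files on a removable drive that are launched by it, match the report's filenames, carry hidden+system attributes, or have a modification time identical to a reference system file. The `AUTORUN.INF` text, the drive listing and the reference timestamp are constructed sample data.

```python
from datetime import datetime
KNOWN_NAMES = {"usbguard.exe", "usbsrservice.exe"}  # filenames from the report
# Constructed: mtime of a genuine host system file; an exact match is suspicious.
SYSTEM_REF_MTIME = datetime(2009, 7, 14, 1, 39, 0)

SAMPLE_AUTORUN = """[autorun]
; constructed sample, not recovered from a real infection
open=USBGuard.exe
shell\\open\\command=USBGuard.exe /auto
"""
SAMPLE_LISTING = [  # constructed: (name, attribute letters, modification time)
    ("AUTORUN.INF", "HS", SYSTEM_REF_MTIME),
    ("USBGuard.exe", "HS", SYSTEM_REF_MTIME),
    ("budget.xlsx", "A", datetime(2014, 10, 2, 9, 15, 0)),
]

def autorun_targets(text):
    """Executables launched via open=, shellexecute= or shell\\<verb>\\command=."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (p.strip() for p in line.lower().split("=", 1))
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.extend(value.split()[:1])  # first token only; args dropped
    return targets

def triage(listing, autorun_text):
    """Return (filename, reason) findings matching the USBStealer drive pattern."""
    launched = set(autorun_targets(autorun_text))
    findings = []
    for name, attrs, mtime in listing:
        lname = name.lower()
        if lname in launched:
            findings.append((name, "launched by AUTORUN.INF"))
        if lname in KNOWN_NAMES:
            findings.append((name, "filename matches USBStealer report"))
        if "H" in attrs and "S" in attrs:
            findings.append((name, "hidden+system attributes"))
        if mtime == SYSTEM_REF_MTIME:
            findings.append((name, "mtime copied from a system file"))
    return findings
```

On a real drive, build the listing from `os.scandir` plus the file attributes and take the reference mtime from a system binary on the host; any file hit on more than one reason deserves a closer look.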