Cyber Incident Victim: US municipal government
Date: Jun 2016
Location: United States of America

Summary
A cyberespionage group known as Sofacy or APT28 targeted a US government entity using spear-phishing emails appearing to originate from a compromised foreign ministry account. The emails contained a malicious RTF file attachment referencing a joint military exercise, delivering a Carberp-based Trojan variant with a novel persistence mechanism that only activates when Microsoft Office applications are launched. This technique aimed to evade detection by avoiding standard startup execution. The campaign employed a newly created command-and-control server with no prior observed connections to the group, suggesting infrastructure tailored for this operation. Security researchers assessed the sender's account was likely breached rather than spoofed, indicating potential broader compromises. The incident demonstrated the group's evolving tactics to selectively target high-value systems while obscuring their activities.
Description
In June 2016, the Sofacy cyberespionage group (also known as APT28) conducted a spear-phishing campaign targeting United States government entities. The attackers sent emails appearing to originate from a compromised email account belonging to the ministry of foreign affairs of an unspecified foreign government, with security analysts noting a high likelihood the account was genuinely compromised rather than spoofed. These emails used the subject line "FW: Exercise Noble Partner 2016" and contained an RTF file attachment named "Exercise_Noble_Partner_16.rtf," referencing a joint military exercise between the United States and Georgia. When opened, the attachment deployed a Carberp-variant Sofacy Trojan featuring a novel persistence mechanism not observed in prior attacks. Unlike conventional malware that activates upon system startup, this variant only initiated when users launched Microsoft Office applications like Word, Excel, or PowerPoint, demonstrating deliberate design to evade detection by limiting operational windows to periods of legitimate user activity.

Security researchers from Palo Alto Networks' Unit 42 identified the campaign and documented its technical specifications. The malware communicated with a single command-and-control server that appeared to have been newly created for this operation, with no historical links to previous Sofacy infrastructure based on passive DNS analysis. The group's tactics aligned with its established pattern of cyberespionage operations against governmental targets, including prior campaigns such as Operation Pawn Storm, which targeted NATO, Ukrainian activists, and Russian separatists. German intelligence agencies accused Sofacy of targeting their government and parliament in the same timeframe. While the full impact on U.S. systems was not publicly disclosed, the incident underscored Sofacy's continued refinement of tradecraft, particularly its development of targeted activation triggers and its use of compromised legitimate email accounts to make social engineering more convincing.
