
Cyber Incident Victim: United States government
Date: Jun 2016
Location: United States of America

Summary

A cyberespionage group known as Sofacy or APT28 conducted a spear-phishing campaign targeting the United States government, using a compromised email account from a foreign ministry to send malicious RTF attachments disguised as documents related to a military exercise. The attack deployed a novel Carberp malware variant featuring a persistence mechanism that activated only when Microsoft Office applications were launched, enhancing evasion capabilities by avoiding standard startup detection. The operation utilized a newly created command-and-control server with no prior links to the group's activities, indicating tailored infrastructure for this campaign.


Description

On June 14, 2016, cybersecurity researchers at Palo Alto Networks identified a targeted cyberespionage campaign conducted by the Sofacy group (also known as APT28) against the United States government. The attackers sent spear-phishing emails appearing to originate from a compromised email account belonging to the ministry of foreign affairs of an unspecified foreign government. These emails used the subject line "FW: Exercise Noble Partner 2016" and contained a malicious RTF file attachment named "Exercise_Noble_Partner_16.rtf," referencing a joint military exercise between the United States and Georgia. Security analysis confirmed the attachment delivered a variant of the Sofacy Trojan known as Carberp, which incorporated a previously unseen persistence mechanism designed to evade detection. Unlike conventional malware that activates upon system startup, this variant only initiated when users launched Microsoft Office applications such as Word, Excel, or PowerPoint, demonstrating deliberate operational refinement by the threat actors.


Palo Alto Networks determined with high confidence that the sender's email address was not spoofed but had been legitimately compromised, indicating prior unauthorized access to the foreign ministry's account. The campaign employed a single command-and-control server that showed no historical connections to previous Sofacy operations, with passive DNS analysis revealing no correlations to earlier attacks. This infrastructure appeared newly created for this specific operation. The Sofacy group's activities were linked to broader geopolitical cyberespionage patterns, including German intelligence allegations of Russian state connections and prior campaigns such as Operation Pawn Storm targeting NATO, Ukrainian activists, and Russian separatists. The incident highlighted continued evolution in attacker tradecraft through novel persistence techniques and infrastructure compartmentalization, though specific containment measures or direct operational impacts on US government systems were not detailed in available reporting.
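The persistence behaviour described above (a payload that loads only when an Office application starts) is the kind of thing a startup-folder or Run-key audit misses, so a hunt has to key on Office-specific load points and on what Office processes actually load. The following script is an added example, not code from this page or from the Palo Alto Networks report, and it does not claim to reproduce the exact mechanism of this Carberp variant, which the page does not name. It assumes Sysmon-style records with EventID, Image, TargetObject, Details, ImageLoaded and Signed fields, treats the documented Office "Test\Special\Perf" load-time registry key (MITRE ATT&CK T1137.002) as one assumed persistence location, and runs over constructed sample events; the user name, SID and DLL name in them are invented.

```python
"""
Hunt for Office-launch persistence in Sysmon-style event records.

Two signals are checked:
  1. Registry value writes (Sysmon Event ID 13) under the Office
     "Test\Special\Perf" keys, a documented load-time persistence
     location (MITRE ATT&CK T1137.002). This is an assumed location for
     illustration; the page does not name the key the variant used.
  2. Image loads (Sysmon Event ID 7) where an Office process loads an
     unsigned DLL from a user-writable directory.
"""
import re
from dataclasses import dataclass

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Registry path under which a DLL is loaded whenever an Office app starts.
OFFICE_TEST_KEY_RE = re.compile(
    r"\\software\\microsoft\\office test\\special\\perf", re.IGNORECASE)

# User-writable locations an Office-loaded DLL should not normally come from.
USER_WRITABLE_RE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp)\\",
    re.IGNORECASE)

# Field parser for 'Key=value Key="quoted value"' records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def parse_event(line):
    """Parse one 'Key=value' record into a dict (quoted values may contain spaces)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def hunt(lines):
    """Return a Finding for every record that matches one of the two signals."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = int(ev.get("EventID", 0))
        if eid == 13 and OFFICE_TEST_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(Finding(
                "office-test-registry-persistence", eid,
                f'{ev.get("Image")} wrote {ev.get("TargetObject")} -> {ev.get("Details")}'))
        elif eid == 7:
            proc = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            loaded = ev.get("ImageLoaded", "")
            if (proc in OFFICE_PROCESSES
                    and USER_WRITABLE_RE.match(loaded)
                    and ev.get("Signed", "").lower() != "true"):
                findings.append(Finding(
                    "office-loads-unsigned-user-dll", eid, f"{proc} loaded {loaded}"))
    return findings


# Constructed sample records (invented paths, SID and DLL name), not real telemetry.
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe"',
    r'EventID=13 Image="C:\Users\alice\AppData\Local\Temp\dropper.exe" '
    r'TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Office test\Special\Perf\(Default)" '
    r'Details="C:\Users\alice\AppData\Roaming\example_persist.dll"',
    r'EventID=7 Image="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" '
    r'ImageLoaded="C:\Windows\System32\kernel32.dll" Signed=true',
    r'EventID=7 Image="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" '
    r'ImageLoaded="C:\Users\alice\AppData\Roaming\example_persist.dll" Signed=false',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The benign Word load of kernel32.dll from System32 produces no finding; the registry write to the Office load-time key and the unsigned DLL loaded by WINWORD.EXE from AppData each do. In a real deployment the same two rules would run over the Sysmon event log or a SIEM export rather than the embedded list.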
