The New Sophistication Of Nation-State Hacking

The renowned Russian hacker goup known as Fancy Bear has expanded its repertoire to more than 30 commands for infecting systems, executing code, and reconnaissance, researchers have found. Zebrocy malware, widely considered to be part of the infamous APT28/Fancy Bear Russian cyber-espionage group's toolset, now has more than 30 commands for reconnoitering compromised systems and spreading across networks.

Researchers from security firm ESET  have published new findings on the attack tool, which improves upon the older Sofacy backdoor, and combines downloaders and remote administration tools to allow attackers to control compromised systems. 

Both programs have been linked to the Russian cyber-espionage group that has been blamed for cyberattacks on the nation of Georgia prior to Russia's 2008 invasion and for stealing e-mail and data from the US Democratic National Committee prior to the 2016 presidential election. 

ESET used telemetry generated by systems using its security agent to observe the initial Zebrocy infection via spearphishing attacks and subsequent commands, the company stated in an analysis. 

"We were able to monitor the way they use the Zebrocy malware after they infected their target, including all the interactions they had with the infected systems, and gain some intelligence," says Alexis Dorais-Joncas, security intelligence team lead for ESET. 

"It is an updated modus operandi used by the group in the way ... they perform their initial infection."

The research sheds light on a tool that has become a major part of the operations of a long-running cyber espionage group.

While ESET does not explicitly attribute the attacks to Fancy Bear, analyses by other companies have explicitly connected the use of the tool to the group. Earlier this year, security firm Kaspersky Lab noted that Zebrocy, once a component of the Sofacy backdoor package in 2015, had rapidly become a popular tool, especially for use against government systems in Central Asia.

"Zebrocy continues to maintain a higher level of volume attacking local and remote ex-USSR republic Central Asian targets than other clusters of targeted Sofacy activity," Kaspersky Lab concluded in its analysis. "Also interesting with this Sofacy sub-group is the innovation that we continue to see within their malware development."

ESET's research, meanwhile, highlights the rapidity with which the group behind Zebrocy has innovated with its tools and techniques. APT28/Fancy Bear is one of the original Russian cyber-operations groups tracked by security firms and government intelligence. 

Known also as Sofacy, STRONTIUM, and the Sednit group, ESET's preferred name, the group has actively developed its toolbox of hacking programs.

In 2018, for example, ESET discovered that the Sednit group had successfully deployed a Unified Extensible Firmware Interface (UEFI) rootkit, dubbed LoJax, which infects the basic hardware operating system and can survive rebooting the system.

"Three years ago, the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia," ESET wrote in its analysis. "Since then, the number and diversity of components has increased drastically."

The group has mainly targeted embassies, ministries, and diplomats in Azerbaijan, Bosnia and Herzegovina, Egypt, Georgia, Iran, Kazakhstan, Korea, Kyrgyzstan, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay and Zimbabwe, according to ESET.

How it Works
Zebrocy consists of two downloaders, one written in the Delphi scripting language and another in the AutoIt scripting language. Only one of the two downloaders need to run to install a backdoor, the third Zebrocy component, onto a targeted system.

Once installed, the operators would quickly perform reconnaissance on the system and gather operating system and file information, as well as other details about the system.

"The operators would quickly perform a reconnaissance phase to understand the kind of target that they just managed to infect," says Dorais-Joncas. "They get information like the operating system, even some screenshots from the infected machines, get some networking information, IT configuration, and things like that." 

In some cases, the first downloader installed another component whose purpose is currently being studied, according to ESET.

"The very short timeframe where this backdoor is on the system and operating makes it harder to retrieve....once its operators complete their evil deeds, they quickly remove it."

Finally, because the commands issued after the initial installation are the same and executed very quickly, ESET suggested that they might be automated, rather than waiting for a member of the Sednit group to manually attack the system.

"They are gathering a considerable amount of information on the compromised target and they are not worried about duplicated data," the report stated. "It shows a large gap between the development strategy and what operators do in practice.

Backdoors with custom configuration and modules are deployed very carefully, which indicates some precautions to avoid ending up in the hands of researchers."

Dark Reading:         

You Might Also Read:

Britain Hacks Back:

Israel Responds To A Cyber Attack With Bombs:

 

« The Human Cost Of Cyberwar
A Cyber Toolkit For Small Business »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Cybereason

Cybereason

Cybereason provides attack protection with cutting edge EDR and XDR, and industry recognized consulting services to support organizations throughout any stage of the incident lifecycle.

Think Cyber Security (ThinkCyber)

Think Cyber Security (ThinkCyber)

ThinkCyber is a Tel Aviv-based Israeli company with a team of cybersecurity professionals who are experts in both information and operations technology.

SecuLution

SecuLution

SecuLution is an Antivirus product using Application Whitelisting which offers much more protection than Virus Scanners ever can.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Dataprovider.com

Dataprovider.com

Our Brand Protection Suite gives you the tools to discover trademark infringement on the Internet, such as websites selling counterfeit products, even when this is not immediately noticeable.

Intracom Telecom

Intracom Telecom

Intracom Telecom is a global telecommunication systems & solutions vendor offering a complete range of professional services and solutions including Information Security.

ramsac

ramsac

ramsac provide secure, resilient IT management, cybersecurity, 24 hour support and IT strategy to businesses in London and the South East.

CyberXposure

CyberXposure

CyberXposure has been built by a team comprising of Cyber Security Professionals and SAAS experts in data backup, disaster recovery and cyber-security.

Keytos

Keytos

Keytos has revolutionized the Identity Management and PKI industry by creating cryptographic tools that allow you to go password-less by making security transparent to the user.

vpnMentor

vpnMentor

We started vpnMentor to offer users a really honest, committed and helpful tool when navigating VPNs and web privacy.

NewsGuard Technologies

NewsGuard Technologies

NewsGuard provides transparent tools to counter misinformation for readers, brands, and democracies.

Dispel

Dispel

Dispel makes the fastest secure remote access for industrial networks. Built by operators for operators: a zero trust engine for your entire OT, IoT, and xIoT stack.

Liverton Security

Liverton Security

Liverton Security is a New Zealand-owned cyber security provider offering consultancy and security-related products to government and commercial customers throughout New Zealand.

Securafy

Securafy

At Securafy, we understand how important it is to have the right IT partner by your side. For over 30 years, we’ve helped businesses stay secure, connected, and compliant.

Hurricane Labs

Hurricane Labs

Hurricane Labs is a managed security services provider (MSSP) that focuses on Splunk.

FSP

FSP

FSP is a leading consultancy specialising in Digital, Security and AI solutions. We navigate the complexities of data sensitivity, confidentiality, governance and compliance.