Pulse Detail — Threat Intelligence

PULSE NAME

En Route with Sednit

WHITE Sofacy AlienVault 2016-10-20 Modified: 2019-10-24

114

IOCs

HIGH VOLUME

The Sednit group—variously also known as APT28, Fancy Bear, Sofacy, Pawn Storm, STRONTIUM and Tsar Team—is a group of attackers operating since 2004 if not earlier, whose main objective is to steal confidential information from specific targets. Over the past two years, this group’s activity has increased significantly, with numerous attacks against government departments and embassies all over the world. Among their most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde [3]. Moreover, the Sednit group has a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics

Indicators of Compromise (114)

All domain hostname FileHash-SHA1 CVE Mutex YARA

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	nato-news.com	—	2016-10-20
domain	ausameetings.com	—	2016-10-20
domain	shurl.biz	—	2016-10-20
domain	military-info.eu	—	2016-10-20
domain	unian-news.info	—	2016-10-20
domain	stratforglobal.net	—	2016-10-20
domain	diplomatnews.org	—	2016-10-20
domain	dailyforeignnews.com	—	2016-10-20
domain	natopress.com	—	2016-10-20
domain	militaryadviser.org	—	2016-10-20
domain	natoint.com	—	2016-10-20
domain	osce-press.org	—	2016-10-20
domain	politicalreview.eu	—	2016-10-20
domain	worldpoliticsreviews.com	—	2016-10-20
domain	osce-info.com	—	2016-10-20
domain	unitednationsnews.eu	—	2016-10-20
domain	defencereview.eu	—	2016-10-20
domain	euroreport24.com	—	2016-10-20
domain	worldpostjournal.com	—	2016-10-20
domain	thediplomat-press.com	—	2016-10-20
domain	bbc-press.org	—	2016-10-20
domain	worldmilitarynews.org	—	2016-10-20
domain	trend-news.org	—	2016-10-20
domain	cnnpolitics.eu	—	2016-10-20
domain	worldpoliticsnews.org	—	2016-10-20
domain	aljazeera-news.com	—	2016-10-20
domain	euronews24.info	—	2016-10-20
domain	swsupporttools.com	—	2016-10-20
domain	nato-hq.com	—	2016-10-20
domain	kg-news.org	—	2016-10-20
domain	theguardiannews.org	—	2016-10-20
domain	militaryobserver.net	—	2016-10-20
domain	dailypoliticsnews.com	—	2016-10-20
domain	defenceiq.us	—	2016-10-20
domain	politicsinform.com	—	2016-10-20
domain	virusdefender.org	—	2016-10-20
domain	reuters-press.com	—	2016-10-20
domain	pakistan-mofa.net	—	2016-10-20
hostname	www.winupdatesysmic.com	—	2016-10-20
hostname	www.dataclen.org	—	2016-10-20
hostname	www.mscoresvw.com	—	2016-10-20
hostname	www.windowscheckupdater.net	—	2016-10-20
hostname	www.acledit.com	—	2016-10-20
hostname	www.biocpl.org	—	2016-10-20
hostname	www.storsvc.org	—	2016-10-20
hostname	www.tabsync.net	—	2016-10-20
hostname	www.capisp.com	—	2016-10-20
FileHash-SHA1	ed9f3e5e889d281437b945993c6c2a80c60fdedc	—	2016-10-20
FileHash-SHA1	e742b917d3ef41992e67389cd2fe2aab0f9ace5b	—	2016-10-20
FileHash-SHA1	17661a04b4b150a6f70afdabe3fd9839cc56bee8	—	2016-10-20
FileHash-SHA1	90c3b756b1bb849cba80994d445e96a9872d0cf5	—	2016-10-20
FileHash-SHA1	9b276a0f5fd824c3dff638c5c127567c65222230	—	2016-10-20
FileHash-SHA1	3956cfe34566ba8805f9b1fe0d2639606a404cd4	—	2016-10-20
FileHash-SHA1	351c3762be9948d01034c69aced97628099a90b0	—	2016-10-20
FileHash-SHA1	ef755f3fa59960838fa2b37b7dedce83ce41f05c	—	2016-10-20
FileHash-SHA1	80dca565807fa69a75a7dd278cef1daaee34236e	—	2016-10-20
FileHash-SHA1	c2e8c584d5401952af4f1db08cf4b6016874ddac	—	2016-10-20
FileHash-SHA1	76053b58643d0630b39d8c9d3080d7db5d017020	—	2016-10-20
FileHash-SHA1	21835aafe6d46840bb697e8b0d4aac06dec44f5b	—	2016-10-20
FileHash-SHA1	5c3e709517f41febf03109fa9d597f2ccc495956	—	2016-10-20
FileHash-SHA1	d85e44d386315b0258847495be1711450ac02d9f	—	2016-10-20
FileHash-SHA1	a43ef43f3c3db76a4a9ca8f40f7b2c89888f0399	—	2016-10-20
FileHash-SHA1	a857bccf4cc5c15b60667ecd865112999e1e56ba	—	2016-10-20
FileHash-SHA1	e7f7f6caaede6cc29c2e7e4888019f2d1be37cef	—	2016-10-20
FileHash-SHA1	10686cc4e46cf3ffbdeb71dd565329a80787c439	—	2016-10-20
FileHash-SHA1	99f927f97838eb47c1d59500ee9155adb55b806a	—	2016-10-20
FileHash-SHA1	63d1d33e7418daf200dc4660fc9a59492ddd50d9	—	2016-10-20
FileHash-SHA1	e5fb715a1c70402774ee2c518fb0e4e9cd3fdcff	—	2016-10-20
FileHash-SHA1	f7608ef62a45822e9300d390064e667028b75dea	—	2016-10-20
FileHash-SHA1	6fb3fd8c2580c84314b14510944700144a9e31df	—	2016-10-20
FileHash-SHA1	51e42368639d593d0ae2968bd2849dc20735c071	—	2016-10-20
FileHash-SHA1	51b0e3cd6360d50424bf776b3cd673dd45fd0f97	—	2016-10-20
FileHash-SHA1	842b0759b5796979877a2bac82a33500163ded67	—	2016-10-20
FileHash-SHA1	b8aabe12502f7d55ae332905acee80a10e3bc399	—	2016-10-20
FileHash-SHA1	c345a85c01360f2833752a253a5094ff421fc839	—	2016-10-20
FileHash-SHA1	f024dbab65198467c2b832de9724cb70e24af0dd	—	2016-10-20
FileHash-SHA1	a5fca59a2fae0a12512336ca1b78f857afc06445	—	2016-10-20
FileHash-SHA1	d3aa282b390a5cb29d15a97e0a046305038dbefe	—	2016-10-20
FileHash-SHA1	9fc43e32c887b7697bf6d6933e9859d29581ead0	—	2016-10-20
FileHash-SHA1	4d5e923351f52a9d5c94ee90e6a00e6fced733ef	—	2016-10-20
FileHash-SHA1	c1eae93785c9cb917cfb260d3abf6432c6fdaf4d	—	2016-10-20
FileHash-SHA1	0f7893e2647a7204dbf4b72e50678545573c3a10	—	2016-10-20
FileHash-SHA1	2c86a6d6e9915a7f38d119888ede60b38ab1d69d	—	2016-10-20
FileHash-SHA1	d9989a46d590ebc792f14aa6fec30560dfe931b1	—	2016-10-20
FileHash-SHA1	4fae67d3988da117608a7548d9029caddbfb3ebf	—	2016-10-20
FileHash-SHA1	015425010bd4cf9d511f7fcd0fc17fc17c23eec1	—	2016-10-20
FileHash-SHA1	69d8ca2a02241a1f88a525617cf18971c99fb63b	—	2016-10-20
FileHash-SHA1	b4a515ef9de037f18d96b9b0e48271180f5725b7	—	2016-10-20
FileHash-SHA1	8f99774926b2e0bf85e5147aaca8bbbbcc5f1d48	—	2016-10-20
FileHash-SHA1	2663eb655918c598be1b2231d7c018d8350a0ef9	—	2016-10-20
FileHash-SHA1	f3d50c1f7d5f322c1a1f9a72ff122cac990881ee	—	2016-10-20
FileHash-SHA1	b7788af2ef073d7b3fb84086496896e7404e625e	—	2016-10-20
CVE	CVE-2015-1701	—	2016-10-20
CVE	CVE-2015-7645	—	2016-10-20
CVE	CVE-2015-1641	—	2016-10-20
CVE	CVE-2012-0158	—	2016-10-20
CVE	CVE-2015-4902	—	2016-10-20
CVE	CVE-2009-3129	—	2016-10-20
CVE	CVE-2014-1761	—	2016-10-20
CVE	CVE-2015-2424	—	2016-10-20
CVE	CVE-2013-2729	—	2016-10-20
CVE	CVE-2010-3333	—	2016-10-20
CVE	CVE-2015-3043	—	2016-10-20
CVE	CVE-2015-2590	—	2016-10-20
CVE	CVE-2016-4117	—	2016-10-20
Mutex	//dfc01ell6zsq3-ufhhf	—	2016-10-20
Mutex	\BaseNamedObjects\513AbTAsEpcq4mf6TEacB	—	2016-10-20
Mutex	\BaseNamedObjects\ASLIiasiuqpssuqkl713h	—	2016-10-20
Mutex	\BaseNamedObjects\B5a20F03e6445A6987f8EC87913c9	—	2016-10-20
Mutex	\BaseNamedObjects\sSbydFdIob6NrhNTJcF89uDqE2	—	2016-10-20
Mutex	\BaseNamedObjects\ASijnoKGszdpodPPiaoaghj8127391	—	2016-10-20
YARA	60cb1f35ae0a91dbf601ad64e778744db7af66dd	—	2017-07-25
FileHash-SHA1	90d17ebd75ce7ff4f15b2df951572653efe2ea17	—	2017-07-25
FileHash-SHA1	acf181d6c2c43356e92d4ee7592700fa01e30ffb	—	2017-07-25

References (2)

↗ http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-under-the-microscope/ ↗ https://github.com/eset/malware-ioc/blob/master/sednit/part1.adoc