Microsoft has singled out Sofacy, an APT group long thought to have ties to Russia’s military intelligence arm GRU, as the entity behind targeted attacks leveraging Windows kernel and Adobe Flash zero days. The group, which Microsoft calls Strontium, is also known as APT28, Tsar Team and Sednit, among other identifiers.
Microsoft said the zero-day vulnerability, whose existence and limited details were disclosed on Monday by Google, will be patched Nov. 8. Google said yesterday that it privately disclosed both zero days, which were used in tandem in these targeted attacks against unknown victims, to Microsoft and Adobe on Oct. 21. Adobe rushed an emergency patch for Flash Player on Oct. 26, while Microsoft had not acknowledged the vulnerability until Google’s disclosure. Microsoft was critical of Google’s action yesterday and reiterated its stance today in a post providing some details on the vulnerability and the attacks.
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” said Terry Myerson, executive vice president of the Windows and Devices Group at Microsoft. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
Microsoft added that it is coordinating with Google and Adobe on the patch, which is being tested by partners. Nov. 8 is Microsoft’s next scheduled patch release. Microsoft said that the attacks were spreading in what it called a “low volume” spear phishing campaign. Sofacy’s targets are largely strategic: government agencies, diplomatic institutions, military organizations, defense contractors and public policy research institutes.