# Full Report
Zebrocy is the name given to a subset of the Sofacy group (aka Fancy Bear, Sednit, APT28, Tsar Team, etc.). GreyEnergy and Zebrocy used the same servers at the same time and attacked the same organization.
# Analysis Summary
# Threat Actor: Zebrocy
## Attribution & Identity
**Zebrocy** is identified as a distinct subset or specialized unit operating within the broader **Sofacy** umbrella (also known as **Fancy Bear, APT28, Sednit, STRONTIUM, and Tsar Team**). While traditionally linked to Sofacy, research indicates a high-confidence operational overlap with **GreyEnergy** (a successor to BlackEnergy/Sandworm), suggesting cross-group collaboration or shared infrastructure management.
## Activity Summary
Recent investigations highlight a direct nexus between Zebrocy and GreyEnergy operations. The two groups were observed utilizing the same command-and-control (C2) servers simultaneously to target the same industrial organization. Zebrocy typically acts as a fast-moving reconnaissance and data exfiltration stage, often preceding or running alongside more destructive or long-term persistence actors like GreyEnergy.
## Tactics, Techniques & Procedures
- **Spear-phishing:** Primary initial access vector using malicious attachments (Excel, Word with macros).
- **Simultaneous Multi-Stage Attacks:** Deploying multiple malware strands from different actor sets to ensure redundancy.
- **Rapid Exfiltration:** Designed for "smash-and-grab" operations to quickly identify and exfiltrate sensitive data.
- **Shared Infrastructure:** Utilizing the same IP addresses for C2 communication across different malware families.
- **Living off the Land (LotL):** Use of legitimate administrative tools to blend in with network traffic.
## Targeting
- **Sectors:** Industrial Control Systems (ICS), Energy, Government, Military, and Defense.
- **Geography:** Primarily Eastern Europe, Central Asia, and occasionally Western diplomatic targets.
- **Victims:** At least one specific industrial organization was targeted by both Zebrocy and GreyEnergy concurrently.
## Tools & Infrastructure
- **Malware Families:**
  - **Zebrocy (Delphi, Go, and AutoIt versions):** Modular malware used for system profiling and file theft.
  - **GreyEnergy:** Highly modular framework for espionage and potential sabotage.
- **Infrastructure:**
  - C2 Server: `194.187.249[.]103` (historically associated with GreyEnergy, but used to host Zebrocy components)
  - C2 Server: `185.25.204[.]140`
  - Domain: `it-pro-center[.]com` (defanged)
## Implications
The overlap suggests a blurring of lines between "separate" Russian-aligned threat actors (Sofacy and BlackEnergy lineage). This indicates either a centralized resource-sharing hub (a "Quartermaster" model) or a high level of operational coordination where one group (Zebrocy) performs initial compromise and reconnaissance, while another (GreyEnergy) maintains long-term access for more complex objectives like industrial sabotage.
## Mitigations
- **Email Security:** Implement robust attachment filtering and macro-blocking policies for Microsoft Office documents.
- **Network Segmentation:** Isolate ICS/OT environments from corporate IT networks to prevent lateral movement.
- **Endpoint Monitoring:** Monitor for Delphi and Go-based binaries executing from temporary directories (`%AppData%`, `%Temp%`).
- **Threat Hunting:** Regularly sweep the environment for the defanged IPs (`194.187.249[.]103` and `185.25.204[.]140`) and for associated unusual traffic patterns.
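As an added example (not part of the report), a small Python hunt script that refangs the indicators listed above and sweeps constructed proxy-log lines and Sysmon-style process events for them, flagging binaries launched from `%AppData%`/`%Temp%` and raising severity when the parent is an Office process. The log format, field names, host names and file names are assumptions.

```python
import re

# Indicators exactly as the report publishes them (defanged).
DEFANGED_IOCS = ["194.187.249[.]103", "185.25.204[.]140", "it-pro-center[.]com"]

# Path fragments for the staging directories the report names (%AppData%, %Temp%).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\")

# Constructed sample input: proxy/flow log lines and Sysmon-style process events (not real data).
SAMPLE_NETWORK_LOG = [
    "2019-01-10T09:12:01Z src=10.0.5.21 dst=194.187.249.103 dport=443 bytes=18342",
    "2019-01-10T09:12:04Z src=10.0.5.21 dst=93.184.216.34 dport=443 bytes=512",
    "2019-01-10T09:13:11Z src=10.0.5.30 host=update.it-pro-center.com uri=/check",
    "2019-01-10T09:14:00Z src=10.0.5.30 dst=185.25.204.1400 dport=80 bytes=0",
]
SAMPLE_PROCESS_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"Image": "C:\\Users\\jdoe\\AppData\\Roaming\\Upd\\upd.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\report.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
]

def refang(indicator):
    """Turn a defanged indicator back into its matchable form ('[.]' -> '.', 'hxxp' -> 'http')."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def ioc_pattern(indicator):
    """Whole-token regex: an IP must match exactly; a domain also matches as the parent of a subdomain."""
    plain = refang(indicator)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", plain):
        return re.compile(r"(?<![\d.])" + re.escape(plain) + r"(?![\d.])")
    return re.compile(r"(?<![\w-])" + re.escape(plain) + r"(?![\w-])")

def hunt_network(log_lines, iocs=DEFANGED_IOCS):
    """Return (line_number, refanged_ioc) for every log line carrying one of the indicators."""
    patterns = [(refang(ioc), ioc_pattern(ioc)) for ioc in iocs]
    return [(n, ioc) for n, line in enumerate(log_lines, 1)
            for ioc, pat in patterns if pat.search(line.lower())]

def hunt_process(events):
    """Return (image, severity) for binaries run from %AppData%/%Temp%; an Office parent means 'high'."""
    flagged = []
    for ev in events:
        image = ev.get("Image", "")
        if any(marker in image.lower() for marker in SUSPICIOUS_DIRS):
            office_parent = "microsoft office" in ev.get("ParentImage", "").lower()
            flagged.append((image, "high" if office_parent else "medium"))
    return flagged
```

Note that the trailing-digit check keeps `185.25.204.1400` from matching `185.25.204[.]140`, a common source of false positives in naive substring sweeps.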