Where am I?
SECURITM is an SGRC system that automates the processes of an information security department. SECURITM helps build and manage protection for personal data systems (ISPDn), critical information infrastructure (KII), state information systems (GIS), ISMS, and banking security systems.
SECURITM is also a place where security teams exchange experience and working materials.

APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
ID: G0007
Associated Groups: Sednit, Sofacy, Group 74, Swallowtail, Pawn Storm, TG-4127, Threat Group-4127, IRON TWILIGHT, GruesomeLarch, Forest Blizzard, FROZENLAKE, STRONTIUM, Tsar Team, Fancy Bear, SNAKEMACKEREL
Version: 5.2
Created: 31 May 2017
Last Modified: 10 Mar 2025

Associated Group Descriptions

Name Description
Sednit This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)
Sofacy This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)
Group 74 (Citation: Talos Seduploader Oct 2017)
Swallowtail (Citation: Symantec APT28 Oct 2018)
Pawn Storm (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020)
TG-4127 (Citation: SecureWorks TG-4127)
Threat Group-4127 (Citation: SecureWorks TG-4127)
IRON TWILIGHT (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)
GruesomeLarch (Citation: Nearest Neighbor Volexity)
Forest Blizzard (Citation: Microsoft Threat Actor Naming July 2023)
FROZENLAKE (Citation: Leonard TAG 2023)
STRONTIUM (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
Tsar Team (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)
Fancy Bear (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
SNAKEMACKEREL (Citation: Accenture SNAKEMACKEREL Nov 2018)

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.(Citation: FireEye Op RussianDoll)

Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

APT28 has used a Powershell cmdlet to grant the ApplicationImpersonation role to a compromised account.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
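The ApplicationImpersonation grant is a one-line change that is easy to lose among a tenant's other role assignments, yet it lets one mailbox read every other mailbox through EWS. The PowerShell below is an added example, not code from the ATT&CK entry or the advisory it cites. It lists every current holder of the role and then searches the admin audit log for the cmdlet that grants it (New-ManagementRoleAssignment). It assumes an Exchange Management Shell session (on-premises) or a Connect-ExchangeOnline session; the allow-list of sanctioned assignees is a placeholder to fill from your own change records.

```powershell
# Added example: audit Exchange ApplicationImpersonation assignments (T1098.002).
# Assumes an existing Exchange Management Shell or Connect-ExchangeOnline session.
# $ExpectedAssignees is an assumed allow-list; populate it from change records.

$ExpectedAssignees = @('svc-ews-impersonation')   # assumption: sanctioned service account(s)

function Get-UnexpectedImpersonationHolders {
    # -GetEffectiveUsers expands role groups, so nested membership is visible too.
    Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -notin $ExpectedAssignees } |
        Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, Name
}

function Get-RecentImpersonationGrants {
    param([int] $Days = 90)
    # The grant is itself a cmdlet call, so it is recorded in the admin audit log.
    # Exchange Online tenants now expose the same record through
    # Search-UnifiedAuditLog (RecordType ExchangeAdmin, Operation New-ManagementRoleAssignment).
    Search-AdminAuditLog -Cmdlets 'New-ManagementRoleAssignment' -StartDate (Get-Date).AddDays(-$Days) |
        Where-Object {
            ($_.CmdletParameters | Where-Object { $_.Name -eq 'Role' }).Value -match 'ApplicationImpersonation'
        } |
        Select-Object RunDate, Caller, ObjectModified,
            @{ n = 'Parameters'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } }
}

$holders = Get-UnexpectedImpersonationHolders
if ($holders) {
    Write-Warning 'Unexpected ApplicationImpersonation holders found:'
    $holders | Format-Table -AutoSize
}
Get-RecentImpersonationGrants | Format-Table -AutoSize
```

Run it on a schedule and diff the holder list against the previous run; a new EffectiveUserName that is not a known service account is the signal. Microsoft has been retiring the ApplicationImpersonation role in Exchange Online in favour of application-level RBAC, so on a current cloud tenant the first function may legitimately return nothing.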

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.(Citation: FireEye APT28)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Google TAG Ukraine Threat Landscape March 2022)

.003 Acquire Infrastructure: Virtual Private Server

APT28 hosted phishing domains on free services for brief periods of time during campaigns.(Citation: Leonard TAG 2023)

.006 Acquire Infrastructure: Web Services

APT28 has used newly-created Blogspot pages for credential harvesting operations.(Citation: Google TAG Ukraine Threat Landscape March 2022)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

APT28 has performed large-scale scans in an attempt to find vulnerable servers.(Citation: TrendMicro Pawn Storm 2019)

Enterprise T1557 .004 Adversary-in-the-Middle: Evil Twin

APT28 has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.(Citation: US District Court Indictment GRU Oct 2018)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

.003 Application Layer Protocol: Mail Protocols

APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT28 has deployed malware that has copied itself to the startup directory for persistence.(Citation: TrendMicro Pawn Storm Dec 2020)

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.(Citation: Unit 42 Playbook Dec 2017)

Enterprise T1110 .001 Brute Force: Password Guessing

APT28 has used brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020) APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

.003 Brute Force: Password Spraying

APT28 has used brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: Microsoft Targeting Elections September 2020) APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
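The two modes differ only in rate and breadth, which is exactly what a detection should key on: brute force is many attempts against one account per hour, spraying is a few attempts against many accounts. The PowerShell below is an added example, not code from Microsoft's report or the ATT&CK entry. It buckets failed sign-ins by source, account and UTC hour, then labels a source as brute force when any single account is hit 300 or more times in an hour (the figure from the text) and as password spray when many accounts each see only a few attempts. The spray thresholds (20 distinct accounts, at most 10 attempts per account-hour) are assumptions to tune. The input records are constructed inline; in practice they would be parsed from Entra ID sign-in logs or Security Event ID 4625/4771 exports.

```powershell
# Added example: classify failed-logon sources as brute force vs. password spray.
# 300/hour/account is the brute-force rate from the Microsoft report; the spray
# thresholds are assumptions for this example.

function Get-AuthAbusePattern {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogons,  # objects with Time (datetime), User, SourceIp
        [int] $BruteForcePerHour = 300,
        [int] $SprayMinAccounts  = 20,
        [int] $SprayMaxPerHour   = 10
    )
    $FailedLogons | Group-Object -Property SourceIp | ForEach-Object {
        # Bucket attempts by (account, UTC hour) and take the busiest bucket.
        $buckets  = $_.Group | Group-Object -Property { $_.User + '|' + $_.Time.ToUniversalTime().ToString('yyyy-MM-ddTHH') }
        $peak     = ($buckets | Measure-Object -Property Count -Maximum).Maximum
        $accounts = @($_.Group | Select-Object -ExpandProperty User -Unique).Count

        $verdict = if ($peak -ge $BruteForcePerHour) { 'BruteForce' }
                   elseif ($accounts -ge $SprayMinAccounts -and $peak -le $SprayMaxPerHour) { 'PasswordSpray' }
                   else { 'Unclassified' }

        [pscustomobject]@{
            SourceIp           = $_.Name
            Attempts           = $_.Count
            DistinctAccounts   = $accounts
            PeakPerAccountHour = $peak
            Verdict            = $verdict
        }
    }
}

# --- Constructed sample input (not real telemetry) ---
$t0     = [datetime]::new(2021, 7, 1, 10, 0, 0, [DateTimeKind]::Utc)
$sample = [System.Collections.Generic.List[object]]::new()

# Brute-force mode: one source hammers one account, 320 failures in about 48 minutes.
foreach ($i in 1..320) {
    $sample.Add([pscustomobject]@{ Time = $t0.AddSeconds(9 * $i); User = 'j.doe'; SourceIp = '203.0.113.10' })
}
# Spray mode: one source tries 40 accounts, 3 times each, roughly 8 hours apart.
foreach ($n in 1..40) {
    foreach ($round in 0..2) {
        $sample.Add([pscustomobject]@{ Time = $t0.AddHours(8 * $round).AddMinutes($n); User = "user$n"; SourceIp = '198.51.100.7' })
    }
}
# Benign noise: one user mistypes a password twice.
foreach ($i in 1..2) {
    $sample.Add([pscustomobject]@{ Time = $t0.AddMinutes($i); User = 'alice'; SourceIp = '192.0.2.5' })
}

Get-AuthAbusePattern -FailedLogons $sample.ToArray() | Format-Table -AutoSize
```

On the constructed input the first source is labelled BruteForce, the second PasswordSpray and the third Unclassified. Keying on the source alone is the weak point: the advisory's Kubernetes-driven campaign spread attempts across many egress addresses, so in production the same grouping should also be run per target account and per autonomous system, and the spray branch should additionally fire when the same password-attempt timing recurs across unrelated sources.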

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT28 downloads and executes PowerShell scripts and performs PowerShell commands.(Citation: Palo Alto Sofacy 06-2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

.003 Command and Scripting Interpreter: Windows Command Shell

An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.(Citation: Unit 42 Playbook Dec 2017) The group has also used macros to execute payloads.(Citation: Talos Seduploader Oct 2017)(Citation: Unit42 Cannon Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)

Enterprise T1586 .002 Compromise Accounts: Email Accounts

APT28 has used compromised email accounts to send credential phishing emails.(Citation: Google TAG Ukraine Threat Landscape March 2022)

Enterprise T1584 .008 Compromise Infrastructure: Network Devices

APT28 compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages.(Citation: Leonard TAG 2023)

Enterprise T1001 .001 Data Obfuscation: Junk Data

APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.(Citation: FireEye APT28)

Enterprise T1074 .001 Data Staged: Local Data Staging

APT28 has stored captured credential information in a file named pi.log.(Citation: Microsoft SIR Vol 19)

.002 Data Staged: Remote Data Staging

APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

APT28 has collected information from Microsoft SharePoint services within target networks.(Citation: RSAC 2015 Abu Dhabi Stefano Maccaglia)

Enterprise T1114 .002 Email Collection: Remote Email Collection

APT28 has collected emails from victim Microsoft Exchange servers.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.(Citation: ESET Zebrocy May 2019)

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.(Citation: ESET Sednit Part 1)(Citation: ESET Zebrocy May 2019)

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

APT28 has harvested user's login credentials.(Citation: Microsoft Targeting Elections September 2020)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

APT28 has saved files with hidden file attributes.(Citation: Talos Seduploader Oct 2017)

.003 Hide Artifacts: Hidden Window

APT28 has used the WindowStyle parameter to conceal PowerShell windows.(Citation: Palo Alto Sofacy 06-2018)(Citation: McAfee APT28 DDE1 Nov 2017)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security.(Citation: Crowdstrike DNC June 2016)(Citation: DOJ GRU Indictment Jul 2018)
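Clearing a log with wevtutil removes the events but not the record that the log was cleared: at that moment Windows writes Security Event ID 1102 ("The audit log was cleared") and, for other channels, System Event ID 104 ("The ... log file was cleared"), both carrying the account that did it. The PowerShell below is an added example, not code from the page or the cited reports. It pulls those two events and, where command-line auditing is enabled, the 4688 process-creation events that show the wevtutil invocation itself.

```powershell
# Added example: find evidence of 'wevtutil cl Security' / 'wevtutil cl System'.
# Needs an elevated session to read the Security log. Event 4688 carries the
# command line only if "Include command line in process creation events" is on.

function Get-EventLogClearing {
    param([datetime] $Since = (Get-Date).AddDays(-30))

    $events = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue
    )
    foreach ($e in $events) {
        # Both events carry the actor under <UserData><LogFileCleared>; 104 also names the channel.
        $x = [xml] $e.ToXml()
        $u = $x.Event.UserData.LogFileCleared
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Log         = $e.LogName
            Channel     = if ($e.Id -eq 104) { $u.Channel } else { 'Security' }
            Actor       = "$($u.SubjectDomainName)\$($u.SubjectUserName)"
        }
    }
}

function Get-WevtutilClearCommands {
    param([datetime] $Since = (Get-Date).AddDays(-30))
    # 4688 messages (English locale) contain a "Process Command Line:" line.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?im)^\s*Process Command Line:\s*.*\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b' } |
        ForEach-Object {
            $line = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Command Line' }) -replace '^\s*Process Command Line:\s*', ''
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; CommandLine = $line }
        }
}

Get-EventLogClearing      | Format-Table -AutoSize
Get-WevtutilClearCommands | Format-Table -AutoSize
```

Because 1102 is written into the freshly emptied Security log, it is normally the oldest surviving event there; its timestamp marks the start of the gap, and the 4688 or Sysmon record of the wevtutil process (if forwarded off-host before the clear) supplies the operator's exact command. Forward both channels to a collector so the evidence survives a second clear.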

.004 Indicator Removal: File Deletion

APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.(Citation: DOJ GRU Indictment Jul 2018)

.006 Indicator Removal: Timestomp

APT28 has performed timestomping on victim files.(Citation: Crowdstrike DNC June 2016)

Enterprise T1056 .001 Input Capture: Keylogging

APT28 has used tools to perform keylogging.(Citation: Microsoft SIR Vol 19)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm Dec 2020)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.(Citation: McAfee APT28 DDE1 Nov 2017)(Citation: McAfee APT28 DDE2 Nov 2017)(Citation: Palo Alto Sofacy 06-2018)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018) They have also dumped the LSASS process memory using the MiniDump function.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

.003 OS Credential Dumping: NTDS

APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.(Citation: Palo Alto Sofacy 06-2018)(Citation: Securelist Sofacy Feb 2018)(Citation: FireEye APT28 Hospitality Aug 2017)

Enterprise T1137 .002 Office Application Startup: Office Test

APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.(Citation: Palo Alto Office Test Sofacy)
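Four of the persistence mechanisms on this page (the startup-folder copy, the UserInitMprLogonScript value, the MMDeviceEnumerator COM hijack, and the Office Test Perf key) all live in the current user's registry hive or profile, so one unprivileged script can sweep them together. The PowerShell below is an added example, not code from the page or the cited reports. The MMDeviceEnumerator CLSID {BCDE0395-E52F-467C-8E3D-C4579291692E} is an assumption supplied here (the page names only the object); its legitimate InprocServer32 registration lives under HKLM, so a per-user copy should not normally exist at all, and mere presence of that key is the finding.

```powershell
# Added example: sweep the current user's hive and profile for the APT28
# persistence locations listed on this page. Run as the user being examined;
# for other users load their NTUSER.DAT under HKU: and replace the HKCU: prefix.
# The MMDeviceEnumerator CLSID below is assumed, not taken from the page.

$Checks = @(
    [pscustomobject]@{ Technique = 'T1037.001 logon script'
                       Path      = 'HKCU:\Environment'
                       Value     = 'UserInitMprLogonScript' }
    [pscustomobject]@{ Technique = 'T1137.002 Office Test'
                       Path      = 'HKCU:\Software\Microsoft\Office test\Special\Perf'
                       Value     = '(default)' }
    [pscustomobject]@{ Technique = 'T1546.015 COM hijack (MMDeviceEnumerator)'
                       Path      = 'HKCU:\Software\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32'
                       Value     = '(default)' }
)

function Get-FileVerdict {
    # Take the executable/DLL path out of the stored data and report its signer.
    param([string] $Data)
    if ([string]::IsNullOrWhiteSpace($Data)) { return 'no data' }
    $first = if ($Data -match '^"([^"]+)"') { $Matches[1] } else { ($Data -split '\s+')[0] }
    $path  = [Environment]::ExpandEnvironmentVariables($first)
    if (-not (Test-Path -LiteralPath $path)) { return "missing: $path" }
    $sig = Get-AuthenticodeSignature -FilePath $path
    "$($sig.Status) ($($sig.SignerCertificate.Subject)) $path"
}

function Get-Apt28UserPersistence {
    foreach ($c in $Checks) {
        if (-not (Test-Path -LiteralPath $c.Path)) { continue }   # absent is the normal state
        $item = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
        $data = if ($item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Technique = $c.Technique
            Location  = "$($c.Path) -> $($c.Value)"
            Data      = $data
            Verdict   = Get-FileVerdict -Data ([string]$data)
        }
    }
    # T1547.001: anything dropped into the per-user Startup folder.
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -LiteralPath $startup -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            [pscustomobject]@{
                Technique = 'T1547.001 startup folder'
                Location  = $_.FullName
                Data      = $_.LastWriteTimeUtc
                Verdict   = Get-FileVerdict -Data $_.FullName
            }
        }
}

Get-Apt28UserPersistence | Format-List
```

A clean machine produces no output at all for the three registry checks, which keeps the sweep cheap to run fleet-wide. Any hit whose Verdict is NotSigned, or whose path points into a user-writable directory, is worth pulling for analysis; a Valid signature from Microsoft on the COM entry is still suspicious, because the per-user key should not be there in the first place.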

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

.002 Phishing: Spearphishing Link

APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

APT28 has conducted credential phishing campaigns with links that redirect to credential harvesting sites.(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.(Citation: ESET Sednit Part 3)

Enterprise T1090 .002 Proxy: External Proxy

APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.(Citation: FireEye APT28)(Citation: Bitdefender APT28 Dec 2015)(Citation: DOJ GRU Indictment Jul 2018)

.003 Proxy: Multi-hop Proxy

APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.(Citation: TrendMicro Pawn Storm Dec 2020)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

APT28 has mapped network drives using Net and administrator credentials.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1505 .003 Server Software Component: Web Shell

APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.(Citation: Crowdstrike DNC June 2016)(Citation: Bitdefender APT28 Dec 2015)(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit 42 Playbook Dec 2017)(Citation: ESET Zebrocy May 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1550 .001 Use Alternate Authentication Material: Application Access Token

APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.(Citation: Trend Micro Pawn Storm OAuth 2017)

.002 Use Alternate Authentication Material: Pass the Hash

APT28 has used pass the hash for lateral movement.(Citation: Microsoft SIR Vol 19)

Enterprise T1204 .001 User Execution: Malicious Link

APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

.002 User Execution: Malicious File

APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT28 has used Google Drive for C2.(Citation: TrendMicro Pawn Storm Dec 2020)

Software

ID Name References Techniques
S0039 Net (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0134 Downdelph (Citation: ESET Sednit Part 3) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) Bypass User Account Control, Symmetric Cryptography, DLL, Ingress Tool Transfer, Junk Data
S0160 certutil (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) (Citation: TechNet Certutil) (Citation: Unit 42 Sofacy Feb 2018) Archive via Utility, Deobfuscate/Decode Files or Information, Install Root Certificate, Ingress Tool Transfer
S1187 reGeorg (Citation: Fortinet reGeorg MAR 2019) (Citation: GitHub reGeorg 2016) (Citation: Security Affairs ANSSI APT28 OCT 2023) SSH, SMB/Windows Admin Shares, Protocol Tunneling, Web Shell, Proxy, Non-Application Layer Protocol, Python, Web Protocols, Ingress Tool Transfer, Remote Desktop Protocol
S0138 OLDBAIT (Citation: FireEye APT28 January 2017) (Citation: FireEye APT28) Match Legitimate Resource Name or Location, Credentials from Password Stores, Mail Protocols, Credentials from Web Browsers, Obfuscated Files or Information, Web Protocols
S0410 Fysbis (Citation: Fysbis Palo Alto Analysis) Standard Encoding, Keylogging, Encrypted/Encoded File, Match Legitimate Resource Name or Location, System Information Discovery, File and Directory Discovery, Masquerade Task or Service, Process Discovery, Unix Shell, File Deletion, Systemd Service, XDG Autostart Entries, Commonly Used Port
S0161 XAgentOSX (Citation: OSX.Sofacy) (Citation: Symantec APT28 Oct 2018) (Citation: US District Court Indictment GRU Oct 2018) (Citation: XAgentOSX 2017) Screen Capture, System Owner/User Discovery, Keylogging, System Information Discovery, Native API, Credentials from Web Browsers, File and Directory Discovery, Process Discovery, File Transfer Protocols, File Deletion
S0137 CORESHELL (Citation: FireEye APT28 January 2017) (Citation: FireEye APT28) (Citation: SOURFACE) (Citation: Securelist Sofacy Feb 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Sofacy) Rundll32, Standard Encoding, Symmetric Cryptography, System Information Discovery, Mail Protocols, Junk Code Insertion, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Web Protocols, Ingress Tool Transfer
S0117 XTunnel (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 2) (Citation: ESET Sednit Part 3) (Citation: Invincea XTunnel) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Symantec APT28 Oct 2018) (Citation: Trojan.Shunnael) (Citation: US District Court Indictment GRU Oct 2018) (Citation: X-Tunnel) (Citation: XAPS) Junk Code Insertion, Proxy, Credentials In Files, Obfuscated Files or Information, Asymmetric Cryptography, Windows Command Shell, Network Service Discovery, Fallback Channels
S0044 JHUHUGIT (Citation: ESET Sednit Part 1) (Citation: F-Secure Sofacy 2015) (Citation: FireEye APT28 January 2017) (Citation: GAMEFISH) (Citation: JKEYSKW) (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Sednit) (Citation: Seduploader) (Citation: SofacyCarberp) (Citation: Symantec APT28 Oct 2018) (Citation: Talos Seduploader Oct 2017) (Citation: Trojan.Sofacy) (Citation: US District Court Indictment GRU Oct 2018) (Citation: Unit 42 Sofacy Feb 2018) Scheduled Task, Screen Capture, Rundll32, Standard Encoding, Encrypted/Encoded File, Windows Service, Clipboard Data, System Information Discovery, Process Injection, System Network Configuration Discovery, Process Discovery, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, Component Object Model Hijacking, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer, Logon Script (Windows), Fallback Channels
S0243 DealersChoice (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Sofacy DealersChoice) Exploitation for Client Execution, Windows Command Shell, Web Protocols
S0193 Forfiles (Citation: Microsoft Forfiles Aug 2016) (Citation: Überwachung APT28 Forfiles June 2015) Indirect Command Execution, Data from Local System, File and Directory Discovery
S0191 Winexe (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Winexe Github Sept 2013) (Citation: Überwachung APT28 Forfiles June 2015) Service Execution
S0502 Drovorub (Citation: NSA/FBI Drovorub August 2020) Rootkit, Data from Local System, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Kernel Modules and Extensions, Unix Shell, Obfuscated Files or Information, Non-Application Layer Protocol, File Deletion, Web Protocols, Ingress Tool Transfer, Internal Proxy
S0174 Responder (Citation: FireEye APT28 Hospitality Aug 2017) (Citation: GitHub Responder) (Citation: US District Court Indictment GRU Oct 2018) Network Sniffing, LLMNR/NBT-NS Poisoning and SMB Relay
S0251 Zebrocy (Citation: Accenture SNAKEMACKEREL Nov 2018) (Citation: CISA Zebrocy Oct 2020) (Citation: CyberScoop APT28 Nov 2018) (Citation: ESET Zebrocy May 2019) (Citation: Palo Alto Sofacy 06-2018) (Citation: Securelist Sofacy Feb 2018) (Citation: Unit42 Cannon Nov 2018) (Citation: Unit42 Sofacy Dec 2018) (Citation: Zekapab) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Standard Encoding, Local Data Staging, Automated Collection, Network Share Discovery, Peripheral Device Discovery, System Information Discovery, Deobfuscate/Decode Files or Information, Archive Collected Data, Mail Protocols, Credentials from Web Browsers, System Network Configuration Discovery, File and Directory Discovery, System Network Connections Discovery, Process Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Asymmetric Cryptography, Query Registry, Uncommonly Used Port, Windows Command Shell, File Deletion, Software Packing, Web Protocols, Ingress Tool Transfer, Logon Script (Windows), System Time Discovery, Credential API Hooking, Custom Command and Control Protocol
S0136 USBStealer (Citation: ESET Sednit Part 3) (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy) Encrypted/Encoded File, Data from Removable Media, Local Data Staging, Match Legitimate Resource Name or Location, Automated Collection, Peripheral Device Discovery, Replication Through Removable Media, Timestomp, Communication Through Removable Media, Automated Exfiltration, File and Directory Discovery, Registry Run Keys / Startup Folder, Exfiltration over USB, File Deletion
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Kaspersky Sofacy) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0397 LoJax (Citation: ESET LoJax Sept 2018) Rootkit, System Firmware, Modify Registry, System Firmware, Registry Run Keys / Startup Folder, NTFS File Attributes
S0250 Koadic (Citation: Github Koadic) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Palo Alto Sofacy 06-2018) Scheduled Task, Windows Management Instrumentation, System Owner/User Discovery, Rundll32, Bypass User Account Control, Security Account Manager, Clipboard Data, Network Share Discovery, System Information Discovery, Data from Local System, System Network Configuration Discovery, File and Directory Discovery, Mshta, PowerShell, Registry Run Keys / Startup Folder, Regsvr32, Asymmetric Cryptography, Hidden Window, Windows Command Shell, Web Protocols, Visual Basic, Network Service Discovery, Ingress Tool Transfer, Remote Desktop Protocol, NTDS, Service Execution, Dynamic-link Library Injection
S0023 CHOPSTICK (Citation: Backdoor.SofacyX) (Citation: DOJ GRU Indictment Jul 2018) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: FireEye APT28) (Citation: Kaspersky Sofacy) (Citation: SPLM) (Citation: Securelist Sofacy Feb 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Symantec APT28 Oct 2018) (Citation: X-Agent) (Citation: Xagent) (Citation: webhp) Screen Capture, Fileless Storage, Keylogging, Domain Generation Algorithms, Symmetric Cryptography, Replication Through Removable Media, Mail Protocols, Modify Registry, Communication Through Removable Media, Command and Scripting Interpreter, File and Directory Discovery, Virtualization/Sandbox Evasion, Asymmetric Cryptography, Query Registry, Security Software Discovery, Web Protocols, Ingress Tool Transfer, Fallback Channels, Internal Proxy
S0351 Cannon (Citation: Unit42 Cannon Nov 2018) (Citation: Unit42 Sofacy Dec 2018) Screen Capture, System Owner/User Discovery, System Information Discovery, Mail Protocols, Winlogon Helper DLL, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Uncommonly Used Port, Ingress Tool Transfer, System Time Discovery
S1205 cipher.exe (Citation: Nearest Neighbor Volexity) (Citation: cipher.exe) Disk Content Wipe
S0135 HIDEDRV (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016) Rootkit, Dynamic-link Library Injection
S0183 Tor (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) (Citation: Dingledine Tor The Second-Generation Onion Router) Multi-hop Proxy, Asymmetric Cryptography
S0162 Komplex (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Sofacy Komplex Trojan) (Citation: XAgentOSX 2017) System Owner/User Discovery, Symmetric Cryptography, Process Discovery, Launch Agent, File Deletion, Web Protocols, Hidden Files and Directories
S0645 Wevtutil (Citation: Crowdstrike DNC June 2016) (Citation: Wevtutil Microsoft Documentation) Data from Local System, Disable Windows Event Logging, Clear Windows Event Logs
S0045 ADVSTORESHELL (Citation: ESET Sednit Part 2) (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) Rundll32, Standard Encoding, Keylogging, Archive via Custom Method, Local Data Staging, Symmetric Cryptography, Peripheral Device Discovery, System Information Discovery, Native API, Scheduled Transfer, Archive Collected Data, Modify Registry, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Component Object Model Hijacking, Asymmetric Cryptography, Query Registry, Windows Command Shell, File Deletion, Web Protocols, Commonly Used Port

References

  1. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  2. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  3. Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
  4. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  5. Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.
  6. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  7. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  8. OpenAI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. Retrieved September 12, 2024.
  9. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  10. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  11. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
  12. Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
  13. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
  14. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  15. FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
  16. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  17. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  18. Smith, L., Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved November 17, 2024.
  19. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.
  20. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  21. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  22. Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.
  23. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  24. MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
  25. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  26. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  27. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  28. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  29. Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017.
  30. Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.
  31. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
  32. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
  33. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  34. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  35. U.S. Department of Justice. (2018, October 4). U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations. Retrieved February 25, 2025.
  36. SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
  37. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  38. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
  39. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  40. Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  41. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  42. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  43. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  44. Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.
  45. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
  46. Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
  47. Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.
  48. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  49. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  50. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  51. Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020.
  52. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  53. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.