
APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
ID: G0007
Associated Groups: SNAKEMACKEREL, Fancy Bear, Tsar Team, STRONTIUM, FROZENLAKE, Forest Blizzard, IRON TWILIGHT, Threat Group-4127, TG-4127, Pawn Storm, Swallowtail, Group 74, Sednit, Sofacy
Version: 5.1
Created: 31 May 2017
Last Modified: 10 Oct 2024

Associated Group Descriptions

Name Description
SNAKEMACKEREL (Citation: Accenture SNAKEMACKEREL Nov 2018)
Fancy Bear (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
Tsar Team (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)
STRONTIUM (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
FROZENLAKE (Citation: Leonard TAG 2023)
Forest Blizzard (Citation: Microsoft Threat Actor Naming July 2023)
IRON TWILIGHT (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)
Threat Group-4127 (Citation: SecureWorks TG-4127)
TG-4127 (Citation: SecureWorks TG-4127)
Pawn Storm (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020)
Swallowtail (Citation: Symantec APT28 Oct 2018)
Group 74 (Citation: Talos Seduploader Oct 2017)
Sednit This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)
Sofacy This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.(Citation: FireEye Op RussianDoll)

Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

APT28 has used a PowerShell cmdlet to grant the ApplicationImpersonation role to a compromised account.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.(Citation: FireEye APT28)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Google TAG Ukraine Threat Landscape March 2022)

.003 Acquire Infrastructure: Virtual Private Server

APT28 hosted phishing domains on free services for brief periods of time during campaigns.(Citation: Leonard TAG 2023)

.006 Acquire Infrastructure: Web Services

APT28 has used newly-created Blogspot pages for credential harvesting operations.(Citation: Google TAG Ukraine Threat Landscape March 2022)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

APT28 has performed large-scale scans in an attempt to find vulnerable servers.(Citation: TrendMicro Pawn Storm 2019)

Enterprise T1557 .004 Adversary-in-the-Middle: Evil Twin

APT28 has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.(Citation: US District Court Indictment GRU Oct 2018)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

.003 Application Layer Protocol: Mail Protocols

APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT28 has deployed malware that has copied itself to the startup directory for persistence.(Citation: TrendMicro Pawn Storm Dec 2020)

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.(Citation: Unit 42 Playbook Dec 2017)

Enterprise T1110 .001 Brute Force: Password Guessing

APT28 has used brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020) APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

.003 Brute Force: Password Spraying

APT28 has used brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: Microsoft Targeting Elections September 2020) APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
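The two rates quoted for the brute-force and password-spray modes (over 300 attempts per hour against one account versus roughly four per hour across many accounts) translate directly into a detection rule. The script below is an added example written for this page, not code from ATT&CK or from any vendor's product: it runs that rule over constructed failed-logon events. The log line format, the spray thresholds and the RFC 5737 documentation addresses are assumptions; only the 300-per-hour figure comes from the text.

```python
"""Separate brute-force from password-spray activity in failed-logon telemetry.

Added example, not code from the ATT&CK page or from any vendor's tooling. It turns the
two rates the page attributes to APT28's tooling into detection thresholds and runs them
over constructed sample events; the thresholds, log format and addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Page: brute-force mode sent "over 300 authentication attempts per hour per targeted account".
BRUTE_FORCE_PER_HOUR = 300
# Page: spray mode sent "approximately four ... per hour per targeted account". The two
# spray thresholds below are assumptions: many accounts from one source, few tries each.
SPRAY_MIN_ACCOUNTS = 20
SPRAY_MAX_PER_ACCOUNT = 10


def parse_event(line):
    """Parse one constructed log line: '<ISO timestamp> <source_ip> <account> <FAIL|OK>'."""
    ts, src, account, result = line.split()
    return datetime.fromisoformat(ts), src, account, result


def classify(lines):
    """Return sorted (source_ip, hour, label) findings, one per source and hour bucket."""
    # (source, hour) -> account -> failed attempts
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, account, result = parse_event(line)
        if result != "FAIL":
            continue
        buckets[(src, ts.strftime("%Y-%m-%dT%H"))][account] += 1

    findings = []
    for (src, hour), accounts in buckets.items():
        peak = max(accounts.values())
        if peak > BRUTE_FORCE_PER_HOUR:
            findings.append((src, hour, "brute_force"))
        elif len(accounts) >= SPRAY_MIN_ACCOUNTS and peak <= SPRAY_MAX_PER_ACCOUNT:
            findings.append((src, hour, "password_spray"))
    return sorted(findings)


def build_sample_events():
    """Constructed telemetry (RFC 5737 documentation addresses, invented accounts)."""
    lines = []
    # One source hammering a single account: 350 failures inside the 09:00 hour.
    for i in range(350):
        lines.append(f"2024-01-15T09:{i // 6:02d}:{(i % 6) * 10:02d} 198.51.100.7 svc-backup FAIL")
    # One source trying 25 accounts three times each inside the 10:00 hour.
    for a in range(25):
        for k in range(3):
            lines.append(f"2024-01-15T10:{a * 2:02d}:{k * 15:02d} 203.0.113.9 user{a:02d} FAIL")
    # A user mistyping a password twice, then succeeding: should not be flagged.
    lines += [
        "2024-01-15T11:05:00 192.0.2.44 alice FAIL",
        "2024-01-15T11:05:20 192.0.2.44 alice FAIL",
        "2024-01-15T11:05:41 192.0.2.44 alice OK",
    ]
    return lines


if __name__ == "__main__":
    for src, hour, label in classify(build_sample_events()):
        print(f"{hour} {src}: {label}")
```

Grouping by source address is what makes the spray visible here, and it is exactly what the Kubernetes-distributed variant described above defeats: when each attempt arrives from a different node, no single source crosses SPRAY_MIN_ACCOUNTS. A second pass that buckets by target domain and hour regardless of source, and compares the count of distinct accounts with a small number of failures against that tenant's normal baseline, catches that case at the cost of more tuning.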

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT28 downloads and executes PowerShell scripts and performs PowerShell commands.(Citation: Palo Alto Sofacy 06-2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

.003 Command and Scripting Interpreter: Windows Command Shell

An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.(Citation: Unit 42 Playbook Dec 2017) The group has also used macros to execute payloads.(Citation: Talos Seduploader Oct 2017)(Citation: Unit42 Cannon Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)

Enterprise T1586 .002 Compromise Accounts: Email Accounts

APT28 has used compromised email accounts to send credential phishing emails.(Citation: Google TAG Ukraine Threat Landscape March 2022)

Enterprise T1584 .008 Compromise Infrastructure: Network Devices

APT28 compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages.(Citation: Leonard TAG 2023)

Enterprise T1001 .001 Data Obfuscation: Junk Data

APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.(Citation: FireEye APT28)

Enterprise T1074 .001 Data Staged: Local Data Staging

APT28 has stored captured credential information in a file named pi.log.(Citation: Microsoft SIR Vol 19)

.002 Data Staged: Remote Data Staging

APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

APT28 has collected information from Microsoft SharePoint services within target networks.(Citation: RSAC 2015 Abu Dhabi Stefano Maccaglia)

Enterprise T1114 .002 Email Collection: Remote Email Collection

APT28 has collected emails from victim Microsoft Exchange servers.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.(Citation: ESET Zebrocy May 2019)

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.(Citation: ESET Sednit Part 1)(Citation: ESET Zebrocy May 2019)

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

APT28 has harvested users' login credentials.(Citation: Microsoft Targeting Elections September 2020)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

APT28 has saved files with hidden file attributes.(Citation: Talos Seduploader Oct 2017)

.003 Hide Artifacts: Hidden Window

APT28 has used the WindowStyle parameter to conceal PowerShell windows.(Citation: Palo Alto Sofacy 06-2018)(Citation: McAfee APT28 DDE1 Nov 2017)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security.(Citation: Crowdstrike DNC June 2016)(Citation: DOJ GRU Indictment Jul 2018)
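The wevtutil commands quoted above leave two kinds of evidence: the process-creation record of wevtutil itself, and the audit record the Event Log service writes when a log is cleared (1102 for Security, 104 for other logs), which also reaches any forwarding collector. The script below is an added example, not from the ATT&CK page or from Microsoft, that checks both over constructed JSON-lines telemetry; the field names other than EventID and CommandLine are assumptions about how the records were exported.

```python
"""Flag Windows event-log clearing from process and audit telemetry.

Added example, not code from the ATT&CK page or from Microsoft. It assumes telemetry
exported as JSON lines with the field names used below (process creation from Sysmon
Event ID 1 or Security 4688 carrying "CommandLine"; Security 1102 "audit log was cleared";
System 104 "log file was cleared"). Field names beyond EventID and CommandLine are
assumptions, and every record is constructed.
"""
import json

# wevtutil accepts the short and long form of the clear verb; the page shows the short one.
CLEAR_VERBS = {"cl", "clear-log"}


def clear_log_target(command_line):
    """Return the log a command line clears via wevtutil, or None if it is not a clear."""
    tokens = [t.strip('"\'') for t in command_line.split()]
    for i, tok in enumerate(tokens):
        # Compare on the image basename so full paths and bare names match alike.
        name = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in ("wevtutil", "wevtutil.exe") and i + 1 < len(tokens):
            if tokens[i + 1].lower() in CLEAR_VERBS:
                return tokens[i + 2] if i + 2 < len(tokens) else "<unspecified>"
    return None


def find_log_clearing(records):
    """Return (evidence, user, log) tuples, one per clearing indicator found."""
    findings = []
    for rec in records:
        eid = rec.get("EventID")
        if eid in (1, 4688):
            target = clear_log_target(rec.get("CommandLine", ""))
            if target:
                findings.append(("process", rec.get("User"), target))
        elif eid == 1102:
            # Written by the Event Log service itself; survives as the first entry of the cleared log.
            findings.append(("audit", rec.get("SubjectUserName"), "Security"))
        elif eid == 104:
            findings.append(("audit", rec.get("SubjectUserName"), rec.get("Channel")))
    return findings


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed records: two clears, one benign query, and the two audit records the clears produce.
SAMPLE_EVENTS = r'''
{"EventID": 1, "User": "CORP\\svc-admin", "CommandLine": "wevtutil cl System"}
{"EventID": 4688, "User": "CORP\\svc-admin", "CommandLine": "\"C:\\Windows\\System32\\wevtutil.exe\" clear-log Security"}
{"EventID": 1, "User": "CORP\\alice", "CommandLine": "wevtutil qe Security /c:5 /f:text"}
{"EventID": 104, "SubjectUserName": "svc-admin", "Channel": "System"}
{"EventID": 1102, "SubjectUserName": "svc-admin"}
'''

if __name__ == "__main__":
    for evidence, user, log in find_log_clearing(load_events(SAMPLE_EVENTS)):
        print(f"{evidence:7s} {user}: cleared {log}")
```

Matching on the verb rather than on the string "wevtutil cl" is deliberate: the long form and a quoted full path both slip past a naive substring check, while a read-only query such as `wevtutil qe` must not alert. The audit records are the more robust signal, because they are produced by the service regardless of which tool issued the clear.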

.004 Indicator Removal: File Deletion

APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.(Citation: DOJ GRU Indictment Jul 2018)

.006 Indicator Removal: Timestomp

APT28 has performed timestomping on victim files.(Citation: Crowdstrike DNC June 2016)

Enterprise T1056 .001 Input Capture: Keylogging

APT28 has used tools to perform keylogging.(Citation: Microsoft SIR Vol 19)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm Dec 2020)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.(Citation: McAfee APT28 DDE1 Nov 2017)(Citation: McAfee APT28 DDE2 Nov 2017)(Citation: Palo Alto Sofacy 06-2018)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018) They have also dumped the LSASS process memory using the MiniDump function.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

.003 OS Credential Dumping: NTDS

APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.(Citation: Palo Alto Sofacy 06-2018)(Citation: Securelist Sofacy Feb 2018)(Citation: FireEye APT28 Hospitality Aug 2017)

Enterprise T1137 .002 Office Application Startup: Office Test

APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.(Citation: Palo Alto Office Test Sofacy)
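Both persistence locations named on this page, the UserInitMprLogonScript value under HKCU\Environment (T1037.001 above) and the Office test\Special\Perf key (T1137.002 here), are single registry values that a defender can watch for exact-path writes. The script below is an added example covering both entries, not code from the ATT&CK page, from Sysmon or from any vendor; it assumes Sysmon RegistryEvent records (Event ID 13, value set) exported as JSON lines with the fields shown, and all records are constructed.

```python
"""Flag registry writes to the two persistence locations this page attributes to APT28.

Added example, not code from the ATT&CK page, Sysmon or any vendor. It assumes Sysmon
RegistryEvent records (Event ID 13, value set) exported as JSON lines with the fields used
below; the records are constructed. Sysmon reports HKCU paths under HKU followed by the
user's SID, so the matcher strips the hive and SID before comparing.
"""
import json

# Watched value paths, relative to the user hive, with the technique each one indicates.
WATCHED_VALUES = {
    r"Environment\UserInitMprLogonScript": "T1037.001 Logon Script (Windows)",
    r"Software\Microsoft\Office test\Special\Perf": "T1137.002 Office Test",
}


def strip_user_hive(target_object):
    r"""Drop 'HKCU\', 'HKEY_CURRENT_USER\' or 'HKU\<SID>\' so paths compare across users."""
    t = target_object.replace("/", "\\")
    lower = t.lower()
    for prefix in ("hkcu\\", "hkey_current_user\\"):
        if lower.startswith(prefix):
            return t[len(prefix):]
    if lower.startswith("hku\\"):
        parts = t.split("\\", 2)          # ['HKU', '<SID>', '<rest>']
        return parts[2] if len(parts) == 3 else t
    return t


def check_registry_events(records):
    """Return one finding per Event ID 13 record whose target is a watched value."""
    watched = {k.lower(): v for k, v in WATCHED_VALUES.items()}
    findings = []
    for rec in records:
        # Event ID 12 (key/value create or delete) is ignored: only value-set events carry the payload path.
        if rec.get("EventID") != 13:
            continue
        technique = watched.get(strip_user_hive(rec["TargetObject"]).lower())
        if technique:
            findings.append({
                "technique": technique,
                "image": rec.get("Image"),        # process that wrote the value
                "details": rec.get("Details"),    # the value written: script or DLL path
            })
    return findings


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed records: two writes by a loader in %TEMP%, one benign write to a neighbouring
# value, and an Event ID 12 on the same key that must not match.
SAMPLE_EVENTS = r'''
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ldr.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript", "Details": "C:\\Users\\alice\\AppData\\Roaming\\up.bat"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\TEMP", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ldr.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office test\\Special\\Perf", "Details": "C:\\Users\\alice\\AppData\\Roaming\\p.dll"}
{"EventID": 12, "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript"}
'''

if __name__ == "__main__":
    for f in check_registry_events(load_events(SAMPLE_EVENTS)):
        print(f"{f['technique']}: {f['image']} wrote {f['details']}")
```

The Details field is the useful part of a hit: for the logon-script value it is the script path, for the Office test key the DLL path, so the finding already names the file to collect. Comparing the full value path exactly, rather than on a substring, keeps ordinary writes to the user's Environment key (as in the second record) quiet.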

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

.002 Phishing: Spearphishing Link

APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

APT28 has conducted credential phishing campaigns with links that redirect to credential harvesting sites.(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.(Citation: ESET Sednit Part 3)

Enterprise T1090 .002 Proxy: External Proxy

APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.(Citation: FireEye APT28)(Citation: Bitdefender APT28 Dec 2015)(Citation: DOJ GRU Indictment Jul 2018)

.003 Proxy: Multi-hop Proxy

APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.(Citation: TrendMicro Pawn Storm Dec 2020)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

APT28 has mapped network drives using Net and administrator credentials.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1505 .003 Server Software Component: Web Shell

APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe “C:\Windows\twain_64.dll”. APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.(Citation: Crowdstrike DNC June 2016)(Citation: Bitdefender APT28 Dec 2015)(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit 42 Playbook Dec 2017)(Citation: ESET Zebrocy May 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1550 .001 Use Alternate Authentication Material: Application Access Token

APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.(Citation: Trend Micro Pawn Storm OAuth 2017)

.002 Use Alternate Authentication Material: Pass the Hash

APT28 has used pass the hash for lateral movement.(Citation: Microsoft SIR Vol 19)

Enterprise T1204 .001 User Execution: Malicious Link

APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

.002 User Execution: Malicious File

APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT28 has used Google Drive for C2.(Citation: TrendMicro Pawn Storm Dec 2020)

Software

ID Name References Techniques
S0039 Net (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0134 Downdelph (Citation: ESET Sednit Part 3) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) Junk Data, Bypass User Account Control, Symmetric Cryptography, Ingress Tool Transfer, DLL Search Order Hijacking
S0160 certutil (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) (Citation: TechNet Certutil) (Citation: Unit 42 Sofacy Feb 2018) Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0138 OLDBAIT (Citation: FireEye APT28 January 2017) (Citation: FireEye APT28) Match Legitimate Name or Location, Credentials from Web Browsers, Mail Protocols, Obfuscated Files or Information, Credentials from Password Stores, Web Protocols
S0410 Fysbis (Citation: Fysbis Palo Alto Analysis) Standard Encoding, File and Directory Discovery, Keylogging, Masquerade Task or Service, Process Discovery, Encrypted/Encoded File, File Deletion, System Information Discovery, Systemd Service, Match Legitimate Name or Location, Commonly Used Port, XDG Autostart Entries, Unix Shell
S0161 XAgentOSX (Citation: OSX.Sofacy) (Citation: Symantec APT28 Oct 2018) (Citation: US District Court Indictment GRU Oct 2018) (Citation: XAgentOSX 2017) Keylogging, System Owner/User Discovery, File and Directory Discovery, File Transfer Protocols, Credentials from Web Browsers, Process Discovery, Screen Capture, System Information Discovery, File Deletion, Native API
S0137 CORESHELL (Citation: FireEye APT28 January 2017) (Citation: FireEye APT28) (Citation: Securelist Sofacy Feb 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Sofacy) (Citation: SOURFACE) Web Protocols, Mail Protocols, Standard Encoding, System Information Discovery, Binary Padding, Rundll32, Registry Run Keys / Startup Folder, Ingress Tool Transfer, Obfuscated Files or Information, Symmetric Cryptography
S0117 XTunnel (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 2) (Citation: ESET Sednit Part 3) (Citation: Invincea XTunnel) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Symantec APT28 Oct 2018) (Citation: Trojan.Shunnael) (Citation: US District Court Indictment GRU Oct 2018) (Citation: X-Tunnel) (Citation: XAPS) Credentials In Files, Binary Padding, Windows Command Shell, Network Service Discovery, Asymmetric Cryptography, Proxy, Obfuscated Files or Information, Fallback Channels
S0044 JHUHUGIT (Citation: ESET Sednit Part 1) (Citation: F-Secure Sofacy 2015) (Citation: FireEye APT28 January 2017) (Citation: GAMEFISH) (Citation: JKEYSKW) (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Sednit) (Citation: Seduploader) (Citation: SofacyCarberp) (Citation: Symantec APT28 Oct 2018) (Citation: Talos Seduploader Oct 2017) (Citation: Trojan.Sofacy) (Citation: Unit 42 Sofacy Feb 2018) (Citation: US District Court Indictment GRU Oct 2018) Screen Capture, Fallback Channels, Process Discovery, System Network Configuration Discovery, Scheduled Task, Standard Encoding, Web Protocols, Registry Run Keys / Startup Folder, Logon Script (Windows), Clipboard Data, Windows Command Shell, Exploitation for Privilege Escalation, Component Object Model Hijacking, Encrypted/Encoded File, Windows Service, Process Injection, Rundll32, System Information Discovery, File Deletion, Ingress Tool Transfer
S0243 DealersChoice (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Sofacy DealersChoice) Windows Command Shell, Exploitation for Client Execution, Web Protocols
S0193 Forfiles (Citation: Microsoft Forfiles Aug 2016) (Citation: Überwachung APT28 Forfiles June 2015) Indirect Command Execution, Data from Local System, File and Directory Discovery
S0191 Winexe (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Überwachung APT28 Forfiles June 2015) (Citation: Winexe Github Sept 2013) Service Execution
S0502 Drovorub (Citation: NSA/FBI Drovorub August 2020) Web Protocols, Data from Local System, Obfuscated Files or Information, File Deletion, Kernel Modules and Extensions, Non-Application Layer Protocol, Rootkit, Internal Proxy, Unix Shell, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Ingress Tool Transfer
S0174 Responder (Citation: FireEye APT28 Hospitality Aug 2017) (Citation: GitHub Responder) (Citation: US District Court Indictment GRU Oct 2018) Network Sniffing, LLMNR/NBT-NS Poisoning and SMB Relay
S0251 Zebrocy (Citation: Accenture SNAKEMACKEREL Nov 2018) (Citation: CISA Zebrocy Oct 2020) (Citation: CyberScoop APT28 Nov 2018) (Citation: ESET Zebrocy May 2019) (Citation: Palo Alto Sofacy 06-2018) (Citation: Securelist Sofacy Feb 2018) (Citation: Unit42 Cannon Nov 2018) (Citation: Unit42 Sofacy Dec 2018) (Citation: Zekapab) System Time Discovery, Process Discovery, Windows Management Instrumentation, System Network Connections Discovery, Ingress Tool Transfer, Screen Capture, Peripheral Device Discovery, System Owner/User Discovery, Credential API Hooking, Exfiltration Over C2 Channel, System Information Discovery, Mail Protocols, Web Protocols, System Network Configuration Discovery, File and Directory Discovery, Registry Run Keys / Startup Folder, Software Packing, Archive Collected Data, Logon Script (Windows), Windows Command Shell, Asymmetric Cryptography, Local Data Staging, Query Registry, File Deletion, Uncommonly Used Port, Standard Encoding, Custom Command and Control Protocol, Network Share Discovery, Deobfuscate/Decode Files or Information, Automated Collection, Scheduled Task, Credentials from Web Browsers
S0136 USBStealer (Citation: ESET Sednit Part 3) (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy) Data from Removable Media, Encrypted/Encoded File, File and Directory Discovery, Exfiltration over USB, Timestomp, Registry Run Keys / Startup Folder, Automated Collection, Match Legitimate Name or Location, Automated Exfiltration, Communication Through Removable Media, Replication Through Removable Media, File Deletion, Peripheral Device Discovery, Local Data Staging
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Kaspersky Sofacy) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0397 LoJax (Citation: ESET LoJax Sept 2018) Modify Registry, NTFS File Attributes, System Firmware, Registry Run Keys / Startup Folder, System Firmware, Rootkit
S0250 Koadic (Citation: Github Koadic) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Palo Alto Sofacy 06-2018) System Network Configuration Discovery, System Information Discovery, Visual Basic, Mshta, Dynamic-link Library Injection, Regsvr32, System Owner/User Discovery, Hidden Window, Security Account Manager, Ingress Tool Transfer, Web Protocols, Windows Management Instrumentation, PowerShell, Clipboard Data, Bypass User Account Control, Network Service Discovery, Remote Desktop Protocol, Windows Command Shell, File and Directory Discovery, Registry Run Keys / Startup Folder, NTDS, Service Execution, Data from Local System, Asymmetric Cryptography, Network Share Discovery, Rundll32, Scheduled Task
S0023 CHOPSTICK (Citation: Backdoor.SofacyX) (Citation: DOJ GRU Indictment Jul 2018) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: FireEye APT28) (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: SPLM) (Citation: Symantec APT28 Oct 2018) (Citation: webhp) (Citation: X-Agent) (Citation: Xagent) Fallback Channels, Communication Through Removable Media, Internal Proxy, Command and Scripting Interpreter, Mail Protocols, Web Protocols, Modify Registry, Virtualization/Sandbox Evasion, Screen Capture, Ingress Tool Transfer, Security Software Discovery, File and Directory Discovery, Fileless Storage, Keylogging, Replication Through Removable Media, Domain Generation Algorithms, Symmetric Cryptography, Asymmetric Cryptography, Query Registry
S0351 Cannon (Citation: Unit42 Cannon Nov 2018) (Citation: Unit42 Sofacy Dec 2018) Process Discovery, Uncommonly Used Port, Screen Capture, System Owner/User Discovery, Exfiltration Over C2 Channel, Mail Protocols, System Time Discovery, File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, Winlogon Helper DLL
S0135 HIDEDRV (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016) Rootkit, Dynamic-link Library Injection
S0183 Tor (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) (Citation: Dingledine Tor The Second-Generation Onion Router) Asymmetric Cryptography, Multi-hop Proxy
S0162 Komplex (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) (Citation: Sofacy Komplex Trojan) (Citation: XAgentOSX 2017) File Deletion, System Owner/User Discovery, Process Discovery, Symmetric Cryptography, Web Protocols, Launch Agent, Hidden Files and Directories
S0645 Wevtutil (Citation: Crowdstrike DNC June 2016) (Citation: Wevtutil Microsoft Documentation) Clear Windows Event Logs, Disable Windows Event Logging, Data from Local System
S0045 ADVSTORESHELL (Citation: ESET Sednit Part 2) (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) Component Object Model Hijacking, System Information Discovery, Keylogging, Standard Encoding, Rundll32, Registry Run Keys / Startup Folder, Archive Collected Data, File Deletion, Local Data Staging, Scheduled Transfer, Process Discovery, Windows Command Shell, File and Directory Discovery, Symmetric Cryptography, Web Protocols, Query Registry, Peripheral Device Discovery, Modify Registry, Obfuscated Files or Information, Archive via Custom Method, Native API, Commonly Used Port, Asymmetric Cryptography, Exfiltration Over C2 Channel

References

  1. MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
  2. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  3. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
  4. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  5. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  6. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
  7. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
  8. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
  9. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  10. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  11. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  12. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  13. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  14. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  15. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  16. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  17. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  18. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
  19. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  20. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  21. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  22. Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
  23. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
  24. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  25. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  26. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  27. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  28. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  29. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  30. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  31. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  32. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  33. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  34. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
  35. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  36. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  37. Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
  38. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  39. Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
  40. SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
  41. Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.
