APT28
Associated Group Descriptions |
|
Name | Description |
---|---|
SNAKEMACKEREL | (Citation: Accenture SNAKEMACKEREL Nov 2018) |
Fancy Bear | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
Tsar Team | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) |
STRONTIUM | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
FROZENLAKE | (Citation: Leonard TAG 2023) |
Forest Blizzard | (Citation: Microsoft Threat Actor Naming July 2023) |
IRON TWILIGHT | (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
Threat Group-4127 | (Citation: SecureWorks TG-4127) |
TG-4127 | (Citation: SecureWorks TG-4127) |
Pawn Storm | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) |
Swallowtail | (Citation: Symantec APT28 Oct 2018) |
Group 74 | (Citation: Talos Seduploader Oct 2017) |
Sednit | This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) |
Sofacy | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | .001 | Access Token Manipulation: Token Impersonation/Theft |
APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.(Citation: FireEye Op RussianDoll) |
Enterprise | T1098 | .002 | Account Manipulation: Additional Email Delegate Permissions |
APT28 has used a Powershell cmdlet to grant the |
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.(Citation: FireEye APT28)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Google TAG Ukraine Threat Landscape March 2022) |
.003 | Acquire Infrastructure: Virtual Private Server |
APT28 hosted phishing domains on free services for brief periods of time during campaigns.(Citation: Leonard TAG 2023) |
||
.006 | Acquire Infrastructure: Web Services |
APT28 has used newly-created Blogspot pages for credential harvesting operations.(Citation: Google TAG Ukraine Threat Landscape March 2022) |
||
Enterprise | T1595 | .002 | Active Scanning: Vulnerability Scanning |
APT28 has performed large-scale scans in an attempt to find vulnerable servers.(Citation: TrendMicro Pawn Storm 2019) |
Enterprise | T1557 | .004 | Adversary-in-the-Middle: Evil Twin |
APT28 has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.(Citation: US District Court Indictment GRU Oct 2018) |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
.003 | Application Layer Protocol: Mail Protocols |
APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
||
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
APT28 has deployed malware that has copied itself to the startup directory for persistence.(Citation: TrendMicro Pawn Storm Dec 2020) |
Enterprise | T1037 | .001 | Boot or Logon Initialization Scripts: Logon Script (Windows) |
An APT28 loader Trojan adds the Registry key |
Enterprise | T1110 | .001 | Brute Force: Password Guessing |
APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020) APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
.003 | Brute Force: Password Spraying |
APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: Microsoft Targeting Elections September 2020) APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
APT28 downloads and executes PowerShell scripts and performs PowerShell commands.(Citation: Palo Alto Sofacy 06-2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.(Citation: Unit 42 Playbook Dec 2017) The group has also used macros to execute payloads.(Citation: Talos Seduploader Oct 2017)(Citation: Unit42 Cannon Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020) |
||
Enterprise | T1586 | .002 | Compromise Accounts: Email Accounts |
APT28 has used compromised email accounts to send credential phishing emails.(Citation: Google TAG Ukraine Threat Landscape March 2022) |
Enterprise | T1584 | .008 | Compromise Infrastructure: Network Devices |
APT28 compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages.(Citation: Leonard TAG 2023) |
Enterprise | T1001 | .001 | Data Obfuscation: Junk Data |
APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.(Citation: FireEye APT28) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
APT28 has stored captured credential information in a file named pi.log.(Citation: Microsoft SIR Vol 19) |
.002 | Data Staged: Remote Data Staging |
APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
||
Enterprise | T1213 | .002 | Data from Information Repositories: Sharepoint |
APT28 has collected information from Microsoft SharePoint services within target networks.(Citation: RSAC 2015 Abu Dhabi Stefano Maccaglia) |
Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
APT28 has collected emails from victim Microsoft Exchange servers.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.(Citation: ESET Zebrocy May 2019) |
Enterprise | T1546 | .015 | Event Triggered Execution: Component Object Model Hijacking |
APT28 has used COM hijacking for persistence by replacing the legitimate |
Enterprise | T1048 | .002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
Enterprise | T1589 | .001 | Gather Victim Identity Information: Credentials |
APT28 has harvested user's login credentials.(Citation: Microsoft Targeting Elections September 2020) |
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
APT28 has saved files with hidden file attributes.(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) |
.003 | Hide Artifacts: Hidden Window |
APT28 has used the WindowStyle parameter to conceal PowerShell windows.(Citation: Palo Alto Sofacy 06-2018) (Citation: McAfee APT28 DDE1 Nov 2017) |
||
Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
APT28 has cleared event logs, including by using the commands |
.004 | Indicator Removal: File Deletion |
APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.(Citation: DOJ GRU Indictment Jul 2018) |
||
.006 | Indicator Removal: Timestomp |
APT28 has performed timestomping on victim files.(Citation: Crowdstrike DNC June 2016) |
||
Enterprise | T1056 | .001 | Input Capture: Keylogging |
APT28 has used tools to perform keylogging.(Citation: Microsoft SIR Vol 19)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm Dec 2020) |
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.(Citation: McAfee APT28 DDE1 Nov 2017)(Citation: McAfee APT28 DDE2 Nov 2017)(Citation: Palo Alto Sofacy 06-2018) |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018) They have also dumped the LSASS process memory using the MiniDump function.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
.003 | OS Credential Dumping: NTDS |
APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
||
Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.(Citation: Palo Alto Sofacy 06-2018)(Citation: Securelist Sofacy Feb 2018)(Citation: FireEye APT28 Hospitality Aug 2017) |
Enterprise | T1137 | .002 | Office Application Startup: Office Test |
APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
.002 | Phishing: Spearphishing Link |
APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
||
Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link |
APT28 has conducted credential phishing campaigns with links that redirect to credential harvesting sites.(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
Enterprise | T1542 | .003 | Pre-OS Boot: Bootkit |
APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.(Citation: ESET Sednit Part 3) |
Enterprise | T1090 | .002 | Proxy: External Proxy |
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.(Citation: FireEye APT28)(Citation: Bitdefender APT28 Dec 2015)(Citation: DOJ GRU Indictment Jul 2018) |
.003 | Proxy: Multi-hop Proxy |
APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.(Citation: TrendMicro Pawn Storm Dec 2020) |
||
Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
APT28 has mapped network drives using Net and administrator credentials.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
APT28 executed CHOPSTICK by using rundll32 commands such as |
Enterprise | T1550 | .001 | Use Alternate Authentication Material: Application Access Token |
APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.(Citation: Trend Micro Pawn Storm OAuth 2017) |
.002 | Use Alternate Authentication Material: Pass the Hash |
APT28 has used pass the hash for lateral movement.(Citation: Microsoft SIR Vol 19) |
||
Enterprise | T1204 | .001 | User Execution: Malicious Link |
APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
.002 | User Execution: Malicious File |
APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
||
Enterprise | T1078 | .004 | Valid Accounts: Cloud Accounts |
APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
APT28 has used Google Drive for C2.(Citation: TrendMicro Pawn Storm Dec 2020) |
References
- MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
- NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
- Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
- Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
- Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
- Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
- Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
- Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
- Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
- Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
- ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
- Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
- SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
- Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.