APT28
Also known as: IRON TWILIGHT · SNAKEMACKEREL · Swallowtail · Group 74 · Sednit · Sofacy · Pawn Storm · Fancy Bear · STRONTIUM · Tsar Team · Threat Group-4127 · TG-4127 · Forest Blizzard · FROZENLAKE · GruesomeLarch
Overview
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
Targets
Government · Military · Security Service
Regions and targeted organizations
Afghanistan · Armenia · Asia Pacific Economic Cooperation · Belgium · China · European Commission · France · Georgia · Germany · Hungary · International Association of Athletics Federations · Japan · Jordan · Kazakhstan · Mongolia · NATO · OSCE · Pakistan · Poland · Tajikistan · Turkey · Ukraine · United Kingdom · United States · World Anti-Doping Agency
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203, T1211
- Custom malware/implant development — ATT&CK: 19 attributed custom malware families
TTPs — 93 techniques across 15 tactics
Reconnaissance
- T1589.001 Credentials
- T1591 Gather Victim Org Information
- T1595.002 Vulnerability Scanning
- T1596 Search Open Technical Databases
- T1598 Phishing for Information
- T1598.003 Spearphishing Link
Resource Development
- T1583.001 Domains
- T1583.003 Virtual Private Server
- T1583.006 Web Services
- T1584.008 Network Devices
- T1586.002 Email Accounts
- T1588.002 Tool
- T1588.007 Artificial Intelligence
Initial Access
- T1189 Drive-by Compromise
- T1190 Exploit Public-Facing Application
- T1199 Trusted Relationship
- T1566.001 Spearphishing Attachment
- T1669 Wi-Fi Networks
Execution
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1559.002 Dynamic Data Exchange
Persistence
- T1037.001 Logon Script (Windows)
- T1098.002 Additional Email Delegate Permissions
- T1133 External Remote Services
- T1137.002 Office Test
- T1505.003 Web Shell
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
Stealth
- T1014 Rootkit
- T1027.013 Encrypted/Encoded File
- T1036 Masquerading
- T1036.005 Match Legitimate Resource Name or Location
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1078 Valid Accounts
- T1078.004 Cloud Accounts
- T1134.001 Token Impersonation/Theft
- T1140 Deobfuscate/Decode Files or Information
- T1211 Exploitation for Stealth
- T1218.011 Rundll32
- T1221 Template Injection
- T1542.003 Bootkit
- T1564.001 Hidden Files and Directories
- T1564.003 Hidden Window
- T1684.001 Impersonation
Defense Impairment
- T1685.005 Clear Windows Event Logs
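The one Defense Impairment technique listed here pairs with Wevtutil in the tool list below. The hunt a detection engineer would want is not "any wevtutil execution" (queries with `wevtutil qe` are routine) but the clearing verbs and the "log was cleared" events themselves. The following is an added example, not threatfilter.dev code; the event records are constructed, with field names mirroring Security 4688 / Sysmon 1 process creation and the Security 1102 / System 104 cleared-log events, and no real telemetry behind them.

```python
"""Flag Windows event-log clearing in process-creation and audit events.

Added example, not threatfilter.dev code. SAMPLE_EVENTS is constructed:
the field names follow Security 4688 / Sysmon 1 (CommandLine) and the
Security 1102 / System 104 "log cleared" events, the values are invented.
"""
import os
import re
import shlex

CLEAR_VERBS = {"cl", "clear-log"}                 # wevtutil's two spellings of "clear a log"
PS_CLEAR = re.compile(r"clear-eventlog|remove-eventlog", re.IGNORECASE)
LOG_CLEARED = {("Security", 1102), ("System", 104)}  # the OS's own record of a wipe

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4688, "Channel": "Security", "CommandLine": r"C:\Windows\System32\wevtutil.exe cl Security"},
    {"EventID": 4688, "Channel": "Security", "CommandLine": "wevtutil qe Security /c:5 /f:text"},  # benign query
    {"EventID": 4688, "Channel": "Security", "CommandLine": 'powershell.exe -nop -c "Clear-EventLog -LogName Security"'},
    {"EventID": 4688, "Channel": "Security", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1102, "Channel": "Security", "CommandLine": ""},
    {"EventID": 4688, "Channel": "Security", "CommandLine": "WEVTUTIL.EXE clear-log System"},
]


def _wevtutil_clear(cmdline):
    """True only when the binary is wevtutil and the first verb clears a log."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # keep backslashes in Windows paths
    except ValueError:                               # unbalanced quotes in the command line
        return False
    if len(tokens) < 2:
        return False
    exe = os.path.basename(tokens[0].strip('"').replace("\\", "/")).lower()
    return exe in ("wevtutil", "wevtutil.exe") and tokens[1].strip('"').lower() in CLEAR_VERBS


def find_log_clearing(events):
    """Return [(reason, event)] for every event that indicates a log wipe."""
    hits = []
    for ev in events:
        if (ev.get("Channel"), ev.get("EventID")) in LOG_CLEARED:
            hits.append(("log cleared event", ev))
        elif ev.get("EventID") == 4688:
            cmd = ev.get("CommandLine", "")
            if _wevtutil_clear(cmd):
                hits.append(("wevtutil clear", ev))
            elif PS_CLEAR.search(cmd):
                hits.append(("powershell clear", ev))
    return hits


if __name__ == "__main__":
    for reason, ev in find_log_clearing(SAMPLE_EVENTS):
        print(f"{reason:18s} {ev['EventID']} {ev['CommandLine']}")
```

The 1102/104 events are the higher-confidence signal: they are written by the service after the wipe and survive regardless of which tool did the clearing, so they belong on a forwarded channel an attacker on the host cannot silently clear.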
Credential Access
- T1003 OS Credential Dumping
- T1003.001 LSASS Memory
- T1003.003 NTDS
- T1040 Network Sniffing
- T1110 Brute Force
- T1110.001 Password Guessing
- T1110.003 Password Spraying
- T1528 Steal Application Access Token
- T1557.004 Evil Twin
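The Brute Force sub-techniques above (T1110.001 password guessing, T1110.003 password spraying) look identical if you only count failed logons per source; the distinguishing feature is the shape of the failures, one account hammered versus many accounts touched once or twice each. The following is an added example, not threatfilter.dev code, that separates the two over Windows Security 4625 records. The records are constructed (field names mirror TargetUserName, IpAddress and SubStatus; values are invented) and the thresholds are assumptions to tune per environment.

```python
"""Separate password spraying (T1110.003) from brute force (T1110.001)
in Windows Security 4625 (failed logon) records.

Added example, not threatfilter.dev code. SAMPLE_4625 is constructed:
field names mirror the 4625 event, values are invented. The window and
count thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (TimeCreated, IpAddress, TargetUserName, SubStatus)
# 0xC000006A = wrong password, 0xC0000064 = account does not exist;
# a spray routinely hits non-existent accounts, so both codes are kept.
SAMPLE_4625 = [  # constructed
    ("2024-03-01T09:00:01", "203.0.113.7", "alice", "0xC000006A"),
    ("2024-03-01T09:00:45", "203.0.113.7", "bob", "0xC000006A"),
    ("2024-03-01T09:01:20", "203.0.113.7", "carol", "0xC000006A"),
    ("2024-03-01T09:02:05", "203.0.113.7", "dave", "0xC000006A"),
    ("2024-03-01T09:02:50", "203.0.113.7", "svc-backup", "0xC0000064"),
    ("2024-03-01T09:03:30", "203.0.113.7", "erin", "0xC000006A"),
    *[("2024-03-01T09:10:%02d" % (5 * i), "198.51.100.9", "bob", "0xC000006A") for i in range(8)],
    ("2024-03-01T09:20:00", "192.0.2.5", "alice", "0xC000006A"),   # a user mistyping twice
    ("2024-03-01T09:21:00", "192.0.2.5", "alice", "0xC000006A"),
]


def parse(rec):
    ts, ip, user, sub = rec
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user.lower(), "sub": sub}


def classify_sources(records, window=timedelta(minutes=10), min_users=5,
                     max_per_user=2, bf_attempts=6):
    """Map source IP -> "spray" | "brute_force" | None using a sliding window.

    spray:       >= min_users distinct accounts, none tried more than
                 max_per_user times (one or two passwords against many users).
    brute_force: >= bf_attempts failures against a single account.
    """
    by_ip = defaultdict(list)
    for r in map(parse, records):
        by_ip[r["ip"]].append(r)

    verdicts = {}
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: r["ts"])
        verdicts[ip] = None
        for i, start in enumerate(rs):          # each failure opens a window
            per_user = defaultdict(int)
            for r in rs[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                per_user[r["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdicts[ip] = "spray"
                break
            if max(per_user.values()) >= bf_attempts:
                verdicts[ip] = "brute_force"
                break
    return verdicts


def spray_sources(records, **kw):
    """Just the sources whose failure pattern matches a spray."""
    return sorted(ip for ip, v in classify_sources(records, **kw).items() if v == "spray")


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_4625).items():
        print(f"{ip:15s} {verdict}")
```

Per-source counting is the weak point of this check against a group that proxies through rented VPS and multi-hop infrastructure (T1583.003, T1090.003 on this page): a spray spread across many egress IPs shows one or two failures per IP. Running the same window keyed on the target user population rather than on the source, and joining identity-provider sign-in logs where the tenant is the target (T1078.004), closes that gap.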
Discovery
- T1057 Process Discovery
- T1083 File and Directory Discovery
- T1120 Peripheral Device Discovery
Lateral Movement
- T1021.002 SMB/Windows Admin Shares
- T1091 Replication Through Removable Media
- T1210 Exploitation of Remote Services
- T1550.001 Application Access Token
- T1550.002 Pass the Hash
Collection
- T1005 Data from Local System
- T1025 Data from Removable Media
- T1039 Data from Network Shared Drive
- T1056.001 Keylogging
- T1074.001 Local Data Staging
- T1074.002 Remote Data Staging
- T1113 Screen Capture
- T1114.002 Remote Email Collection
- T1119 Automated Collection
- T1213 Data from Information Repositories
- T1213.002 Sharepoint
- T1560 Archive Collected Data
- T1560.001 Archive via Utility
Command and Control
- T1001.001 Junk Data
- T1071.001 Web Protocols
- T1071.003 Mail Protocols
- T1090.002 External Proxy
- T1090.003 Multi-hop Proxy
- T1092 Communication Through Removable Media
- T1102.002 Bidirectional Communication
- T1105 Ingress Tool Transfer
- T1573.001 Symmetric Cryptography
Exfiltration
Impact
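A TTP list like the one above is most useful once it is scored against what your own telemetry already detects, and the ATT&CK Navigator layer format is the usual way to visualize that. The following is an added example, not threatfilter.dev or MITRE code: it parses a slice of this page's technique list (the raw `T1003.001LSASS Memory -` form and the cleaned `- T1003.001 LSASS Memory` form are both accepted), compares it with a hypothetical set of technique IDs the reader's SOC covers (`MY_DETECTIONS`, an assumption), and emits a Navigator layer. The layer key names follow the Navigator layer format; the version numbers under `versions` are assumptions to adjust for your Navigator release.

```python
"""Turn a threatfilter.dev-style TTP list into an ATT&CK Navigator layer
scored by detection coverage.

Added example, not threatfilter.dev or MITRE code. PAGE_EXCERPT is a
constructed slice of this page's technique list; MY_DETECTIONS is an
assumed set of already-detected technique IDs; the version numbers in
`versions` are assumptions.
"""
import json
import re

# technique ID, optional sub-technique suffix, then the name; a trailing
# " -" separator from the page's raw layout is dropped.
TECH_RE = re.compile(r"(T\d{4}(?:\.\d{3})?)\s*(.*?)\s*-?\s*$")

PAGE_EXCERPT = """\
Credential Access
-
T1003.001LSASS Memory -
T1110.003Password Spraying -
T1557.004Evil Twin
Command and Control
- T1090.003 Multi-hop Proxy
- T1573.001 Symmetric Cryptography
"""

MY_DETECTIONS = {"T1003.001", "T1110.003"}   # assumption: what the SOC already detects


def parse_techniques(text):
    """Return [(technique_id, name, tactic_heading)] in page order."""
    out, tactic = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if not line:                       # blank line or the bare "-" the page emits
            continue
        m = TECH_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), tactic))
        else:
            tactic = line                  # any other non-empty line is a tactic heading
    return out


def build_layer(techniques, detections, name="APT28 (threatfilter.dev)"):
    """Navigator layer dict: covered techniques green, gaps red."""
    entries = []
    for tid, tname, tactic in techniques:
        covered = tid in detections
        entries.append({
            "techniqueID": tid,
            "score": 2 if covered else 1,
            "color": "#66cc66" if covered else "#ff6666",
            "comment": f"{tname} ({tactic}); detection {'present' if covered else 'MISSING'}",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},   # assumption
        "domain": "enterprise-attack",
        "description": "Techniques attributed to APT28 on threatfilter.dev, scored by detection coverage",
        "techniques": entries,
        "legendItems": [
            {"label": "detection present", "color": "#66cc66"},
            {"label": "detection gap", "color": "#ff6666"},
        ],
    }


def detection_gaps(techniques, detections):
    """Technique IDs on the page with no detection, sorted."""
    return sorted({tid for tid, _, _ in techniques} - set(detections))


if __name__ == "__main__":
    techs = parse_techniques(PAGE_EXCERPT)
    print(json.dumps(build_layer(techs, MY_DETECTIONS), indent=2))
    print("gaps:", detection_gaps(techs, MY_DETECTIONS))
```

Feed the whole TTP section of this page to `parse_techniques` to get all of it; the tactic headings the page uses (Stealth, Defense Impairment) are kept only as comment text, since Navigator derives tactic placement from the technique ID itself.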
Tools & malware (29)
Wevtutil · certutil · CHOPSTICK · Net · Forfiles · DealersChoice · Mimikatz · ADVSTORESHELL · Cannon · Komplex · HIDEDRV · JHUHUGIT · Koadic · Winexe · Responder · cipher.exe · XTunnel · Drovorub · LAMEHUG · Tor · CORESHELL · OLDBAIT · Downdelph · XAgentOSX · USBStealer · Zebrocy · reGeorg · Fysbis · LoJax
Reporting (3)
- The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access — Sean Koessel, Steven Adair, Tom Lancaster
- How Microsoft names threat actors — Microsoft
- Ukraine remains Russia’s biggest cyber focus in 2023 — Billy Leonard