APT28

🔴 High

Also known as: APT 28, APT-C-20, APT28, Armada Collective, ATG2, ATK5, Blue Athena, BlueDelta, CrisisFour, Dark Power, Fancy Bear, FANCY BEAR, Fighting Ursa, Forest Blizzard, FROZENLAKE, G0007, Grey-Cloud, Grizzly Steppe, Group 74, Group-4127, GruesomeLarch, HELLFIRE, IRON TWILIGHT, ITG05, Operation Pawn Storm, Pawn Storm, Sednit, SIG40, SNAKEMACKEREL, Sofacy, Sofacy Group, STRONTIUM, Strontium, Swallowtail, T-APT-12, TA422, TG-4127, Threat Group-4127, Tsar Team, TsarTeam, UAC-0001, UAC-0028, Z-Lom Team, 奇幻熊 - APT-C-20

APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. [38][37] This group has been active since at least 2004. [36][26][17][25][39][24][20][23][31][42][21]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [17] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. [19] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

🌍 Country Russia
📅 Activity 2007 – 2024
πŸ“ Last Updated
⚑ Risk Level High
🎯 Incident Type Espionage
🧭 ATT&CK G0007

Activities and Tactics

Targeted Sectors: Government, Military, Media, Government, Administration, Security Service

Country of Origin: 🇷🇺 Russia

Risk Level: High

First Seen: 2007

Last Activity: 2024

Incident Type: Espionage

Suspected Victims: Georgia, France, Jordan, United States, Hungary, World Anti-Doping Agency, Armenia, Tajikistan, Japan, NATO…

Notable Campaigns

  • APT28 Nearest Neighbor Campaign (C0051): APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily relied on living-off-the-land techniques, alongside zero-day exploitation of CVE-2022-38028. Notably, APT28 leveraged Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. By daisy-chaining multiple compromised organizations near the intended target, APT28

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 18 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

  • CyberGate
  • Cyber Eye RAT
  • X-Agent
  • Komplex
  • ArguePatch
  • Cannon
  • DriveOcean
  • Unidentified 114 (APT28 InfoStealer)
  • XP PrivEsc (CVE-2014-4076)
  • X-Tunnel (.NET)
  • Zebrocy (AutoIT)
  • LoJax
  • CredoMap
  • Mocky LNK
  • OCEANMAP
  • SpyPress
  • STEELHOOK
  • MASEPIE
  • LAMEHUG
  • CaddyWiper
  • Computrace
  • Coreshell
  • Downdelph
  • FusionDrive
  • GooseEgg
  • Graphite
  • Koadic
  • OLDBAIT
  • PocoDown
  • Sedreco
  • Seduploader
  • Unidentified 078 (Zebrocy Nim Loader?)
  • Zebrocy
  • GONEPOSTAL
  • BadPaw
  • BEARDSHELL
  • SLIMAGENT
  • XTunnel
  • Unidentified JS 007 (Zimbra Stealer)
  • PixyNetLoader
  • CHOPSTICK
  • CORESHELL
  • Winexe
  • SOURFACE
  • Sofacy
  • XAgent
  • WinIDS
  • Foozer
  • DownRange
  • Sedreco Dropper
  • DealersChoice
  • Sednit
  • USBStealer
  • Sedkit
  • HideDrv (Rootkit)
  • SeduUploader
  • Promptsteal
  • Promptflux

Russian APT Tool Matrix observations

Observed tools by category:

  • Credential Theft: Mimikatz
  • LOLBAS: MiniDump, Windows Event Utility (wevtutil)
  • Networking: OpenSSH, ReGeorg, SSHDoor
  • OffSec: Empyre, Impacket, Koadic, Metasploit, Nishang, PowerShell Empire, Responder

Attribution and Evidence

Country of Origin: Russia

Additional attribution information pending cataloguing.

References

[1] mitre-attack
[16] Accenture SNAKEMACKEREL Nov 2018: Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
[17] Crowdstrike DNC June 2016: Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
[18] Leonard TAG 2023: Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
[19] US District Court Indictment GRU Oct 2018: Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
[20] GRIZZLY STEPPE JAR: Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
[21] ESET Zebrocy May 2019: ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
[22] ESET Sednit Part 3: ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
[23] Sofacy DealersChoice: Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
[24] FireEye APT28 January 2017: FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.
[25] FireEye APT28: FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
[26] Ars Technica GRU indictment Jul 2018: Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
[27] TrendMicro Pawn Storm Dec 2020: Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
[28] Securelist Sofacy Feb 2018: Kaspersky Lab’s Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
[29] Kaspersky Sofacy: Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
[30] Nearest Neighbor Volexity: Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
[31] Palo Alto Sofacy 06-2018: Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
[32] Talos Seduploader Oct 2017: Mercer, W., et al. (2017, October 22). “Cyber Conflict” Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
[33] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[34] Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020: Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
[35] Microsoft STRONTIUM Aug 2019: MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
[36] DOJ GRU Indictment Jul 2018: Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
[37] Cybersecurity Advisory GRU Brute Force Campaign July 2021: NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
[38] NSA/FBI Drovorub August 2020: NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
[39] SecureWorks TG-4127: SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
[40] Secureworks IRON TWILIGHT Active Measures March 2017: Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
[41] Secureworks IRON TWILIGHT Profile: Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.
[42] Symantec APT28 Oct 2018: Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.