APT28 / Fancy Bear: Russian State Sponsored APT

APT28, aka Fancy Bear, a Russian GRU-linked group, conducts sophisticated espionage and information theft campaigns globally, targeting governments and critical infrastructure.

    Overview

    APT28, also known as Fancy Bear, is a sophisticated and prolific advanced persistent threat (APT) group strongly linked to the Russian Main Intelligence Directorate (GRU). Active since at least 2004, the group's operations are characterized by persistent, long-term campaigns focused on espionage and information theft, targeting governments, military organizations, the energy sector, and media outlets. While initially focused on geopolitical targets, APT28's activities broadened to include high-profile attacks aimed at influencing elections and disseminating stolen information. Recent activity shows a renewed focus on Ukraine and its allies following the 2022 Russian invasion. Although APT28 is not primarily a ransomware group, understanding its tactics and techniques is crucial because of its advanced capabilities and potential for adaptation.

    Known Aliases

    APT28, Pawn Storm, Fancy Bear, Sednit, SNAKEMACKEREL, TsarTeam, TG-4127, STRONTIUM, Swallowtail, IRON TWILIGHT, Group 74, SIG40, Grizzly Steppe, G0007, ATK5, Fighting Ursa, ITG05, Blue Athena, TA422, APT-C-20, UAC-0028, FROZENLAKE, Sofacy, Forest Blizzard, BlueDelta, Group-4127, Grey-Cloud, T-APT12, TAG-0700, Threat Group-4127

    Country of Origin

    Russian Federation. Evidence points to a strong affiliation with Unit 26165 of the GRU, Russia’s military intelligence agency.

    Known High-Profile Victims/Most Recent Attacks of APT28

    Common Methods of Infiltration Used by APT28

    APT28 primarily uses spearphishing campaigns as the initial vector for infiltration. These campaigns typically involve emails carrying malicious attachments (Microsoft Office documents, RAR archives) or links leading to malicious websites. Once initial access is gained, the group uses a range of techniques to move laterally within the network, escalate privileges, and exfiltrate data. The malware strains listed below are used at various stages of these attacks.
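    The two lure shapes named above (document or archive attachments, and links in the message body) are what a mail-triage rule looks for first. The following is an added example, not code from the original page or any vendor product: it parses an RFC 5322 message with Python's standard library and flags those lure types. The sample message is constructed for the example, and the extension lists are an assumption to be tuned to local mail policy.

```python
"""Triage an inbound message for the spearphishing lure shapes described above.

Added example, not code from the original page or any vendor tooling. It parses
an RFC 5322 message with the standard library and flags the two lure types the
profile names: Office-document or RAR-archive attachments and links in the body.
The sample message is constructed for the example, and the extension lists are
an assumption to be tuned to local mail policy.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# Attachment types matching the lures named in the profile (assumed list)
DOCUMENT_EXT = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".rtf"}
ARCHIVE_EXT = {".rar", ".zip", ".7z"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def attachment_names(msg: Message) -> list[str]:
    """File names of every non-multipart part that carries a filename."""
    return [part.get_filename() for part in msg.walk()
            if part.get_content_maintype() != "multipart" and part.get_filename()]


def body_urls(msg: Message) -> list[str]:
    """URLs found in text/plain and text/html parts that are not attachments."""
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            urls.extend(URL_RE.findall(payload.decode("utf-8", errors="replace")))
    return urls


def extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(raw: str) -> dict:
    """Return attachments, body links, findings and a verdict for one raw message."""
    msg = message_from_string(raw)
    attachments = attachment_names(msg)
    urls = body_urls(msg)
    findings = []
    for name in attachments:
        ext = extension(name)
        if ext in DOCUMENT_EXT:
            findings.append(f"document attachment: {name}")
        elif ext in ARCHIVE_EXT:
            findings.append(f"archive attachment: {name}")
    findings.extend(f"link in body: {u}" for u in urls)
    return {
        "subject": msg.get("Subject", ""),
        "attachments": attachments,
        "urls": urls,
        "findings": findings,
        # Any lure shape present sends the message to analyst review
        "verdict": "review" if findings else "clean",
    }


# Constructed sample: a document attachment plus a link in the body
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: analyst@example.com
Subject: Updated security policy (action required)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached policy and confirm at http://example.test/confirm
--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="Policy_Update.docx"
Content-Disposition: attachment; filename="Policy_Update.docx"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

    The rule is deliberately coarse: a document attachment plus a link is exactly the shape described in the profile, so the verdict routes the message to review rather than trying to judge the attachment's contents. Content inspection (macro presence, archive listing) would be the next layer on top of this.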

    MITRE ATT&CK Tactics and Techniques Used by APT28

    APT28 utilizes a wide range of MITRE ATT&CK tactics and techniques, demonstrating a high level of sophistication and adaptability. Some key techniques include:

    | Tactic | Technique | Technique ID | Description |
    |---|---|---|---|
    | Initial Access | Spearphishing Attachment | T1566.001 | APT28 uses malicious attachments in phishing emails to deliver malware. |
    | Initial Access | Spearphishing Link | T1566.002 | Delivers malware via links in phishing emails. |
    | Execution | Command and Scripting Interpreter | T1059 | Executes scripts via cmd, PowerShell, and other interpreters. |
    | Execution | User Execution | T1204 | Requires user interaction, such as opening a file or link. |
    | Persistence | Boot or Logon Autostart Execution | T1547 | Creates entries to run malware on startup. |
    | Persistence | Scheduled Task/Job | T1053 | Creates scheduled tasks for persistence or execution. |
    | Persistence | Registry Run Keys / Startup Folder | T1547.001 | Uses registry keys to maintain persistence. |
    | Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Exploits software vulnerabilities to elevate privileges. |
    | Defense Evasion | Obfuscated Files or Information | T1027 | Uses obfuscation to hide malicious code. |
    | Defense Evasion | Masquerading | T1036 | Masquerades files or processes as legitimate ones. |
    | Credential Access | Credential Dumping | T1003 | Dumps credentials from LSASS and other sources. |
    | Credential Access | Brute Force | T1110 | Attempts to brute force passwords for accounts. |
    | Discovery | System Information Discovery | T1082 | Gathers host configuration and system information. |
    | Discovery | Process Discovery | T1057 | Enumerates running processes. |
    | Discovery | File and Directory Discovery | T1083 | Searches for files and directories of interest. |
    | Lateral Movement | Remote Services | T1021 | Uses RDP, SMB, and other services to move laterally. |
    | Lateral Movement | Remote Desktop Protocol | T1021.001 | Specifically uses RDP for lateral movement. |
    | Collection | Screen Capture | T1113 | Takes screenshots of user activity. |
    | Collection | Input Capture | T1056 | Captures user input via keyloggers or other tools. |
    | Command and Control | Application Layer Protocol | T1071 | Uses common protocols (HTTP/S, DNS) for C2. |
    | Command and Control | Web Protocols | T1071.001 | Leverages HTTP/HTTPS for C2 communication. |
    | Exfiltration | Exfiltration Over Web Service | T1567.002 | Exfiltrates data using web services. |
    | Impact | Data Encrypted for Impact | T1486 | Encrypts files to disrupt system availability. |
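    A table like this is most useful once each technique is paired with telemetry that would reveal it. The following is an added example, not code from the original page or any vendor product: it runs three rules, one each for T1547.001 (Run-key persistence), T1053 (scheduled-task creation) and T1003 (access to LSASS), over Sysmon-style events and tags each finding with the technique and tactic from the table. The events are constructed for the example; the field names follow Sysmon's event schema, and the LSASS source allowlist is an assumption to be tuned per environment.

```python
"""Map constructed endpoint telemetry to technique IDs from the table above.

Added example, not code from the original page or any vendor product. Three
rules, one each for T1547.001 (Run-key persistence), T1053 (scheduled task
creation) and T1003 (access to LSASS), are run over Sysmon-style events and
each finding is tagged with the technique and tactic from the table. The
events are constructed for the example; the field names follow Sysmon's event
schema and the LSASS allowlist is an assumption to be tuned per environment.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Callable

# Technique ID -> tactic, as listed in the table above
TACTIC_OF = {"T1547.001": "Persistence", "T1053": "Persistence", "T1003": "Credential Access"}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Processes that legitimately open LSASS in the assumed environment
LSASS_SOURCE_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def rule_run_key(ev: dict) -> bool:
    """Sysmon event 13 (registry value set) under a Run or RunOnce key."""
    return ev.get("EventID") == 13 and bool(RUN_KEY_RE.search(ev.get("TargetObject", "")))


def rule_schtasks(ev: dict) -> bool:
    """Sysmon event 1 (process create) of schtasks.exe asked to create a task."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    return ev.get("EventID") == 1 and image.endswith("\\schtasks.exe") and "/create" in cmd


def rule_lsass_access(ev: dict) -> bool:
    """Sysmon event 10 (process access) targeting lsass.exe from a non-allowlisted source."""
    target = ev.get("TargetImage", "").lower()
    source = ev.get("SourceImage", "").lower()
    return (ev.get("EventID") == 10 and target.endswith("\\lsass.exe")
            and source not in LSASS_SOURCE_ALLOWLIST)


RULES: list[tuple[str, Callable[[dict], bool]]] = [
    ("T1547.001", rule_run_key),
    ("T1053", rule_schtasks),
    ("T1003", rule_lsass_access),
]


def match_events(events: list[dict]) -> list[dict]:
    """One finding per (event, matching rule), tagged with technique and tactic."""
    findings = []
    for ev in events:
        for tid, rule in RULES:
            if rule(ev):
                findings.append({
                    "technique": tid,
                    "tactic": TACTIC_OF[tid],
                    "host": ev.get("Computer"),
                    "event_id": ev.get("EventID"),
                    "detail": ev.get("CommandLine") or ev.get("TargetObject") or ev.get("SourceImage"),
                })
    return findings


def tactic_counts(findings: list[dict]) -> Counter:
    """How many findings fall under each tactic, for a quick triage summary."""
    return Counter(f["tactic"] for f in findings)


# Constructed events: three that match the rules, two benign ones that do not
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Users\u\AppData\Roaming\svc.exe /sc onlogon"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\u\AppData\Local\Temp\t.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 13, "Computer": "WS02", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKCU\Software\Microsoft\Office\16.0\Word\Options\LastSave"},
]

if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for finding in found:
        print(finding)
    print(dict(tactic_counts(found)))
```

    Tagging findings with the table's technique and tactic is what lets a SOC roll detections up to coverage: the tactic counts show at a glance which columns of the table have telemetry behind them and which (for example Collection or Exfiltration here) still do not.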

    Malware Strains Used by APT28

    APT28 employs a diverse arsenal of malware, including both custom-developed and publicly available tools. Some examples include:

    • ADVSTORESHELL: A modular backdoor with various capabilities.
    • Cannon: A Trojan used in spearphishing attacks.
    • CHOPSTICK: A modular implant using HTTP, HTTPS, and other channels for C2.
    • CORESHELL: A backdoor with data exfiltration capabilities.
    • DealersChoice: Malware used in attacks against European government agencies.
    • Downdelph: A backdoor with a bootkit for persistence.
    • Drovorub: Malware used in attacks against various targets.
    • Fysbis: A Linux backdoor.
    • JHUHUGIT: A backdoor with various capabilities.
    • Koadic: A post-exploitation framework.
    • Komplex: A macOS Trojan.
    • LoJax: A UEFI rootkit.
    • Mimikatz: A credential-dumping tool.
    • reGeorg: A web shell.
    • Responder: A tool for NetBIOS Name Service poisoning.
    • USBStealer: A tool for data exfiltration via USB drives.
    • XAgentOSX: macOS malware.
    • XTunnel: A tool for proxy and obfuscation.
    • Zebrocy: Malware with various capabilities.
