Overview
APT28, also known as Fancy Bear, is a sophisticated and prolific advanced persistent threat (APT) group strongly linked to the Russian Main Intelligence Directorate (GRU). Active since at least 2004, the group’s operations are characterized by persistent, long-term campaigns focused on espionage and information theft, targeting governments, military organizations, the energy sector, and media outlets. While initially focusing on geopolitical targets, APT28’s activities broadened to include high-profile attacks aimed at influencing elections and disseminating stolen information. Recent activity shows a renewed focus on Ukraine and its allies following the 2022 Russian invasion. While not primarily a ransomware group, understanding their tactics and techniques is crucial due to their advanced capabilities and potential for adaptation.
Known Aliases
APT28, Pawn Storm, Fancy Bear, Sednit, SNAKEMACKEREL, TsarTeam, TG-4127, STRONTIUM, Swallowtail, IRON TWILIGHT, Group 74, SIG40, Grizzly Steppe, G0007, ATK5, Fighting Ursa, ITG05, Blue Athena, TA422, APT-C-20, UAC-0028, FROZENLAKE, Sofacy, Forest Blizzard, BlueDelta, Group-4127, Grey-Cloud, T-APT12, TAG-0700, Threat Group-4127
Country of Origin
Russian Federation. Evidence points to a strong affiliation with Unit 26165 of the GRU, Russia’s military intelligence agency.
Known High-Profile Victims/Most Recent Attacks of APT28 Ransomware
- 2016 US Presidential Election Interference
  - APT28 compromised the Democratic National Committee (DNC) and other related organizations, stealing and leaking sensitive information. This is considered one of their most notorious attacks.
- World Anti-Doping Agency (WADA) Breach (2016)
  - The group infiltrated WADA’s database, releasing medical data of numerous Olympic athletes, including Simone Biles and the Williams sisters.
- Attacks against the Georgian government (post-2008 war)
  - APT28 targeted the Ministry of Internal Affairs and Ministry of Defence to gather intelligence on diplomatic relations and security strategy.
- Attacks against the Dutch Safety Board (DSB) and Bellingcat (2015–2016)
  - Attempts were made to gather information related to the investigation of the MH17 tragedy. These attempts are believed to have been unsuccessful.
- Attempts to interfere in the 2017 Dutch elections
  - Hundreds of Dutch government employees were targeted with phishing emails during a campaign of electoral interference.
- Attack against the Organization for the Prohibition of Chemical Weapons (OPCW) (2018)
  - This attempted intrusion by APT28 was thwarted by Dutch intelligence services, who intercepted four Russian operatives near OPCW headquarters.
- Exploitation of the “Follina” vulnerability (CVE-2022-30190) (2022)
  - APT28 leveraged the Follina vulnerability to distribute the CredoMap credential stealer, targeting Ukraine and its allies through malicious documents.
- APT28 Nearest Neighbor Campaign (2022–2024)
  - This campaign involved the use of nearby Wi-Fi networks for covert system access, using techniques like password spraying and credential harvesting.
Common Methods of Infiltration of APT28 Ransomware
APT28 primarily uses spearphishing campaigns as the initial vector for infiltration. These campaigns often involve emails containing malicious attachments (Microsoft Office documents, RAR archives) or links leading to malicious websites. Once initial access is gained, the group leverages various techniques to move laterally within the network, escalate privileges, and exfiltrate data. The malware strains listed below are used at various stages of their attacks.
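Office attachments are the common thread between the spearphishing described above and the Follina (CVE-2022-30190) documents listed earlier, which pull their payload through an external relationship inside the .docx container. The triage script below is an added example, not code from the original page or from any vendor: it unpacks a document, lists every relationship marked TargetMode="External", and blocks documents whose targets use schemes that a normal document never needs. The sample documents are constructed in memory; the relationship type URIs are the standard OOXML ones, and the scheme list and verdict labels are this example's own choices.

```python
"""Flag Office documents with external relationships, the hook used by
Follina-style maldocs to reach a remote stage. Samples are constructed."""
import io
import re
import zipfile

# Schemes a benign document has no reason to reference from a relationship.
SUSPICIOUS_SCHEMES = ("ms-msdt:", "mhtml:", "file:", "\\\\")
NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

REL_RE = re.compile(r"<Relationship\b([^>]*)>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def external_targets(docx_bytes):
    """Return (part, short relationship type, target) for every external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for rel in REL_RE.finditer(xml):
                attrs = dict(ATTR_RE.findall(rel.group(1)))
                if attrs.get("TargetMode") == "External":
                    rtype = attrs.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, attrs.get("Target", "")))
    return found

def assess(docx_bytes):
    """'block' for a suspicious scheme or a remote oleObject, 'review' for any
    other external target, 'clean' when the document stays self-contained."""
    ext = external_targets(docx_bytes)
    for _, rtype, target in ext:
        t = target.lower()
        if t.startswith(SUSPICIOUS_SCHEMES) or (rtype == "oleObject" and t.startswith("http")):
            return "block"
    return "review" if ext else "clean"

def build_docx(rels_xml):
    """Construct a minimal .docx whose document.xml.rels is rels_xml (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

CLEAN = build_docx(f'<Relationships><Relationship Id="rId1" Type="{NS}styles" Target="styles.xml"/></Relationships>')
REMOTE_OLE = build_docx(f'<Relationships><Relationship Id="rId5" Type="{NS}oleObject" Target="http://example.invalid/stage.html" TargetMode="External"/></Relationships>')
```

In a mail gateway the same check runs on every Office attachment before delivery; a "review" verdict still deserves a human look, since legitimate external hyperlinks and remote templates also show up as external relationships.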
MITRE ATT&CK Tactics and Techniques Used by APT28 Ransomware
APT28 utilizes a wide range of MITRE ATT&CK tactics and techniques, demonstrating a high level of sophistication and adaptability. Some key techniques include:
Tactic | Technique | Technique ID | Description |
---|---|---|---|
Initial Access | Spearphishing Attachment | T1566.001 | APT28 uses malicious attachments in phishing emails to deliver malware. |
Initial Access | Spearphishing Link | T1566.002 | Delivers malware via links in phishing emails. |
Execution | Command and Scripting Interpreter | T1059 | Executes scripts via cmd, PowerShell, and other interpreters. |
Execution | User Execution | T1204 | Requires user interaction, such as opening a file or link. |
Persistence | Boot or Logon Autostart Execution | T1547 | Creates entries to run malware on startup. |
Persistence | Scheduled Task/Job | T1053 | Creates scheduled tasks for persistence or execution. |
Persistence | Registry Run Keys / Startup Folder | T1547.001 | Uses registry keys to maintain persistence. |
Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Exploits software vulnerabilities to elevate privileges. |
Defense Evasion | Obfuscated Files or Information | T1027 | Uses obfuscation to hide malicious code. |
Defense Evasion | Masquerading | T1036 | Masquerades files or processes as legitimate ones. |
Credential Access | Credential Dumping | T1003 | Dumps credentials from LSASS and other sources. |
Credential Access | Brute Force | T1110 | Attempts to brute force passwords for accounts. |
Discovery | System Information Discovery | T1082 | Gathers host configuration and system information. |
Discovery | Process Discovery | T1057 | Enumerates running processes. |
Discovery | File and Directory Discovery | T1083 | Searches for files and directories of interest. |
Lateral Movement | Remote Services | T1021 | Uses RDP, SMB, and other services to move laterally. |
Lateral Movement | Remote Desktop Protocol | T1021.001 | Specifically uses RDP for lateral movement. |
Collection | Screen Capture | T1113 | Takes screenshots of user activity. |
Collection | Input Capture | T1056 | Captures user input via keyloggers or other tools. |
Command and Control | Application Layer Protocol | T1071 | Uses common protocols (HTTP/S, DNS) for C2. |
Command and Control | Web Protocols | T1071.001 | Leverages HTTP/HTTPS for C2 communication. |
Exfiltration | Exfiltration Over Web Service | T1567.002 | Exfiltrates data using web services. |
Impact | Data Encrypted for Impact | T1486 | Encrypts files to disrupt system availability. |
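The Brute Force row (T1110) and the Nearest Neighbor campaign's password spraying share one signature in authentication logs: a single source failing against many different accounts a few times each, rather than one account many times. The detector below is an added example written for this page, not tooling from any vendor or from the group's reporting; the log lines are constructed and only mimic the shape of Windows failed (4625) and successful (4624) logon records, and the window and account thresholds are illustrative.

```python
"""Password-spray detector over constructed failed-logon records (shape of
Windows Event ID 4625/4624: timestamp, event id, account, source address)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

SAMPLE_LOG = """\
2024-03-01T09:00:01 4625 user=alice src=10.0.5.23
2024-03-01T09:00:02 4625 user=bob src=10.0.5.23
2024-03-01T09:00:03 4625 user=carol src=10.0.5.23
2024-03-01T09:00:04 4625 user=dave src=10.0.5.23
2024-03-01T09:00:05 4625 user=erin src=10.0.5.23
2024-03-01T09:00:06 4624 user=erin src=10.0.5.23
2024-03-01T09:00:07 4625 user=alice src=10.0.7.9
2024-03-01T09:00:08 4625 user=alice src=10.0.7.9
2024-03-01T09:00:09 4625 user=alice src=10.0.7.9
2024-03-01T09:20:00 4625 user=frank src=10.0.5.23
"""
LINE_RE = re.compile(r"^(\S+) (\d{4}) user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (timestamp, event_id, user, src); unparsable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), int(m[2]), m[3].lower(), m[4]

def find_sprays(log, window=timedelta(minutes=10), min_users=5):
    """{src: sorted users} for sources failing against >= min_users distinct accounts in one window."""
    by_src = defaultdict(list)
    for ts, eid, user, src in parse(log):
        if eid == 4625:
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        lo = 0
        for hi in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            users = {u for _, u in fails[lo:hi + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

def successes_from_sprayers(log, **kw):
    """Accounts with a later successful logon from a spraying source: likely compromised credentials."""
    sprayers = find_sprays(log, **kw)
    return sorted({u for _, eid, u, src in parse(log) if eid == 4624 and src in sprayers})
```

The single-account hammering from 10.0.7.9 is deliberately not flagged, since a spray is defined by breadth of accounts; a lockout-based brute-force rule would catch that pattern instead.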
Malware Strains Used by APT28 Ransomware
APT28 employs a diverse arsenal of malware, including both custom-developed tools and publicly available tools. Some examples include:
- ADVSTORESHELL: A modular backdoor with various capabilities.
- Cannon: A Trojan used in spearphishing attacks.
- CHOPSTICK: A modular implant using HTTP, HTTPS, and other channels for C2.
- CORESHELL: A backdoor with data exfiltration capabilities.
- DealersChoice: Malware used in attacks against European government agencies.
- Downdelph: A backdoor with a bootkit for persistence.
- Drovorub: Malware used in attacks against various targets.
- Fysbis: A Linux backdoor.
- JHUHUGIT: A backdoor with various capabilities.
- Koadic: A post-exploitation framework.
- Komplex: A macOS Trojan.
- LoJax: A UEFI rootkit.
- Mimikatz: A credential-dumping tool.
- reGeorg: A web shell.
- Responder: A tool for NetBIOS Name Service poisoning.
- USBStealer: A tool for data exfiltration via USB drives.
- XAgentOSX: A macOS malware.
- XTunnel: A tool for proxy and obfuscation.
- Zebrocy: Malware with various capabilities.