APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
Name | Description |
---|---|
IRON TWILIGHT | |
SNAKEMACKEREL | |
Swallowtail | |
Group 74 | |
Sednit |
This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.[8][7][19][4] |
Sofacy |
This designation has been used in reporting both to refer to the threat group and its associated malware.[6][7][5][20][4][18] |
Pawn Storm | |
Fancy Bear | |
STRONTIUM | |
Tsar Team | |
Threat Group-4127 | |
TG-4127 |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | .001 | Access Token Manipulation: Token Impersonation/Theft |
APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[25] |
Enterprise | T1098 | .002 | Account Manipulation: Additional Email Delegate Permissions |
APT28 has used a Powershell cmdlet to grant the |
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.[6][14][26] |
.006 | Acquire Infrastructure: Web Services |
APT28 has used newly-created Blogspot pages for credential harvesting operations.[26] |
||
Enterprise | T1595 | .002 | Active Scanning: Vulnerability Scanning |
APT28 has performed large-scale scans in an attempt to find vulnerable servers.[27] |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.[6][2] |
.003 | Application Layer Protocol: Mail Protocols |
APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.[6][2] |
||
Enterprise | T1560 | Archive Collected Data |
APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[3] |
|
.001 | Archive via Utility |
APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.[2] |
||
Enterprise | T1119 | Automated Collection |
APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[3] |
|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
APT28 has deployed malware that has copied itself to the startup directory for persistence.[21] |
Enterprise | T1037 | .001 | Boot or Logon Initialization Scripts: Logon Script (Windows) |
An APT28 loader Trojan adds the Registry key |
Enterprise | T1110 | Brute Force |
APT28 can perform brute force attacks to obtain credentials.[27][21][29] |
|
.001 | Password Guessing |
APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.[24] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.[2] |
||
.003 | Password Spraying |
APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.[24][29] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.[2] |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
APT28 downloads and executes PowerShell scripts and performs PowerShell commands.[11][21][2] |
.003 | Command and Scripting Interpreter: Windows Command Shell |
An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.[28] The group has also used macros to execute payloads.[18][30][17][21] |
||
Enterprise | T1092 | Communication Through Removable Media |
APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to network-connected computer when the USB is inserted.[31] |
|
Enterprise | T1586 | .002 | Compromise Accounts: Email Accounts |
APT28 has used compromised email accounts to send credential phishing emails.[26] |
Enterprise | T1213 | Data from Information Repositories |
APT28 has collected files from various information repositories.[2] |
|
.002 | Sharepoint |
APT28 has collected information from Microsoft SharePoint services within target networks.[32] |
||
Enterprise | T1005 | Data from Local System |
APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.[33][3][27][2] |
|
Enterprise | T1039 | Data from Network Shared Drive | ||
Enterprise | T1025 | Data from Removable Media |
An APT28 backdoor may collect the entire contents of an inserted USB device.[31] |
|
Enterprise | T1001 | .001 | Data Obfuscation: Junk Data |
APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[6] |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
APT28 has stored captured credential information in a file named pi.log.[31] |
.002 | Data Staged: Remote Data Staging |
APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.[2] |
||
Enterprise | T1030 | Data Transfer Size Limits |
APT28 has split archived exfiltration files into chunks smaller than 1MB.[2] |
|
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
An APT28 macro uses the command |
|
Enterprise | T1189 | Drive-by Compromise |
APT28 has compromised targets via strategic web compromise utilizing custom exploit kits.[16] |
|
Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
APT28 has collected emails from victim Microsoft Exchange servers.[3][2] |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.[13] |
Enterprise | T1546 | .015 | Event Triggered Execution: Component Object Model Hijacking |
APT28 has used COM hijacking for persistence by replacing the legitimate |
Enterprise | T1048 | .002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.[2] |
Enterprise | T1567 | Exfiltration Over Web Service | ||
Enterprise | T1190 | Exploit Public-Facing Application |
APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.[14][2] |
|
Enterprise | T1203 | Exploitation for Client Execution |
APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.[22] |
|
Enterprise | T1211 | Exploitation for Defense Evasion |
APT28 has used CVE-2015-4902 to bypass security features.[36][31] |
|
Enterprise | T1068 | Exploitation for Privilege Escalation |
APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges.[36][31][22] |
|
Enterprise | T1210 | Exploitation of Remote Services |
APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.[6][37][38] |
|
Enterprise | T1133 | External Remote Services |
APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts.[2] |
|
Enterprise | T1083 | File and Directory Discovery |
APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.[33][3] |
|
Enterprise | T1589 | .001 | Gather Victim Identity Information: Credentials | |
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories | |
.003 | Hide Artifacts: Hidden Window |
APT28 has used the WindowStyle parameter to conceal PowerShell windows.[11] [39] |
||
Enterprise | T1070 | .001 | Indicator Removal on Host: Clear Windows Event Logs |
APT28 has cleared event logs, including by using the commands |
.004 | Indicator Removal on Host: File Deletion |
APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.[3] |
||
.006 | Indicator Removal on Host: Timestomp | |||
Enterprise | T1105 | Ingress Tool Transfer |
APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[36][28][17][21][2] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging | |
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.[39][40][11] |
Enterprise | T1036 | Masquerading | ||
.005 | Match Legitimate Name or Location |
APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.[2] |
||
Enterprise | T1498 | Network Denial of Service |
In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.[14] |
|
Enterprise | T1040 | Network Sniffing |
APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[6][37] APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.[14] |
|
Enterprise | T1027 | Obfuscated Files or Information |
APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.[36][34][11][18][17] |
|
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.[11][22][37] |
Enterprise | T1137 | .002 | Office Application Startup: Office Test |
APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key |
Enterprise | T1003 | OS Credential Dumping |
APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.[42][3][14] |
|
.001 | LSASS Memory |
APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.[42][3] They have also dumped the LSASS process memory using the MiniDump function.[2] |
||
.003 | NTDS |
APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.[2] |
||
Enterprise | T1120 | Peripheral Device Discovery |
APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.[31] |
|
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.[34][10][11][3][22][17][21][16] |
.002 | Phishing: Spearphishing Link |
APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.[3][13][14][16] |
||
Enterprise | T1598 | Phishing for Information |
APT28 has used spearphishing to compromise credentials.[29][16] |
|
.003 | Spearphishing Link |
APT28 has conducted credential phishing campaigns with embedded links to attacker-controlled domains.[26] |
||
Enterprise | T1542 | .003 | Pre-OS Boot: Bootkit |
APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[20] |
Enterprise | T1057 | Process Discovery |
An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.[28] |
|
Enterprise | T1090 | .002 | Proxy: External Proxy |
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.[6][36][3] |
.003 | Proxy: Multi-hop Proxy |
APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.[21] |
||
Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
APT28 has mapped network drives using Net and administrator credentials.[2] |
Enterprise | T1091 | Replication Through Removable Media |
APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.[31] |
|
Enterprise | T1014 | Rootkit |
APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.[12][43] |
|
Enterprise | T1113 | Screen Capture |
APT28 has used tools to take screenshots from victims.[42][44][3][16] |
|
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.[2] |
Enterprise | T1528 | Steal Application Access Token |
APT28 has used several malicious applications to steal user OAuth access tokens including applications masquerading as "Google Defender" "Google Email Protection," and "Google Scanner" for Gmail users. They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection".[45] |
|
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
APT28 executed CHOPSTICK by using rundll32 commands such as |
Enterprise | T1221 | Template Injection |
APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. [46] |
|
Enterprise | T1199 | Trusted Relationship |
Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.[3] |
|
Enterprise | T1550 | .001 | Use Alternate Authentication Material: Application Access Token |
APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.[45] |
.002 | Use Alternate Authentication Material: Pass the Hash | |||
Enterprise | T1204 | .001 | User Execution: Malicious Link |
APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[14][16] |
.002 | User Execution: Malicious File |
APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.[34][17][16] |
||
Enterprise | T1078 | Valid Accounts |
APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.[47][3][23][2] |
|
.004 | Cloud Accounts |
APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.[2] |
||
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |