APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

ID: G0007
Associated Groups: IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch
Contributors: Sébastien Ruel, CGI; Drew Church, Splunk; Emily Ratliff, IBM; Richard Gold, Digital Shadows
Version: 5.2
Created: 31 May 2017
Last Modified: 10 March 2025

Associated Group Descriptions

Name Description
IRON TWILIGHT

[15][16]

SNAKEMACKEREL

[17]

Swallowtail

[12]

Group 74

[18]

Sednit

This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.[8][7][19][4]

Sofacy

This designation has been used in reporting both to refer to the threat group and its associated malware.[6][7][5][20][4][18]

Pawn Storm

[7][20][21]

Fancy Bear

[5][19][20][4][18][12][22][2]

STRONTIUM

[19][20][23][24][21][2]

Tsar Team

[20][18]

Threat Group-4127

[7]

TG-4127

[7]

Forest Blizzard

[25]

FROZENLAKE

[26]

GruesomeLarch

[27]

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.[12][28]

Enterprise T1557 .004 Adversary-in-the-Middle: Evil Twin

APT28 has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.[14]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

APT28 has performed large-scale scans in an attempt to find vulnerable servers.[29]

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.[30][13]

Enterprise T1213 Data from Information Repositories

APT28 has collected files from various information repositories.[2]

.002 Sharepoint

APT28 has collected information from Microsoft SharePoint services within target networks.[31]

Enterprise T1025 Data from Removable Media

An APT28 backdoor may collect the entire contents of an inserted USB device.[32]

Enterprise T1005 Data from Local System

APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.[33][3][29][2]

Enterprise T1039 Data from Network Shared Drive

APT28 has collected files from network shared drives.[2]

Enterprise T1090 .002 Proxy: External Proxy

APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.[6][34][3]

.003 Proxy: Multi-hop Proxy

APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.[21]

Enterprise T1036 Masquerading

APT28 has renamed the WinRAR utility to avoid detection.[2]

.005 Match Legitimate Name or Location

APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.[2]

Enterprise T1550 .001 Use Alternate Authentication Material: Application Access Token

APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.[35]

.002 Use Alternate Authentication Material: Pass the Hash

APT28 has used pass the hash for lateral movement.[32]

Enterprise T1199 Trusted Relationship

Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.[3]

Enterprise T1598 Phishing for Information

APT28 has used spearphishing to compromise credentials.[36][16]

.003 Spearphishing Link

APT28 has conducted credential phishing campaigns with links that redirect to credential harvesting sites.[37][3][13][14][16]

Enterprise T1190 Exploit Public-Facing Application

APT28 has used a variety of public exploits, including CVE-2020-0688 and CVE-2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.[14][2]

Enterprise T1137 .002 Office Application Startup: Office Test

APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.[38]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.[13]

Enterprise T1140 Deobfuscate/Decode Files or Information

An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.[39][11]

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[40]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT28 has deployed malware that has copied itself to the startup directory for persistence.[21]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT28 downloads and executes PowerShell scripts and performs PowerShell commands.[11][21][2]

.003 Command and Scripting Interpreter: Windows Command Shell

An APT28 loader Trojan uses cmd.exe and a batch script to run its payload.[40] The group has also used macros to execute payloads.[18][41][17][21]

Enterprise T1584 .008 Compromise Infrastructure: Network Devices

APT28 compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages.[26]

Enterprise T1120 Peripheral Device Discovery

APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim system.[32]

Enterprise T1133 External Remote Services

APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts.[2]

Enterprise T1203 Exploitation for Client Execution

APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.[22]

Enterprise T1113 Screen Capture

APT28 has used tools to take screenshots from victims.[42][43][3][16]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.[6][2]

.003 Application Layer Protocol: Mail Protocols

APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.[6][2]

Enterprise T1560 Archive Collected Data

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[3]

.001 Archive via Utility

APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.[2]

Enterprise T1003 OS Credential Dumping

APT28 regularly deploys both publicly available (e.g., Mimikatz) and custom password retrieval tools on victims.[42][3][14]

.001 LSASS Memory

APT28 regularly deploys both publicly available (e.g., Mimikatz) and custom password retrieval tools on victims.[42][3] They have also dumped the LSASS process memory using the MiniDump function.[2]

.003 NTDS

APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.[2]

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

APT28 has harvested users' login credentials.[36]

Enterprise T1030 Data Transfer Size Limits

APT28 has split archived exfiltration files into chunks smaller than 1MB.[2]

Enterprise T1074 .001 Data Staged: Local Data Staging

APT28 has stored captured credential information in a file named pi.log.[32]

.002 Data Staged: Remote Data Staging

APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.[2]

Enterprise T1001 .001 Data Obfuscation: Junk Data

APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[6]

Enterprise T1083 File and Directory Discovery

APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.[33][3]

Enterprise T1110 Brute Force

APT28 can perform brute force attacks to obtain credentials.[29][21][36]

.001 Password Guessing

APT28 has used brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.[24] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.[2]

.003 Password Spraying

APT28 has used brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.[24][36] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.[2]
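The two rates given for this tooling (roughly four attempts per hour per account in spray mode, more than 300 per hour against a single account in brute-force mode) are concrete enough to drive a first-pass detection. The Python below is an added example, not code from MITRE ATT&CK or from any of the cited reports: the log format, every sample event, and the minimum of 20 accounts required before low-rate failures are called a spray are constructed assumptions. Because the page notes that attempts were routed through Tor, commercial VPNs and a Kubernetes cluster, the logic aggregates by targeted account rather than by source address, which that distribution would otherwise defeat.

```python
"""
Added example (not from the ATT&CK page or its cited reports): classify
failed-authentication volume per account into the two modes the page
attributes to APT28's tooling. Aggregation is by *target account*, because
the source addresses are spread over Tor, VPN exits and a Kubernetes cluster.
The log format and all sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the per-account, per-hour rates stated on the page.
BRUTE_FORCE_PER_HOUR = 300
SPRAY_PER_HOUR = 4
# A spray is only visible across many accounts; this minimum is an assumption.
SPRAY_MIN_ACCOUNTS = 20


def _constructed_log():
    """Build sample lines of the form '<ISO timestamp> <source_ip> <account> <result>'."""
    base = datetime(2021, 7, 1, 0, 0, 0)
    lines = []
    # Brute force: 600 failures against one account inside one hour, many source IPs.
    for i in range(600):
        ts = base + timedelta(seconds=i * 6)
        lines.append(f"{ts.isoformat()} 10.{i % 7}.0.{i % 250 + 1} alice FAIL")
    # Spray: three failures per hour against each of 40 accounts, for three hours.
    for acct in range(40):
        for h in range(3):
            for k in range(3):
                ts = base + timedelta(hours=h, minutes=20 * k, seconds=acct)
                lines.append(f"{ts.isoformat()} 192.0.2.{acct % 50 + 1} user{acct:02d} FAIL")
    # Benign noise: a single mistyped password.
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 198.51.100.7 bob FAIL")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(line):
    ts, src, account, result = line.split()
    return datetime.fromisoformat(ts), src, account, result


def failures_per_account_hour(lines):
    """Map account -> {hour bucket: number of failed attempts}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, _src, account, result = parse(line)
        if result != "FAIL":
            continue
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[account][bucket] += 1
    return counts


def classify(lines):
    """Return {'brute_force': [accounts], 'spray_hours': [hour buckets]}."""
    counts = failures_per_account_hour(lines)
    # Brute force: any single account exceeding the hourly threshold.
    brute = sorted(a for a, hrs in counts.items() if max(hrs.values()) > BRUTE_FORCE_PER_HOUR)
    # Spray: within one hour bucket, many distinct accounts each see a low failure count.
    low_rate_accounts_per_hour = defaultdict(set)
    for account, hrs in counts.items():
        for bucket, n in hrs.items():
            if 1 <= n <= SPRAY_PER_HOUR:
                low_rate_accounts_per_hour[bucket].add(account)
    spray_hours = sorted(b for b, accts in low_rate_accounts_per_hour.items()
                         if len(accts) >= SPRAY_MIN_ACCOUNTS)
    return {"brute_force": brute, "spray_hours": spray_hours}


if __name__ == "__main__":
    verdict = classify(SAMPLE_LOG)
    print("brute-force accounts:", verdict["brute_force"])
    print("spray hours:", [b.isoformat() for b in verdict["spray_hours"]])
```

Per-source-IP thresholds would miss both modes here: the brute-force attempts are spread across hundreds of addresses, and each spray source touches only a handful of accounts per hour. Keying on the account (and, for the spray, on how many accounts share the same low rate in the same window) is what makes the pattern visible.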

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.[2]

Enterprise T1078 Valid Accounts

APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to log in to the DCCC network. The group has also leveraged manufacturers' default passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.[44][3][23][2]

.004 Cloud Accounts

APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.[2]

Enterprise T1505 .003 Server Software Component: Web Shell

APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.[2]

Enterprise T1068 Exploitation for Privilege Escalation

APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, and CVE-2017-0263 to escalate privileges.[34][32][22]

Enterprise T1221 Template Injection

APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro.[45]

Enterprise T1189 Drive-by Compromise

APT28 has compromised targets via strategic web compromise utilizing custom exploit kits.[16] APT28 used reflected cross-site scripting (XSS) against government websites to redirect users to phishing webpages.[26]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.[34][39][11][18][17]

Enterprise T1204 .001 User Execution: Malicious Link

APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[14][16]

.002 User Execution: Malicious File

APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.[39][17][16]

Enterprise T1114 .002 Email Collection: Remote Email Collection

APT28 has collected emails from victim Microsoft Exchange servers.[3][2]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security.[5][3]

.004 Indicator Removal: File Deletion

APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.[3]

.006 Indicator Removal: Timestomp

APT28 has performed timestomping on victim files.[5]

Enterprise T1528 Steal Application Access Token

APT28 has used several malicious applications to steal user OAuth access tokens, including applications masquerading as "Google Defender," "Google Email Protection," and "Google Scanner" for Gmail users. They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection".[35]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.[5][34][11][40][13][2]

Enterprise T1040 Network Sniffing

APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[6][46] APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.[14]

Enterprise T1498 Network Denial of Service

In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.[14]

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT28 has used Google Drive for C2.[21]

Enterprise T1119 Automated Collection

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[3]

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.[6][14][37]

.003 Acquire Infrastructure: Virtual Private Server

APT28 hosted phishing domains on free services for brief periods of time during campaigns.[26]

.006 Acquire Infrastructure: Web Services

APT28 has used newly-created Blogspot pages for credential harvesting operations.[37]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.[11][22][46]

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[47]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

APT28 has used compromised email accounts to send credential phishing emails.[37]

Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

APT28 has used a PowerShell cmdlet to grant the ApplicationImpersonation role to a compromised account.[2]

Enterprise T1105 Ingress Tool Transfer

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[34][40][17][21][2]

Enterprise T1056 .001 Input Capture: Keylogging

APT28 has used tools to perform keylogging.[32][3][21]

Enterprise T1057 Process Discovery

An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.[40]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.[48][49][11]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

APT28 has mapped network drives using Net and administrator credentials.[2]

Enterprise T1210 Exploitation of Remote Services

APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.[6][46][50]

Enterprise T1091 Replication Through Removable Media

APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.[32]

Enterprise T1092 Communication Through Removable Media

APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted.[32]

Enterprise T1567 Exfiltration Over Web Service

APT28 can exfiltrate data over Google Drive.[21]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.[39][10][11][3][22][17][21][16]

Enterprise T1211 Exploitation for Defense Evasion

APT28 has used CVE-2015-4902 to bypass security features.[34][32]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

APT28 has saved files with hidden file attributes.[18]

.003 Hide Artifacts: Hidden Window

APT28 has used the WindowStyle parameter to conceal PowerShell windows.[11][48]
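Several entries above record concrete command lines or registry paths: wevtutil cl System and wevtutil cl Security (T1070.001), certutil -decode (T1140), rundll32.exe "C:\Windows\twain_64.dll" (T1218.011), ntdsutil.exe (T1003.003), the PowerShell WindowStyle parameter (T1564.003), the Office Test key HKCU\Software\Microsoft\Office test\Special\Perf (T1137.002), HKCU\Environment\UserInitMprLogonScript (T1037.001) and Forfiles (T1083). The Python below is an added example, not code from MITRE ATT&CK or from any cited report: it turns those details into process-creation detection rules and runs them over constructed sample events. The event format, hostnames, file paths and command lines are all constructed, and the decision to flag rundll32 only when the DLL sits directly under the Windows directory (rather than System32) is an assumption made for this example, generalising from the single twain_64.dll instance on the page.

```python
"""
Added example (not from MITRE ATT&CK or the reports it cites): command-line
detection rules derived from the APT28 technique entries on this page, run
over constructed process-creation events. Event format, hosts, paths and
command lines below are all constructed for illustration.
"""
import re
from collections import defaultdict

# (ATT&CK ID from the page, label, regex over the process command line)
RULES = [
    ("T1070.001", "Clear Windows Event Logs via wevtutil cl",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1140", "certutil -decode used to unpack a payload",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I)),
    # Assumption for this example: a DLL directly under the Windows directory
    # (like twain_64.dll on the page) is suspicious; System32 DLLs are not flagged.
    ("T1218.011", "rundll32 loading a DLL from the Windows directory root",
     re.compile(r'\brundll32(\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll', re.I)),
    ("T1003.003", "ntdsutil invoked (Active Directory database export)",
     re.compile(r"\bntdsutil(\.exe)?\b", re.I)),
    ("T1564.003", "PowerShell launched with a hidden window",
     re.compile(r"\bpowershell(\.exe)?\b.*-w(indowstyle)?\s+hidden\b", re.I)),
    ("T1137.002", "Office Test persistence key written",
     re.compile(r"software\\microsoft\\office test\\special\\perf", re.I)),
    ("T1037.001", "UserInitMprLogonScript logon script set",
     re.compile(r"\benvironment\b.*userinitmprlogonscript", re.I)),
    ("T1083", "Forfiles used to locate office documents",
     re.compile(r"\bforfiles(\.exe)?\b.*\.(pdf|docx?|xlsx?)\b", re.I)),
]

# Constructed sample events: (timestamp, host, command line). The last two are
# benign look-alikes (a System32 DLL, a log query rather than a clear) that must not fire.
SAMPLE_EVENTS = [
    ("2016-06-01T02:11:03", "WKS-07", "wevtutil cl System"),
    ("2016-06-01T02:11:04", "WKS-07", "wevtutil cl Security"),
    ("2016-06-01T02:15:40", "WKS-07", 'rundll32.exe "C:\\Windows\\twain_64.dll"'),
    ("2016-06-01T02:16:12", "WKS-07",
     "certutil -decode C:\\Users\\Public\\stage.txt C:\\Users\\Public\\stage.exe"),
    ("2016-06-01T02:20:00", "WKS-07",
     "powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\run.ps1"),
    ("2016-06-01T02:25:00", "WKS-07",
     'reg add "HKCU\\Software\\Microsoft\\Office test\\Special\\Perf" /v Default /t REG_SZ /d C:\\Users\\Public\\p.dll'),
    ("2016-06-01T02:26:00", "WKS-07",
     "reg add HKCU\\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\\Users\\Public\\l.bat"),
    ("2016-06-01T02:30:00", "DC-01", "ntdsutil.exe ifm"),
    ("2016-06-01T02:31:00", "WKS-07",
     'forfiles /P C:\\Users /S /M *.docx /C "cmd /c echo @path"'),
    ("2016-06-01T03:00:00", "WKS-07",
     "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ("2016-06-01T03:01:00", "WKS-07", "wevtutil qe Security /c:5 /f:text"),
]


def match_events(events):
    """Return (timestamp, host, technique_id, label) for every rule that fires."""
    hits = []
    for ts, host, cmdline in events:
        for tid, label, rx in RULES:
            if rx.search(cmdline):
                hits.append((ts, host, tid, label))
    return hits


def techniques_by_host(events):
    """Collapse hits into host -> sorted list of technique IDs observed."""
    seen = defaultdict(set)
    for _ts, host, tid, _label in match_events(events):
        seen[host].add(tid)
    return {host: sorted(tids) for host, tids in seen.items()}


if __name__ == "__main__":
    for ts, host, tid, label in match_events(SAMPLE_EVENTS):
        print(f"{ts} {host} {tid} {label}")
    print(techniques_by_host(SAMPLE_EVENTS))
```

Grouping hits per host is the useful output here: a single forfiles or certutil invocation is routine administration, but the same workstation showing log clearing, a hidden PowerShell window, a decoded payload and an Office Test key within minutes is the shape of activity the entries above describe, and that cluster is what an analyst should be paged on.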

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[20]

Software

ID Name References Techniques
S0045 ADVSTORESHELL [19][22] Event Triggered Execution: Component Object Model Hijacking, Modify Registry, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Application Layer Protocol: Web Protocols, Archive Collected Data, Archive Collected Data: Archive via Custom Method, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, Input Capture: Keylogging, Process Discovery, Exfiltration Over C2 Channel, Scheduled Transfer
S0351 Cannon [41][45] Boot or Logon Autostart Execution: Winlogon Helper DLL, Screen Capture, Application Layer Protocol: Mail Protocols, File and Directory Discovery, System Information Discovery, System Owner/User Discovery, System Time Discovery, Ingress Tool Transfer, Process Discovery, Exfiltration Over C2 Channel
S0160 certutil [39][2] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0023 CHOPSTICK [6][19][22][16] Proxy: Internal Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Dynamic Resolution: Domain Generation Algorithms, Command and Scripting Interpreter, Fallback Channels, Screen Capture, Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, File and Directory Discovery, Query Registry, Obfuscated Files or Information: Fileless Storage, Virtualization/Sandbox Evasion, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Replication Through Removable Media, Communication Through Removable Media
S0137 CORESHELL [6][16] Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Data Encoding: Standard Encoding, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, System Binary Proxy Execution: Rundll32, System Information Discovery, Ingress Tool Transfer
S0243 DealersChoice [10][16] Command and Scripting Interpreter: Windows Command Shell, Exploitation for Client Execution, Application Layer Protocol: Web Protocols
S0134 Downdelph [20][16] Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Search Order Hijacking, Data Obfuscation: Junk Data, Abuse Elevation Control Mechanism: Bypass User Account Control, Ingress Tool Transfer
S0502 Drovorub [1] Rootkit, Data from Local System, Proxy: Internal Proxy, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Kernel Modules and Extensions, Command and Scripting Interpreter: Unix Shell, Application Layer Protocol: Web Protocols, Obfuscated Files or Information, Indicator Removal: File Deletion, Ingress Tool Transfer, Exfiltration Over C2 Channel, Non-Application Layer Protocol
S0193 Forfiles [33] Data from Local System, File and Directory Discovery, Indirect Command Execution
S0410 Fysbis [51] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Create or Modify System Process: Systemd Service, Boot or Logon Autostart Execution: XDG Autostart Entries, Command and Scripting Interpreter: Unix Shell, Data Encoding: Standard Encoding, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, Input Capture: Keylogging, Process Discovery
S0135 HIDEDRV [20] Rootkit, Process Injection: Dynamic-link Library Injection
S0044 JHUHUGIT [8][19][22][14][16] Event Triggered Execution: Component Object Model Hijacking, Create or Modify System Process: Windows Service, Clipboard Data, Boot or Logon Initialization Scripts: Logon Script (Windows), Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Screen Capture, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Exploitation for Privilege Escalation, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Scheduled Task/Job: Scheduled Task
S0250 Koadic [11] Windows Management Instrumentation, Data from Local System, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, File and Directory Discovery, Abuse Elevation Control Mechanism: Bypass User Account Control, System Binary Proxy Execution: Mshta, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Ingress Tool Transfer, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Hide Artifacts: Hidden Window, Scheduled Task/Job: Scheduled Task
S0162 Komplex [43][52][16] Create or Modify System Process: Launch Agent, Encrypted Channel: Symmetric Cryptography, Application Layer Protocol: Web Protocols, Indicator Removal: File Deletion, System Owner/User Discovery, Process Discovery, Hide Artifacts: Hidden Files and Directories
S0397 LoJax [28] Rootkit, Modify Registry, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Hide Artifacts: NTFS File Attributes, Pre-OS Boot: System Firmware
S0002 Mimikatz [19] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [2] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0138 OLDBAIT [6] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Masquerading: Match Legitimate Name or Location, Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, Obfuscated Files or Information
S0174 Responder [46][14] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing
S0183 Tor [2] Proxy: Multi-hop Proxy, Encrypted Channel: Asymmetric Cryptography
S0136 USBStealer [20] Data from Removable Media, Masquerading: Match Legitimate Name or Location, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Peripheral Device Discovery, Data Staged: Local Data Staging, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Automated Collection, Automated Exfiltration, Replication Through Removable Media, Communication Through Removable Media, Exfiltration Over Physical Medium: Exfiltration over USB
S0645 Wevtutil [5] Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs
S0191 Winexe [33][16] System Services: Service Execution
S0314 X-Agent for Android [53] Location Tracking, Masquerading: Match Legitimate Name or Location
S0161 XAgentOSX [43][12][14] Credentials from Password Stores: Credentials from Web Browsers, Screen Capture, Application Layer Protocol: File Transfer Protocols, File and Directory Discovery, Native API, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, Input Capture: Keylogging, Process Discovery
S0117 XTunnel [20][12][14][16] Proxy, Encrypted Channel: Asymmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Unsecured Credentials: Credentials In Files, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Network Service Discovery
S0251 Zebrocy [11][41][22][45][13] Windows Management Instrumentation, Credentials from Password Stores: Credentials from Web Browsers, Encrypted Channel: Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Initialization Scripts: Logon Script (Windows), Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, Archive Collected Data, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, File and Directory Discovery, Query Registry, Obfuscated Files or Information: Software Packing, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Automated Collection, Ingress Tool Transfer, Input Capture: Credential API Hooking, Process Discovery, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task

References

  1. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  2. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  3. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
  4. Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
  5. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  6. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
  7. SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
  8. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.
  9. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  10. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  11. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  12. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  13. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  14. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
  15. Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.
  16. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
  17. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  18. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  19. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  20. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  21. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  22. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  23. MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
  24. Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
  25. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  26. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  27. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  28. ESET. (2018, September). LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  29. Hacquebord, F. (n.d.). Pawn Storm in 2019: A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020.
  30. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  31. Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.
  32. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  33. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  34. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  35. Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.
  36. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
  37. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
  38. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  39. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  40. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  41. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  42. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  43. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  44. Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
  45. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  46. Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
  47. FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
  48. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
  49. Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.
  50. Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017.
  51. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
  52. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  53. CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.