G0007 · 92 ATT&CK techniques · 7 correlated reports

APT28

Aliases: IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.


ATT&CK techniques

T1003.003: NTDS
T1589.001: Credentials
T1564.001: Hidden Files and Directories
T1583.003: Virtual Private Server
T1583.001: Domains
T1070.006: Timestomp
T1090.002: External Proxy
T1566.001: Spearphishing Attachment
T1059.001: PowerShell
T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1547.001: Registry Run Keys / Startup Folder
T1027.013: Encrypted/Encoded File
T1203: Exploitation for Client Execution
T1586.002: Email Accounts
T1114.002: Remote Email Collection
T1505.003: Web Shell
T1584.008: Network Devices
T1550.002: Pass the Hash
T1037.001: Logon Script (Windows)
T1588.002: Tool
T1564.003: Hidden Window
T1090.003: Multi-hop Proxy
T1567: Exfiltration Over Web Service
T1056.001: Keylogging
T1083: File and Directory Discovery
T1190: Exploit Public-Facing Application
T1039: Data from Network Shared Drive
T1113: Screen Capture
T1110.001: Password Guessing
T1070.001: Clear Windows Event Logs
T1583.006: Web Services
T1057: Process Discovery
T1189: Drive-by Compromise
T1595.002: Vulnerability Scanning
T1546.015: Component Object Model Hijacking
T1199: Trusted Relationship
T1120: Peripheral Device Discovery
T1059.003: Windows Command Shell
T1557.004: Evil Twin
T1498: Network Denial of Service
T1070.004: File Deletion
T1560: Archive Collected Data
T1105: Ingress Tool Transfer
T1598: Phishing for Information
T1559.002: Dynamic Data Exchange
T1036.005: Match Legitimate Name or Location
T1119: Automated Collection
T1078.004: Cloud Accounts
T1221: Template Injection
T1005: Data from Local System
T1213.002: Sharepoint
T1078: Valid Accounts
T1025: Data from Removable Media
T1071.001: Web Protocols
T1213: Data from Information Repositories
T1218.011: Rundll32
T1560.001: Archive via Utility
T1140: Deobfuscate/Decode Files or Information
T1598.003: Spearphishing Link
T1542.003: Bootkit
T1071.003: Mail Protocols
T1036: Masquerading
T1210: Exploitation of Remote Services
T1014: Rootkit
T1204.002: Malicious File
T1550.001: Application Access Token
T1030: Data Transfer Size Limits
T1134.001: Token Impersonation/Theft
T1074.002: Remote Data Staging
T1092: Communication Through Removable Media
T1098.002: Additional Email Delegate Permissions
T1003: OS Credential Dumping
T1040: Network Sniffing
T1068: Exploitation for Privilege Escalation
T1137.002: Office Test
T1528: Steal Application Access Token
T1110.003: Password Spraying
T1204.001: Malicious Link
T1133: External Remote Services
T1102.002: Bidirectional Communication
T1001.001: Junk Data
T1211: Exploitation for Defense Evasion
T1003.001: LSASS Memory
T1573.001: Symmetric Cryptography
T1074.001: Local Data Staging
T1091: Replication Through Removable Media
T1110: Brute Force
T1021.002: SMB/Windows Admin Shares
T1566.002: Spearphishing Link
T1059: Command and Scripting Interpreter
T1082: System Information Discovery
T1033: System Owner/User Discovery
