G0007 APT28

APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.2322 This group has been active since at least 2004.21112102495816276

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.2 In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.4 Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Item Value
ID G0007
Associated Names IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch
Version 5.2
Created 31 May 2017
Last Modified 10 March 2025

Associated Group Descriptions

Name Description
IRON TWILIGHT 2625
SNAKEMACKEREL 1
Swallowtail 27
Group 74 17
Sednit This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.9241411
Sofacy This designation has been used in reporting both to refer to the threat group and its associated malware.1024271117
Pawn Storm 24712
Fancy Bear 21471117271322
STRONTIUM 14720191222
Tsar Team 71717
Threat Group-4127 24
TG-4127 24
Forest Blizzard 18
FROZENLAKE 3
GruesomeLarch 15

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.52
enterprise T1098 Account Manipulation -
enterprise T1098.002 Additional Email Delegate Permissions APT28 has used a PowerShell cmdlet to grant the ApplicationImpersonation role to a compromised account.22
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.10431
enterprise T1583.003 Virtual Private Server APT28 hosted phishing domains on free services for brief periods of time during campaigns.3
enterprise T1583.006 Web Services APT28 has used newly-created Blogspot pages for credential harvesting operations.31
enterprise T1595 Active Scanning -
enterprise T1595.002 Vulnerability Scanning APT28 has performed large-scale scans in an attempt to find vulnerable servers.42
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.004 Evil Twin APT28 has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.4
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.1022
enterprise T1071.003 Mail Protocols APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.1022
enterprise T1560 Archive Collected Data APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.21
enterprise T1560.001 Archive via Utility APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.22
enterprise T1119 Automated Collection APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.21
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT28 has deployed malware that has copied itself to the startup directory for persistence.12
enterprise T1037 Boot or Logon Initialization Scripts -
enterprise T1037.001 Logon Script (Windows) An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.35
enterprise T1110 Brute Force APT28 can perform brute force attacks to obtain credentials.421228
enterprise T1110.001 Password Guessing APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.19 APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.22
enterprise T1110.003 Password Spraying APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.1928 APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.22
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell APT28 downloads and executes PowerShell scripts and performs PowerShell commands.161222
enterprise T1059.003 Windows Command Shell An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.35 The group has also used macros to execute payloads.1744112
enterprise T1092 Communication Through Removable Media APT28 uses a tool that captures information from air-gapped computers via an infected USB device and transfers it to a network-connected computer when the USB device is inserted.34
enterprise T1586 Compromise Accounts -
enterprise T1586.002 Email Accounts APT28 has used compromised email accounts to send credential phishing emails.31
enterprise T1584 Compromise Infrastructure During APT28 Nearest Neighbor Campaign, APT28 compromised third-party infrastructure in physical proximity to targets of interest for follow-on activities.15
enterprise T1584.008 Network Devices APT28 compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages.3
enterprise T1213 Data from Information Repositories APT28 has collected files from various information repositories.22
enterprise T1213.002 Sharepoint APT28 has collected information from Microsoft SharePoint services within target networks.47
enterprise T1005 Data from Local System APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.38214222
enterprise T1039 Data from Network Shared Drive APT28 has collected files from network shared drives.22
enterprise T1025 Data from Removable Media An APT28 backdoor may collect the entire contents of an inserted USB device.34
enterprise T1001 Data Obfuscation -
enterprise T1001.001 Junk Data APT28 added “junk data” to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a “junk length” value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.10
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging APT28 has stored captured credential information in a file named pi.log.34
enterprise T1074.002 Remote Data Staging APT28 has staged archives of collected data on a target’s Outlook Web Access (OWA) server.22
enterprise T1030 Data Transfer Size Limits APT28 has split archived exfiltration files into chunks smaller than 1MB.22
enterprise T1140 Deobfuscate/Decode Files or Information An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.3316
enterprise T1006 Direct Volume Access During APT28 Nearest Neighbor Campaign, APT28 accessed volume shadow copies through executing vssadmin in order to dump the NTDS.dit file.15
enterprise T1561 Disk Wipe -
enterprise T1561.001 Disk Content Wipe During APT28 Nearest Neighbor Campaign, APT28 used the native Microsoft utility cipher.exe to securely wipe files and folders – overwriting the deleted data using cmd.exe /c cipher /W:C.15
enterprise T1189 Drive-by Compromise APT28 has compromised targets via strategic web compromise utilizing custom exploit kits.25 APT28 used reflected cross-site scripting (XSS) against government websites to redirect users to phishing webpages.3
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection APT28 has collected emails from victim Microsoft Exchange servers.2122
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.6
enterprise T1546 Event Triggered Execution -
enterprise T1546.015 Component Object Model Hijacking APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.436
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol APT28 has exfiltrated archives of collected data previously staged on a target’s OWA server via HTTPS.22
enterprise T1567 Exfiltration Over Web Service APT28 can exfiltrate data over Google Drive.12
enterprise T1190 Exploit Public-Facing Application APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.422
enterprise T1203 Exploitation for Client Execution APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.13
enterprise T1211 Exploitation for Defense Evasion APT28 has used CVE-2015-4902 to bypass security features.3234
enterprise T1068 Exploitation for Privilege Escalation APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263, and CVE-2022-38028 to escalate privileges.32341315
enterprise T1210 Exploitation of Remote Services APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.103649
enterprise T1133 External Remote Services APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts.22
enterprise T1083 File and Directory Discovery APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.3821
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.001 Credentials APT28 has harvested users' login credentials.28
enterprise T1591 Gather Victim Org Information APT28 has used large language models (LLMs) to gather information about satellite capabilities.2930
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories APT28 has saved files with hidden file attributes.1717
enterprise T1564.003 Hidden Window APT28 has used the WindowStyle parameter to conceal PowerShell windows.16 37
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall During APT28 Nearest Neighbor Campaign, APT28 added rules to a victim’s Windows firewall to set up a series of port-forwards allowing traffic to target systems.15
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security.221
enterprise T1070.004 File Deletion APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.21
enterprise T1070.006 Timestomp APT28 has performed timestomping on victim files.2
enterprise T1105 Ingress Tool Transfer APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.323511222
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging APT28 has used tools to perform keylogging.342112
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.374516
enterprise T1036 Masquerading APT28 has renamed the WinRAR utility to avoid detection.22
enterprise T1036.005 Match Legitimate Resource Name or Location APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.22
enterprise T1498 Network Denial of Service In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.4
enterprise T1040 Network Sniffing APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.1036 APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.4
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.013 Encrypted/Encoded File APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.323316171
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.161336
enterprise T1137 Office Application Startup -
enterprise T1137.002 Office Test APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.53
enterprise T1003 OS Credential Dumping APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.40214
enterprise T1003.001 LSASS Memory APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.4021 They have also dumped the LSASS process memory using the MiniDump function.22
enterprise T1003.002 Security Account Manager During APT28 Nearest Neighbor Campaign, APT28 used the following commands to dump SAM, SYSTEM, and SECURITY hives: reg save hklm\sam, reg save hklm\system, and reg save hklm\security.15
enterprise T1003.003 NTDS APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.22
enterprise T1120 Peripheral Device Discovery APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim system.34
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.33816211311225
enterprise T1598 Phishing for Information APT28 has used spearphishing to compromise credentials.2825
enterprise T1598.003 Spearphishing Link APT28 has conducted credential phishing campaigns with links that redirect to credential harvesting sites.31216425
enterprise T1542 Pre-OS Boot -
enterprise T1542.003 Bootkit APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.7
enterprise T1057 Process Discovery An APT28 loader Trojan will enumerate the victim’s processes searching for explorer.exe if its current process does not have necessary permissions.35
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy During APT28 Nearest Neighbor Campaign, APT28 used the built-in netsh portproxy command to create internal proxies on compromised systems.15
enterprise T1090.002 External Proxy APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.103221
enterprise T1090.003 Multi-hop Proxy APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.12
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol During APT28 Nearest Neighbor Campaign, APT28 used RDP for lateral movement.15
enterprise T1021.002 SMB/Windows Admin Shares APT28 has mapped network drives using Net and administrator credentials.22
enterprise T1091 Replication Through Removable Media APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.34
enterprise T1014 Rootkit APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.2750
enterprise T1113 Screen Capture APT28 has used tools to take screenshots from victims.40412125
enterprise T1596 Search Open Technical Databases APT28 has used large language models (LLMs) to assist in script development and deployment.2930
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target’s Outlook Web Access (OWA) server.22
enterprise T1528 Steal Application Access Token APT28 has used several malicious applications to steal user OAuth access tokens including applications masquerading as “Google Defender” “Google Email Protection,” and “Google Scanner” for Gmail users. They also targeted Yahoo users with applications masquerading as “Delivery Service” and “McAfee Email Protection”.51
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe “C:\Windows\twain_64.dll”. APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.2321635622
enterprise T1016 System Network Configuration Discovery -
enterprise T1016.002 Wi-Fi Discovery During APT28 Nearest Neighbor Campaign, APT28 collected information on wireless interfaces within range of a compromised system.15
enterprise T1221 Template Injection APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro.46
enterprise T1199 Trusted Relationship Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.21
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.001 Application Access Token APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.51
enterprise T1550.002 Pass the Hash APT28 has used pass the hash for lateral movement.34
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.425
enterprise T1204.002 Malicious File APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.33125
enterprise T1078 Valid Accounts APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to log in to the DCCC network. The group has also leveraged default manufacturer passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.48212022
enterprise T1078.004 Cloud Accounts APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.22
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication APT28 has used Google Drive for C2.12
enterprise T1669 Wi-Fi Networks APT28 has exploited open Wi-Fi access points for initial access to target devices using the network.1539

Software

ID Name References Techniques
S0045 ADVSTORESHELL 1413 Web Protocols:Application Layer Protocol Archive Collected Data Archive via Custom Method:Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Component Object Model Hijacking:Event Triggered Execution Exfiltration Over C2 Channel File and Directory Discovery File Deletion:Indicator Removal Keylogging:Input Capture Modify Registry Native API Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Scheduled Transfer Rundll32:System Binary Proxy Execution System Information Discovery
S0351 Cannon 4446 Mail Protocols:Application Layer Protocol Winlogon Helper DLL:Boot or Logon Autostart Execution Exfiltration Over C2 Channel File and Directory Discovery Ingress Tool Transfer Local Storage Discovery Process Discovery Screen Capture System Information Discovery System Owner/User Discovery System Time Discovery
S0160 certutil 3322 Archive via Utility:Archive Collected Data Deobfuscate/Decode Files or Information Ingress Tool Transfer Install Root Certificate:Subvert Trust Controls
S0023 CHOPSTICK 10141325 Mail Protocols:Application Layer Protocol Web Protocols:Application Layer Protocol Command and Scripting Interpreter Communication Through Removable Media Domain Generation Algorithms:Dynamic Resolution Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Fallback Channels File and Directory Discovery Ingress Tool Transfer Keylogging:Input Capture Modify Registry Fileless Storage:Obfuscated Files or Information Internal Proxy:Proxy Query Registry Replication Through Removable Media Screen Capture Security Software Discovery:Software Discovery Virtualization/Sandbox Evasion
S1205 cipher.exe 15 Disk Content Wipe:Disk Wipe
S0137 CORESHELL 1025 Web Protocols:Application Layer Protocol Mail Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Standard Encoding:Data Encoding Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Local Storage Discovery Junk Code Insertion:Obfuscated Files or Information Obfuscated Files or Information Rundll32:System Binary Proxy Execution System Information Discovery
S0243 DealersChoice 825 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Exploitation for Client Execution
S0134 Downdelph 725 Bypass User Account Control:Abuse Elevation Control Mechanism Junk Data:Data Obfuscation Symmetric Cryptography:Encrypted Channel DLL:Hijack Execution Flow Ingress Tool Transfer
S0502 Drovorub 23 Web Protocols:Application Layer Protocol Kernel Modules and Extensions:Boot or Logon Autostart Execution Unix Shell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel File Deletion:Indicator Removal Ingress Tool Transfer Non-Application Layer Protocol Obfuscated Files or Information Internal Proxy:Proxy Rootkit
S0193 Forfiles 38 Data from Local System File and Directory Discovery Indirect Command Execution
S0410 Fysbis 56 XDG Autostart Entries:Boot or Logon Autostart Execution Unix Shell:Command and Scripting Interpreter Systemd Service:Create or Modify System Process Standard Encoding:Data Encoding File and Directory Discovery File Deletion:Indicator Removal Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Resource Name or Location:Masquerading Encrypted/Encoded File:Obfuscated Files or Information Process Discovery System Information Discovery
S0135 HIDEDRV 7 Dynamic-link Library Injection:Process Injection Rootkit
S0044 JHUHUGIT 91413425 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Logon Script (Windows):Boot or Logon Initialization Scripts Clipboard Data Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Component Object Model Hijacking:Event Triggered Execution Exploitation for Privilege Escalation Fallback Channels File Deletion:Indicator Removal Ingress Tool Transfer Local Storage Discovery Encrypted/Encoded File:Obfuscated Files or Information Process Discovery Process Injection Scheduled Task:Scheduled Task/Job Screen Capture Rundll32:System Binary Proxy Execution System Network Configuration Discovery
S0250 Koadic 16 Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Data from Local System Asymmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Window:Hide Artifacts Ingress Tool Transfer Network Service Discovery Network Share Discovery Security Account Manager:OS Credential Dumping NTDS:OS Credential Dumping Dynamic-link Library Injection:Process Injection Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Mshta:System Binary Proxy Execution Regsvr32:System Binary Proxy Execution Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery Service Execution:System Services Windows Management Instrumentation
S0162 Komplex 415425 Web Protocols:Application Layer Protocol Launch Agent:Create or Modify System Process Symmetric Cryptography:Encrypted Channel Hidden Files and Directories:Hide Artifacts File Deletion:Indicator Removal Process Discovery System Owner/User Discovery
S0397 LoJax 50 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution NTFS File Attributes:Hide Artifacts Modify Registry System Firmware:Pre-OS Boot Rootkit
S0002 Mimikatz 14 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0039 Net 22 Domain Account:Account Discovery Local Account:Account Discovery Additional Local or Domain Groups:Account Manipulation Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0108 netsh APT28 (15), APT28 Nearest Neighbor Campaign (15) Netsh Helper DLL:Event Triggered Execution Disable or Modify System Firewall:Impair Defenses Proxy Security Software Discovery:Software Discovery
S0138 OLDBAIT 10 Mail Protocols:Application Layer Protocol Web Protocols:Application Layer Protocol Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Match Legitimate Resource Name or Location:Masquerading Obfuscated Files or Information
S1187 reGeorg 55 Web Protocols:Application Layer Protocol Python:Command and Scripting Interpreter Ingress Tool Transfer Non-Application Layer Protocol Protocol Tunneling Proxy Remote Desktop Protocol:Remote Services SSH:Remote Services SMB/Windows Admin Shares:Remote Services Web Shell:Server Software Component
S0174 Responder 364 LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Network Sniffing
S0183 Tor 22 Asymmetric Cryptography:Encrypted Channel Multi-hop Proxy:Proxy
S0136 USBStealer 7 Automated Collection Automated Exfiltration Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Communication Through Removable Media Data from Removable Media Local Data Staging:Data Staged Exfiltration over USB:Exfiltration Over Physical Medium File and Directory Discovery Timestomp:Indicator Removal File Deletion:Indicator Removal Match Legitimate Resource Name or Location:Masquerading Encrypted/Encoded File:Obfuscated Files or Information Peripheral Device Discovery Replication Through Removable Media
S0645 Wevtutil 2 Data from Local System Disable Windows Event Logging:Impair Defenses Clear Windows Event Logs:Indicator Removal
S0191 Winexe 3825 Service Execution:System Services
S0314 X-Agent for Android 57 Location Tracking Match Legitimate Name or Location:Masquerading
S0161 XAgentOSX 41274 File Transfer Protocols:Application Layer Protocol Credentials from Web Browsers:Credentials from Password Stores File and Directory Discovery File Deletion:Indicator Removal Keylogging:Input Capture Native API Process Discovery Screen Capture System Information Discovery System Owner/User Discovery
S0117 XTunnel 727425 Windows Command Shell:Command and Scripting Interpreter Asymmetric Cryptography:Encrypted Channel Fallback Channels Network Service Discovery Junk Code Insertion:Obfuscated Files or Information Obfuscated Files or Information Proxy Credentials In Files:Unsecured Credentials
S0251 Zebrocy 164413466 Mail Protocols:Application Layer Protocol Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Logon Script (Windows):Boot or Logon Initialization Scripts Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Credential API Hooking:Input Capture Local Storage Discovery Network Share Discovery Software Packing:Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Scheduled Task:Scheduled Task/Job Screen Capture System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Time Discovery Windows Management Instrumentation

References

  1. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  2. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  3. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024. 

  4. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020. 

  5. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. 

  6. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  7. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. 

  8. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. 

  9. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024. 

  10. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015. 

  11. Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. 

  12. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. 

  13. Kaspersky Lab’s Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. 

  14. Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. 

  15. Koessel, S., Adair, S., Lancaster, T. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025. 

  16. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  17. Mercer, W., et al. (2017, October 22). “Cyber Conflict” Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. 

  18. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 

  19. Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. 

  20. MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. 

  21. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024. 

  22. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  23. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 

  24. SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. 

  25. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022. 

  26. Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022. 

  27. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. 

  28. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021. 

  29. Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024. 

  30. OpenAI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. Retrieved September 12, 2024. 

  31. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022. 

  32. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  33. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  34. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. 

  35. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  36. Smith, L., Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved November 17, 2024. 

  37. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017. 

  38. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018. 

  39. U.S. Department of Justice. (2018, October 4). U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations. Retrieved February 25, 2025. 

  40. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  41. Falcone, R. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017. 

  42. Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020. 

  43. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  44. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  45. Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017. 

  46. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 

  47. Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018. 

  48. Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017. 

  49. Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017. 

  50. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019. 

  51. Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. 

  52. FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017. 

  53. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017. 

  54. Creus, D., Halfpop, T., Falcone, R. (2016, September 26). Sofacy’s ‘Komplex’ OS X Trojan. Retrieved July 8, 2017. 

  55. Paganini, P. (2023, October 27). France agency ANSSI warns of Russia-linked APT28 attacks on French entities. Retrieved December 3, 2024. 

  56. Lee, B., Downs, R. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017. 

  57. CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.