APT28

APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. APT28 has been active since at least 2004.[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]

ID: G0007
Associated Groups: SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127
Contributors: Drew Church, Splunk; Emily Ratliff, IBM; Richard Gold, Digital Shadows
Version: 2.3
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Group Descriptions

Name Description
SNAKEMACKEREL [15]
Swallowtail [10]
Group 74 [18]
Sednit This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. [6] [5] [37] [2]
Sofacy This designation has been used in reporting both to refer to the threat group and its associated malware. [4] [5] [3] [27] [2][18]
Pawn Storm [5] [27]
Fancy Bear [3] [37] [27] [2][18][10][24]
STRONTIUM [37] [27] [30]
Tsar Team [27][18]
Threat Group-4127 [5]
TG-4127 [5]

Techniques Used

Domain ID Name Use
PRE-ATT&CK T1328 Buy domain name

APT28 registered domains imitating NATO and OSCE security websites and Caucasus information resources.[4]

PRE-ATT&CK T1346 Obtain/re-use payloads

APT28 reused the SOURFACE downloader as the payload of a lure document.[4]

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[28]

Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims.[4]

.001 Application Layer Protocol: Web Protocols

Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP and other legitimate channels for C2, depending on module configuration.[4]

Enterprise T1560 Archive Collected Data

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[1]

Enterprise T1119 Automated Collection

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[1]

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[14]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT28 downloads and executes PowerShell scripts.[9]

.003 Command and Scripting Interpreter: Windows Command Shell

An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.[14] The group has also used macros to execute payloads.[18][32][15]

Enterprise T1092 Communication Through Removable Media

APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted.[12]

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

APT28 has collected information from Microsoft SharePoint services within target networks.[25]

Enterprise T1005 Data from Local System

APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before.[21][1]

Enterprise T1025 Data from Removable Media

An APT28 backdoor may collect the entire contents of an inserted USB device.[12]

Enterprise T1001 .001 Data Obfuscation: Junk Data

APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[4]

Enterprise T1074 .001 Data Staged: Local Data Staging

APT28 has stored captured credential information in a file named pi.log.[12]

Enterprise T1140 Deobfuscate/Decode Files or Information

An APT28 macro uses the command certutil -decode to decode the contents of a .txt file storing the base64-encoded payload.[22][9]

Enterprise T1114 .002 Email Collection: Remote Email Collection

APT28 has collected emails from victim Microsoft Exchange servers.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.[11]

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.[23][11]

Enterprise T1203 Exploitation for Client Execution

APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.[24]

Enterprise T1211 Exploitation for Defense Evasion

APT28 has used CVE-2015-4902 to bypass security features.[13][12]

Enterprise T1068 Exploitation for Privilege Escalation

APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges.[13][12][24]

Enterprise T1210 Exploitation of Remote Services

APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.[4][26][33]

Enterprise T1083 File and Directory Discovery

APT28 has used Forfiles to locate PDF, Excel, and Word documents during. The group also searched a compromised DCCC computer for specific terms.[21][1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

APT28 has saved files with hidden file attributes.[18]

.003 Hide Artifacts: Hidden Window

APT28 has used the WindowStyle parameter to conceal PowerShell windows.[9] [16]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

APT28 has performed timestomping on victim files.[3]

.001 Indicator Removal on Host: Clear Windows Event Logs

APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security.[3][1]

.004 Indicator Removal on Host: File Deletion

APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.[1]

Enterprise T1105 Ingress Tool Transfer

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[13][14][15]

Enterprise T1056 .001 Input Capture: Keylogging

APT28 has used tools to perform keylogging.[12][1]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.[16][17][9]

Enterprise T1040 Network Sniffing

APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[4][26]

Enterprise T1027 Obfuscated Files or Information

APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.[13][22][9][18][15]

Enterprise T1137 .002 Office Application Startup: Office Test

APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.[34]

Enterprise T1003 OS Credential Dumping

APT28 regularly deploys both publicly available (e.g., Mimikatz) and custom password retrieval tools on victims.[19][1]

.001 LSASS Memory

APT28 regularly deploys both publicly available (e.g., Mimikatz) and custom password retrieval tools on victims.[19][1]

Enterprise T1120 Peripheral Device Discovery

APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.[12]

Enterprise T1566 .002 Phishing: Spearphishing Link

APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.[1][11]

.001 Phishing: Spearphishing Attachment

APT28 sent spearphishing emails containing malicious Microsoft Office attachments.[22][8][9][1][24][15]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[27]

Enterprise T1057 Process Discovery

An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have the necessary permissions.[14]

Enterprise T1090 .002 Proxy: External Proxy

APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.[4][13][1]

Enterprise T1091 Replication Through Removable Media

APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.[12]

Enterprise T1014 Rootkit

APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.[10][31]

Enterprise T1113 Screen Capture

APT28 has used tools to take screenshots from victims.[19][20][1]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.[3][13][9][14][11]

Enterprise T1528 Steal Application Access Token

APT28 has used several malicious applications to steal user OAuth access tokens, including applications masquerading as "Google Defender," "Google Email Protection," and "Google Scanner" for Gmail users. They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection".[36]

Enterprise T1221 Template Injection

APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro.[35]

Enterprise T1199 Trusted Relationship

Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

APT28 has used pass the hash for lateral movement.[12]

.001 Use Alternate Authentication Material: Application Access Token

APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.[36]

Enterprise T1204 .002 User Execution: Malicious File

APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.[22][15]

Enterprise T1078 Valid Accounts

APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to log in to the DCCC network. The group has also leveraged manufacturer default passwords to gain initial access to corporate networks via IoT devices such as a VoIP phone, printer, and video decoder.[29][1][30]
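An added detection example, written for this editorial pass and not taken from the ATT&CK page, from APT28 tooling, or from any vendor, that turns several host artifacts listed in the table above into rules: the wevtutil cl log clearing, certutil -decode, the rundll32.exe "C:\Windows\twain_64.dll" execution, hidden-window PowerShell, and the HKCU\Environment\UserInitMprLogonScript and Office Test registry keys. It assumes Sysmon-style process-creation and registry-set events reduced to dictionaries; the sample events are constructed, and the wevtutil and PowerShell rules are deliberately broader than the page's exact strings (any cleared log, the abbreviated -w forms).

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str   # ATT&CK (sub-)technique ID as listed on the APT28 page
    name: str
    field: str       # event field the pattern is applied to
    pattern: str     # case-insensitive regular expression


# Rules derived from the host artifacts the APT28 page reports.
RULES = [
    Rule("T1070.001", "Event log cleared with wevtutil", "CommandLine",
         r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+"),
    Rule("T1140", "certutil used to decode a staged payload", "CommandLine",
         r"\bcertutil(\.exe)?\b.*\s-decode\b"),
    Rule("T1218.011", "rundll32 loading the reported twain_64.dll path", "CommandLine",
         r'\brundll32(\.exe)?\s+"?C:\\Windows\\twain_64\.dll"?'),
    Rule("T1564.003", "PowerShell started with a hidden window", "CommandLine",
         r"\bpowershell(\.exe)?\b.*\s-w\w*\s+hidden\b"),
    # Registry rules match on the key suffix because Sysmon records HKCU keys
    # under HKU\<SID>\... rather than as HKCU\...
    Rule("T1037.001", "UserInitMprLogonScript logon script persistence", "TargetObject",
         r"\\Environment\\UserInitMprLogonScript$"),
    Rule("T1137.002", "Office Test persistence key", "TargetObject",
         r"\\Software\\Microsoft\\Office test\\Special\\Perf$"),
]

# Constructed sample telemetry (Sysmon EventID 1 process creation and
# EventID 13 registry value set, reduced to the fields the rules need).
# These are invented for illustration, not data from any real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "wevtutil cl System"},
    {"EventID": 1, "CommandLine": "wevtutil cl Security"},
    {"EventID": 1, "CommandLine": "certutil -decode payload.txt payload.exe"},
    {"EventID": 1, "CommandLine": r'rundll32.exe "C:\Windows\twain_64.dll"'},
    {"EventID": 1, "CommandLine": r"powershell.exe -WindowStyle hidden -File C:\Users\Public\s.ps1"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Environment\UserInitMprLogonScript"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office test\Special\Perf"},
    # benign noise that must not match
    {"EventID": 1, "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 1, "CommandLine": "certutil -verify cert.cer"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Environment\TEMP"},
]


def detect(events):
    """Return (technique, rule name, matched value) for every rule that fires."""
    hits = []
    for event in events:
        for rule in RULES:
            value = event.get(rule.field)
            if value and re.search(rule.pattern, value, re.IGNORECASE):
                hits.append((rule.technique, rule.name, value))
    return hits


def techniques_seen(events):
    """Count hits per ATT&CK ID: which of the page's APT28 behaviours the telemetry shows."""
    return Counter(technique for technique, _, _ in detect(events))


if __name__ == "__main__":
    for technique, name, value in detect(SAMPLE_EVENTS):
        print(f"{technique:10} {name}: {value}")
    print(dict(techniques_seen(SAMPLE_EVENTS)))
```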

Software

ID Name References Techniques

S0045 ADVSTORESHELL [37][24]
Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Component Object Model Hijacking, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Modify Registry, Native API, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Query Registry, Scheduled Transfer, Signed Binary Proxy Execution: Rundll32, System Information Discovery

S0351 Cannon [32][35]
Application Layer Protocol: Mail Protocols, Boot or Logon Autostart Execution: Winlogon Helper DLL, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Process Discovery, Screen Capture, System Information Discovery, System Owner/User Discovery, System Time Discovery

S0160 certutil [22]
Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate

S0023 CHOPSTICK [4][37][24]
Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Command and Scripting Interpreter, Communication Through Removable Media, Dynamic Resolution: Domain Generation Algorithms, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Fallback Channels, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Proxy: Internal Proxy, Query Registry, Replication Through Removable Media, Screen Capture, Software Discovery: Security Software Discovery, Virtualization/Sandbox Evasion

S0137 CORESHELL [4]
Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Signed Binary Proxy Execution: Rundll32, System Information Discovery

S0243 DealersChoice [8]
Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Exploitation for Client Execution

S0134 Downdelph [27]
Abuse Elevation Control Mechanism: Bypass User Access Control, Data Obfuscation: Junk Data, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Search Order Hijacking, Ingress Tool Transfer

S0193 Forfiles [21]
Data from Local System, File and Directory Discovery, Indirect Command Execution

S0410 Fysbis [39]
Command and Scripting Interpreter: Unix Shell, Commonly Used Port, Create or Modify System Process: Systemd Service, Data Encoding: Standard Encoding, File and Directory Discovery, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Obfuscated Files or Information, Process Discovery, System Information Discovery

S0135 HIDEDRV [27]
Process Injection: Dynamic-link Library Injection, Rootkit

S0044 JHUHUGIT [6][37][24]
Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Initialization Scripts: Logon Script (Windows), Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Event Triggered Execution: Component Object Model Hijacking, Exploitation for Privilege Escalation, Fallback Channels, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Process Discovery, Process Injection, Scheduled Task/Job: Scheduled Task, Screen Capture, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery

S0250 Koadic [9]
Abuse Elevation Control Mechanism: Bypass User Access Control, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Data from Local System, Encrypted Channel: Asymmetric Cryptography, Ingress Tool Transfer, Network Service Scanning, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Signed Binary Proxy Execution: Rundll32, Signed Binary Proxy Execution: Mshta, Signed Binary Proxy Execution: Regsvr32, System Network Configuration Discovery, System Owner/User Discovery, System Services: Service Execution, Windows Management Instrumentation

S0162 Komplex [20][38]
Application Layer Protocol: Web Protocols, Create or Modify System Process: Launch Agent, Encrypted Channel: Symmetric Cryptography, Hide Artifacts: Hidden Files and Directories, Indicator Removal on Host: File Deletion, Process Discovery, System Owner/User Discovery

S0397 LoJax [31]
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Hide Artifacts: NTFS File Attributes, Modify Registry, Pre-OS Boot: System Firmware, Rootkit

S0002 Mimikatz [37]
Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S0138 OLDBAIT [4]
Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information

S0174 Responder [26]
Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing

S0136 USBStealer [27]
Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Communication Through Removable Media, Data from Removable Media, Data Staged: Local Data Staging, Exfiltration Over Physical Medium: Exfiltration over USB, File and Directory Discovery, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Timestomp, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Peripheral Device Discovery, Replication Through Removable Media

S0191 Winexe [21]
System Services: Service Execution

S0314 X-Agent for Android [40]
Location Tracking, Masquerade as Legitimate Application

S0161 XAgentOSX [20][10]
Application Layer Protocol: File Transfer Protocols, Credentials from Password Stores: Credentials from Web Browsers, File and Directory Discovery, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Native API, Process Discovery, Screen Capture, System Information Discovery, System Owner/User Discovery

S0117 XTunnel [27][10]
Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Asymmetric Cryptography, Fallback Channels, Network Service Scanning, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Proxy, Unsecured Credentials: Credentials In Files

S0251 Zebrocy [9][32][24][35][11]
Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Archive Collected Data, Automated Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Initialization Scripts: Logon Script (Windows), Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Credential API Hooking, Network Share Discovery, Obfuscated Files or Information: Software Packing, Peripheral Device Discovery, Process Discovery, Query Registry, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, Windows Management Instrumentation

References

  1. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  2. Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
  3. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  4. FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  5. SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
  6. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  7. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE - Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  8. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  9. Lee, B., Falcone, R. (2018, June 06). Sofacy Group's Parallel Attacks. Retrieved June 18, 2018.
  10. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  11. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  12. Anthe, C., et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  13. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  14. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  15. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  16. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
  17. Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.
  18. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  19. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  20. Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  21. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  22. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  23. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  24. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  25. Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.
  26. Smith, L., Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
  27. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  28. FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
  29. Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
  30. MSRC Team. (2019, August 5). Corporate IoT - a path to intrusion. Retrieved August 16, 2019.
  31. ESET. (2018, September). LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  32. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New 'Cannon' Trojan. Retrieved November 26, 2018.
  33. Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017.
  34. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  35. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group's Global Campaign. Retrieved April 19, 2019.
  36. Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.
  37. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  38. Creus, D., Halfpop, T., Falcone, R. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  39. Lee, B., Downs, R. (2016, February 12). A Look Into Fysbis: Sofacy's Linux Backdoor. Retrieved September 10, 2017.
  40. CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.