APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff (GRU) by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. APT28 has been active since at least 2004.
Associated Group Descriptions
| Name | Description |
|---|---|
| Sednit | This designation has been used in reporting both to refer to the threat group and to its associated malware JHUHUGIT. |
| Sofacy | This designation has been used in reporting both to refer to the threat group and to its associated malware. |
| Pawn Storm | |
| Fancy Bear | |
| STRONTIUM | |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| PRE-ATT&CK | T1328 | Buy domain name | |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560 | Archive Collected Data | |
| Enterprise | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1092 | Communication Through Removable Media | |
| Enterprise | T1213.002 | Data from Information Repositories: Sharepoint | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1025 | Data from Removable Media | |
| Enterprise | T1001.001 | Data Obfuscation: Junk Data | APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire. |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | |
| Enterprise | T1203 | Exploitation for Client Execution | |
| Enterprise | T1211 | Exploitation for Defense Evasion | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | |
| Enterprise | T1210 | Exploitation of Remote Services | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | |
| Enterprise | T1070.006 | Indicator Removal on Host: Timestomp | |
| Enterprise | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1137.002 | Office Application Startup: Office Test | |
| Enterprise | T1003 | OS Credential Dumping | |
| Enterprise | T1120 | Peripheral Device Discovery | |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | |
| Enterprise | T1542.003 | Pre-OS Boot: Bootkit | |
| Enterprise | T1090.002 | Proxy: External Proxy | APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server. |
| Enterprise | T1091 | Replication Through Removable Media | |
| Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 | APT28 executed CHOPSTICK by using rundll32 commands such as |
| Enterprise | T1528 | Steal Application Access Token | APT28 has used several malicious applications to steal user OAuth access tokens, including applications masquerading as "Google Defender," "Google Email Protection," and "Google Scanner" for Gmail users. They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection". |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | |
| Enterprise | T1550.001 | Use Alternate Authentication Material: Application Access Token | |
| Enterprise | T1204.002 | User Execution: Malicious File | |
| Enterprise | T1078 | Valid Accounts | APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to log in to the DCCC network. The group has also leveraged default manufacturer passwords to gain initial access to corporate networks via IoT devices such as a VoIP phone, a printer, and a video decoder. |
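The T1001.001 row above describes a per-implant "junk length" that the controller tracks so that both ends decode cleanly while an observer on the wire cannot. The following Python is an added illustration of that idea and is not code from this page or from any APT28 sample; the concrete scheme (one random byte spliced in after every `junk_len` payload bytes, then base64), the `Controller` registry, the implant identifiers and the sample command are all assumptions made for the demonstration.

```python
import base64
import os

# Hypothetical junk-data scheme (an assumption for illustration; NOT APT28's
# actual wire format, which the page does not describe beyond "junk data" and a
# per-implant "junk length"). One random byte is spliced in after every
# `junk_len` payload bytes before the string is base64-encoded, so the payload
# boundaries are only recoverable by a party that knows the implant's junk_len.


def encode_with_junk(payload: bytes, junk_len: int) -> str:
    """Splice one random junk byte after every `junk_len` payload bytes, then base64."""
    if junk_len < 1:
        raise ValueError("junk_len must be at least 1")
    out = bytearray()
    for i in range(0, len(payload), junk_len):
        out += payload[i:i + junk_len]
        out += os.urandom(1)
    return base64.b64encode(bytes(out)).decode("ascii")


def decode_with_junk(blob: str, junk_len: int) -> bytes:
    """Inverse of encode_with_junk: drop the last byte of every (junk_len + 1)-byte group.
    Called with the wrong junk_len it returns garbage of a different length."""
    raw = base64.b64decode(blob)
    out = bytearray()
    for i in range(0, len(raw), junk_len + 1):
        out += raw[i:i + junk_len + 1][:-1]
    return bytes(out)


def naive_decode(blob: str) -> bytes:
    """What an analyst gets from the wire without the junk length: base64 only,
    with the command fragments broken up by random bytes."""
    return base64.b64decode(blob)


class Controller:
    """Constructed model of the controller side: it remembers each implant's junk
    length so both directions decode cleanly while the wire shows no fixed layout."""

    def __init__(self) -> None:
        self._junk_len = {}  # implant_id -> junk_len (assumed registry)

    def register(self, implant_id: str, junk_len: int) -> None:
        # Assigned once when the implant is built; the implant carries the same value.
        self._junk_len[implant_id] = junk_len

    def send(self, implant_id: str, command: str) -> str:
        return encode_with_junk(command.encode("utf-8"), self._junk_len[implant_id])

    def receive(self, implant_id: str, blob: str) -> str:
        return decode_with_junk(blob, self._junk_len[implant_id]).decode("utf-8")


if __name__ == "__main__":
    c = Controller()
    c.register("implant-a", 3)   # hypothetical implant ids and junk lengths
    c.register("implant-b", 7)
    wire = c.send("implant-a", "cmd: dir C:\\Users")
    print("on the wire     :", wire)
    print("naive base64    :", naive_decode(wire))
    print("wrong junk_len  :", decode_with_junk(wire, 7))
    print("controller view :", c.receive("implant-a", wire))
```

Two implants given different junk lengths produce blobs of different sizes for the same command, and a decoder that guesses the wrong value gets output of the wrong length rather than a near miss, which is why recovering the command protocol from captures alone requires first extracting the value from the implant itself.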
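The T1090.002 row above describes a compromised server used as a hop point: several victims push traffic to it and it forwards a comparable volume to the group's server. The Python below is an added detection heuristic for that shape, not code or data from this page or from the cited reports; the address ranges, the flow records and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Added example: flag internal hosts that collect traffic from several internal
# peers and send roughly the same volume to a single external destination.
# Address ranges, flows and thresholds are constructed for this illustration.

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow summaries over one window: (src, dst, dst_port, bytes_sent_by_src)
FLOWS = [
    ("10.1.1.20", "10.1.1.50", 443, 52000),      # three workstations all push data
    ("10.1.1.21", "10.1.1.50", 443, 48000),      # to the same internal server ...
    ("10.1.1.22", "10.1.1.50", 443, 51000),
    ("10.1.1.50", "203.0.113.7", 443, 149000),   # ... which forwards about the sum outside
    ("10.1.1.20", "198.51.100.9", 443, 3000),    # ordinary browsing, no inbound peers
    ("10.1.1.60", "10.1.1.61", 445, 1000),       # single-peer SMB, below min_peers
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_peers: int = 2, tolerance: float = 0.25):
    """Return hosts whose inbound volume from >= min_peers internal peers is matched
    (within tolerance) by outbound volume to one external destination."""
    inbound = defaultdict(lambda: defaultdict(int))    # host -> internal src -> bytes
    outbound = defaultdict(lambda: defaultdict(int))   # host -> external dst -> bytes
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst][src] += nbytes
        elif is_internal(src):
            outbound[src][dst] += nbytes
    findings = []
    for host, peers in inbound.items():
        if len(peers) < min_peers:
            continue
        total_in = sum(peers.values())
        for ext_dst, out_bytes in outbound.get(host, {}).items():
            # Relayed traffic comes out about as large as it went in; the tolerance
            # absorbs framing overhead and compression.
            if abs(out_bytes - total_in) <= tolerance * total_in:
                findings.append({
                    "relay": host,
                    "external": ext_dst,
                    "peers": sorted(peers),
                    "bytes_in": total_in,
                    "bytes_out": out_bytes,
                })
    return findings


if __name__ == "__main__":
    for hit in find_relay_candidates(FLOWS):
        print(hit)
```

Legitimate forwarders (mail gateways, explicit proxies, backup targets) produce the same shape, so baseline known relays before alerting on this, and treat a mail server or other single-purpose host that suddenly acquires this profile as the interesting case.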
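The T1218.011 row above notes that CHOPSTICK was launched through rundll32. The Python below is an added example of the process-creation checks a defender would run for that technique; it is not code from this page, the log line format (`key=value` pairs joined with `;`), the sample events and the heuristics are assumptions made for the illustration, and none of the paths come from an APT28 sample.

```python
import ntpath
import re

# Added example: parse constructed Sysmon-style process-creation records and
# flag rundll32 invocations that look like proxy execution of a dropped DLL.
# Log format, sample events and thresholds are assumptions for this illustration.

USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\", "\\public\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_LINES = [
    "ParentImage=C:\\Windows\\explorer.exe;Image=C:\\Windows\\System32\\rundll32.exe;"
    "CommandLine=rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE;"
    "Image=C:\\Windows\\System32\\rundll32.exe;"
    "CommandLine=\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.dat\",Start",
    "ParentImage=C:\\Windows\\System32\\cmd.exe;Image=C:\\Windows\\SysWOW64\\rundll32.exe;"
    "CommandLine=rundll32.exe C:\\ProgramData\\svc\\helper.dll",
    "ParentImage=C:\\Windows\\System32\\svchost.exe;Image=C:\\Windows\\System32\\rundll32.exe;"
    "CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,OpenAs_RunDLL C:\\docs\\notes.txt",
    "ParentImage=C:\\Windows\\explorer.exe;Image=C:\\Windows\\System32\\notepad.exe;"
    "CommandLine=notepad.exe C:\\docs\\notes.txt",
]

# Matches the rundll32 executable token, quoted or bare, and captures the rest.
RUNDLL32_RE = re.compile(r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*(.*)$', re.IGNORECASE)


def parse_line(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split(";"))


def split_rundll32_args(cmdline: str):
    """Return (dll_path, export_or_None) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if not rest:
        return ("", None)
    if rest.startswith('"'):                       # quoted DLL path, export after the quote
        close = rest.find('"', 1)
        if close < 0:
            return None
        dll, rest = rest[1:close], rest[close + 1:]
    else:                                          # bare token up to whitespace or comma
        m2 = re.match(r"([^\s,]+)(.*)$", rest)
        if not m2:
            return None
        dll, rest = m2.group(1), m2.group(2)
    export = None
    if rest.startswith(","):
        tokens = rest[1:].split()
        export = tokens[0] if tokens else None
    return dll, export


def score_event(ev: dict) -> list:
    """Reasons this event looks like rundll32 abuse; empty list means benign."""
    if ntpath.basename(ev.get("Image", "")).lower() != "rundll32.exe":
        return []
    parsed = split_rundll32_args(ev.get("CommandLine", ""))
    if parsed is None:
        return ["unparseable_command_line"]
    dll, export = parsed
    low = dll.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("dll_in_user_writable_path")
    if low and not low.endswith(".dll"):
        reasons.append("non_dll_extension")
    if export is None:
        reasons.append("no_export_specified")
    if ntpath.basename(ev.get("ParentImage", "")).lower() in OFFICE_PARENTS:
        reasons.append("office_parent")
    return reasons


def run_detection(lines) -> list:
    findings = []
    for idx, line in enumerate(lines):
        reasons = score_event(parse_line(line))
        if reasons:
            findings.append({"line": idx, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LINES):
        print(hit)
```

The two benign lines (a Control Panel applet and an OpenAs dialog, both from System32 with an export named) pass, while a DLL loaded from a user profile by an Office parent and a DLL from ProgramData invoked with no export are flagged; the parser handles both the quoted and the bare `path,Export` forms so the same rule can be fed real Sysmon event 1 command lines.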
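The T1528 row above describes consent phishing with apps whose display names borrow a provider's or a security vendor's brand. The Python below is an added example of the review a tenant administrator would run over exported OAuth grants; it is not code from this page. The grant records, the publisher domains and the brand-to-owner table are constructed assumptions; the Gmail scope URIs are real Google API scopes, everything else is illustrative.

```python
import re

# Added example: review third-party OAuth grants for brand impersonation and
# mailbox scopes. Records, publisher domains and the brand table are constructed
# for this illustration; the Gmail scope URIs are real.

# Brand word that appears in an app name -> domain that may legitimately publish it (assumed table).
BRAND_OWNERS = {"google": "google.com", "gmail": "google.com", "yahoo": "yahoo.com", "mcafee": "mcafee.com"}

# Scopes that hand over the mailbox; any grant carrying one deserves review.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Constructed export of consent grants (not real data).
GRANTS = [
    {"user": "alice@example.org", "app": "Google Defender",
     "publisher": "defender-secure.example", "scopes": ["https://mail.google.com/"]},
    {"user": "bob@example.org", "app": "Google Drive File Stream",
     "publisher": "google.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "carol@example.org", "app": "McAfee Email Protection",
     "publisher": "mail-protect.example",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"user": "dave@example.org", "app": "Team Chat",
     "publisher": "chat.example", "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    {"user": "erin@example.org", "app": "Inbox Helper",
     "publisher": "inboxhelper.example", "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
]


def brand_mismatch(app_name: str, publisher_domain: str):
    """Return the brand word the app name borrows if the publisher is not that brand's owner."""
    for word in re.findall(r"[a-z]+", app_name.lower()):
        owner = BRAND_OWNERS.get(word)
        if owner and not (publisher_domain == owner or publisher_domain.endswith("." + owner)):
            return word
    return None


def assess_grants(grants) -> list:
    """Classify each grant: 'revoke' when a lookalike app holds a mailbox scope,
    'review' when only one of the two signals is present."""
    findings = []
    for g in grants:
        reasons = []
        brand = brand_mismatch(g["app"], g["publisher"])
        if brand:
            reasons.append(f"name borrows '{brand}' but publisher is {g['publisher']}")
        mail = sorted(set(g["scopes"]) & MAIL_SCOPES)
        if mail:
            reasons.append("mailbox scope granted: " + ", ".join(mail))
        if reasons:
            findings.append({
                "user": g["user"],
                "app": g["app"],
                "reasons": reasons,
                "action": "revoke" if (brand and mail) else "review",
            })
    return findings


if __name__ == "__main__":
    for hit in assess_grants(GRANTS):
        print(hit["action"].upper(), hit["user"], hit["app"], "|", "; ".join(hit["reasons"]))
```

The name check is deliberately simple: it catches the pattern the page describes, a provider's or vendor's name in the display name with an unrelated publisher, but it will not catch lookalikes built from homoglyphs or misspellings, so keep the allow-list of approved apps as the primary control and use this to surface what slipped past it.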
References
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
- Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
- Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations? Retrieved August 19, 2015.
- SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
- FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
- Lee, B., Falcone, R. (2018, June 6). Sofacy Group's Parallel Attacks. Retrieved June 18, 2018.
- Symantec Security Response. (2018, October 4). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Anthe, C., et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
- Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.
- Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
- Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
- Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.
- Smith, L., Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
- Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
- MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
- ESET. (2018, September). LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New 'Cannon' Trojan. Retrieved November 26, 2018.
- Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017.
- Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group's Global Campaign. Retrieved April 19, 2019.
- Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- Creus, D., Halfpop, T., Falcone, R. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- Lee, B., Downs, R. (2016, February 12). A Look Into Fysbis: Sofacy's Linux Backdoor. Retrieved September 10, 2017.
- CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.