APT28

APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [1] [2] [3] [4] [5] [6] [7] [8] [9]

ID: G0007
Aliases: APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127
Contributors: Richard Gold, Digital Shadows

Version: 1.0

Alias Descriptions

Name | Description
APT28 | [4] [5] [3] [28] [12] [2]
Sednit | This designation has been used in reporting both to refer to the threat group and its associated malware. [6] [5] [28] [2]
Sofacy | This designation has been used in reporting both to refer to the threat group and its associated malware. [4] [5] [3] [12] [2]
Pawn Storm | [5] [12]
Fancy Bear | [3] [28] [12] [2]
STRONTIUM | [28] [12]
Tsar Team | [12]
Threat Group-4127 | [5]
TG-4127 | [5]

Techniques Used

Domain | ID | Name | Use
PRE-ATT&CK | T1328 | Buy domain name | APT28 registered domains imitating NATO and OSCE security websites and Caucasus information resources. [4]
PRE-ATT&CK | T1346 | Obtain/re-use payloads | APT28 reused the SOURFACE downloader as the payload of a lure document. [4]
Enterprise | T1134 | Access Token Manipulation | APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation. [11]
Enterprise | T1119 | Automated Collection | APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks. [1]
Enterprise | T1067 | Bootkit | APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy. [12]
Enterprise | T1059 | Command-Line Interface | APT28 uses cmd.exe to execute commands. [9]
Enterprise | T1092 | Communication Through Removable Media | APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted. [13]
Enterprise | T1122 | Component Object Model Hijacking | APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload. [14]
Enterprise | T1090 | Connection Proxy | APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server. [4] [15] [1]
Enterprise | T1003 | Credential Dumping | APT28 regularly deploys both publicly available and custom password retrieval tools on victims. [16] [1]
Enterprise | T1002 | Data Compressed | APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks. [1]
Enterprise | T1213 | Data from Information Repositories | APT28 has collected information from Microsoft SharePoint services within target networks. [17]
Enterprise | T1005 | Data from Local System | APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before. [18] [1]
Enterprise | T1025 | Data from Removable Media | An APT28 backdoor may collect the entire contents of an inserted USB device. [13]
Enterprise | T1001 | Data Obfuscation | APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire. [4]
Enterprise | T1074 | Data Staged | APT28 has stored captured credential information in a file named pi.log. [13]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | An APT28 macro uses the command certutil -decode to decode the contents of a .txt file storing the base64-encoded payload. [19] [9]
Enterprise | T1173 | Dynamic Data Exchange | APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents. [20] [21] [9]
Enterprise | T1114 | Email Collection | APT28 has collected emails from victim Microsoft Exchange servers. [1]
Enterprise | T1211 | Exploitation for Defense Evasion | APT28 has used CVE-2015-4902 to bypass security features. [15] [13]
Enterprise | T1068 | Exploitation for Privilege Escalation | APT28 has used CVE-2014-4076, CVE-2015-2387, and CVE-2015-1701 to escalate privileges. [15] [13]
Enterprise | T1210 | Exploitation of Remote Services | APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement. [4] [22] [23]
Enterprise | T1083 | File and Directory Discovery | APT28 has used Forfiles to locate PDF, Excel, and Word documents during. The group also searched a compromised DCCC computer for specific terms. [18] [1]
Enterprise | T1107 | File Deletion | APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner. [1]
Enterprise | T1158 | Hidden Files and Directories | An APT28 loader Trojan saves its payload with hidden file attributes. [24]
Enterprise | T1070 | Indicator Removal on Host | APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security. [3] [1]
Enterprise | T1056 | Input Capture | APT28 has used tools to perform keylogging. [13] [1]
Enterprise | T1037 | Logon Scripts | An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence. [24]
Enterprise | T1040 | Network Sniffing | APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials. [4] [22]
Enterprise | T1027 | Obfuscated Files or Information | APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4. [15] [19] [9]
Enterprise | T1137 | Office Application Startup | APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code. [25]
Enterprise | T1075 | Pass the Hash | APT28 has used pass the hash for lateral movement. [13]
Enterprise | T1120 | Peripheral Device Discovery | APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim. [13]
Enterprise | T1086 | PowerShell | APT28 downloads and executes PowerShell scripts. [9]
Enterprise | T1057 | Process Discovery | An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have the necessary permissions. [24]
Enterprise | T1105 | Remote File Copy | APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant. [15] [24]
Enterprise | T1091 | Replication Through Removable Media | APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted. [13]
Enterprise | T1085 | Rundll32 | APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 also executed a .dll for a first-stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload. [3] [15] [9] [24]
Enterprise | T1113 | Screen Capture | APT28 has used tools to take screenshots from victims. [16] [26] [1]
Enterprise | T1064 | Scripting | An APT28 loader Trojan uses a batch script to run its payload. [24]
Enterprise | T1193 | Spearphishing Attachment | APT28 sent spearphishing emails containing malicious Microsoft Office attachments. [19] [8] [9] [1]
Enterprise | T1192 | Spearphishing Link | APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites. [1]
Enterprise | T1071 | Standard Application Layer Protocol | APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration. [4]
Enterprise | T1099 | Timestomp | APT28 has performed timestomping on victim files. [3]
Enterprise | T1199 | Trusted Relationship | Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network. [1]
Enterprise | T1204 | User Execution | APT28 attempted to get users to click on Microsoft Excel attachments containing malicious macro scripts. [19]
Enterprise | T1078 | Valid Accounts | APT28 has used legitimate credentials to maintain access to a victim network and exfiltrate data. The group also used credentials stolen through a spearphishing email to log in to the DCCC network. [27] [1]
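Several rows of the table above name concrete host artifacts a detection engineer can key on: event log clearing with wevtutil (T1070), certutil -decode (T1140), rundll32 loading a DLL from C:\Windows rather than the system directories (T1085), the UserInitMprLogonScript and Office Test registry locations (T1037, T1137), and a user-hive COM registration that shadows a legitimate object (T1122). The following Python triage routine is an added example written for this page; it is not part of ATT&CK or of any vendor product. The event schema, the sample telemetry and the "DLL outside the system directories" heuristic for rundll32 are assumptions made here.

```python
"""Map constructed endpoint telemetry to the host-level APT28 techniques
named on this page.  Added example; the event schema is an assumption."""

import re
import shlex
from typing import Dict, List

# Registry locations the page names as APT28 persistence points (prefix match,
# so a write to the key's default value is also caught).
PERSISTENCE_PREFIXES = {
    r"hkcu\environment\userinitmprlogonscript": "T1037 Logon Scripts",
    r"hkcu\software\microsoft\office test\special\perf": "T1137 Office Application Startup",
}

# A CLSID registered under HKCU\Software\Classes shadows the machine-wide
# registration; the page describes this for MMDeviceEnumerator (T1122).
# Heuristic: any InprocServer32 write under the user-hive CLSID tree.
COM_HIJACK_RE = re.compile(
    r"^hkcu\\software\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32", re.I
)

# Directories from which rundll32 normally loads DLLs (assumed allow-list).
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def check_process(cmdline: str) -> List[str]:
    """Return technique labels matched by one process command line."""
    findings: List[str] = []
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return findings
    image = argv[0].strip('"').lower().rsplit("\\", 1)[-1]
    if image.endswith(".exe"):
        image = image[:-4]
    args = [a.lower() for a in argv[1:]]

    # T1070: "wevtutil cl <log>" clears an event log (page: System and Security).
    if image == "wevtutil" and any(a in ("cl", "clear-log") for a in args):
        findings.append("T1070 Indicator Removal on Host: event log cleared with wevtutil")
    # T1140: certutil -decode turns a base64 text file back into a binary payload.
    if image == "certutil" and "-decode" in args:
        findings.append("T1140 Deobfuscate/Decode Files or Information: certutil -decode")
    # T1085: rundll32 loading a DLL from outside the system directories
    # (page example: rundll32.exe "C:\Windows\twain_64.dll").
    if image == "rundll32" and args:
        dll = args[0].strip('"').split(",")[0]
        if dll.endswith(".dll") and not dll.startswith(SYSTEM_DLL_DIRS):
            findings.append(f"T1085 Rundll32: DLL outside system directories ({dll})")
    return findings


def check_registry(path: str) -> List[str]:
    """Return technique labels matched by one registry write path."""
    findings: List[str] = []
    norm = path.lower().replace("hkey_current_user", "hkcu")
    for prefix, technique in PERSISTENCE_PREFIXES.items():
        if norm.startswith(prefix):
            findings.append(f"{technique}: write to {path}")
    if COM_HIJACK_RE.match(norm):
        findings.append("T1122 Component Object Model Hijacking: user-hive InprocServer32 registration")
    return findings


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both checks over a list of events; one finding dict per match."""
    out: List[Dict[str, str]] = []
    for ev in events:
        if ev["type"] == "process":
            hits = check_process(ev["cmdline"])
        elif ev["type"] == "registry":
            hits = check_registry(ev["path"])
        else:
            hits = []
        out.extend({"id": ev["id"], "technique": h} for h in hits)
    return out


# Constructed sample telemetry (not taken from any real incident).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "cmdline": r"C:\Windows\System32\wevtutil.exe cl Security"},
    {"id": "e2", "type": "process", "cmdline": r"certutil -decode C:\Users\Public\doc.txt C:\Users\Public\doc.exe"},
    {"id": "e3", "type": "process", "cmdline": r'rundll32.exe "C:\Windows\twain_64.dll"'},
    {"id": "e4", "type": "process", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": "e5", "type": "registry", "path": r"HKCU\Environment\UserInitMprLogonScript"},
    {"id": "e6", "type": "registry", "path": r"HKCU\Software\Microsoft\Office test\Special\Perf\(Default)"},
    {"id": "e7", "type": "registry", "path": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"},
    {"id": "e8", "type": "process", "cmdline": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["id"], finding["technique"])
```

The legitimate rundll32 invocation (e4) and the plain notepad launch (e8) produce no findings, which is the point of anchoring the rundll32 rule on the DLL's directory rather than on rundll32 itself. In production the same logic would consume Sysmon event ID 1 (process creation) and 13 (registry value set) records rather than the constructed list above.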

Software

ID | Name | Techniques
S0045 | ADVSTORESHELL | Command-Line Interface, Commonly Used Port, Component Object Model Hijacking, Data Compressed, Data Encoding, Data Encrypted, Data Staged, Execution through API, Exfiltration Over Command and Control Channel, File and Directory Discovery, File Deletion, Input Capture, Modify Registry, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Query Registry, Registry Run Keys / Startup Folder, Rundll32, Scheduled Transfer, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery
S0160 | certutil | Deobfuscate/Decode Files or Information, Install Root Certificate, Remote File Copy
S0023 | CHOPSTICK | Command-Line Interface, Communication Through Removable Media, Connection Proxy, Fallback Channels, File and Directory Discovery, Input Capture, Modify Registry, Query Registry, Remote File Copy, Replication Through Removable Media, Screen Capture, Security Software Discovery, Standard Application Layer Protocol, Standard Cryptographic Protocol
S0137 | CORESHELL | Binary Padding, Custom Cryptographic Protocol, Data Encoding, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Standard Application Layer Protocol, System Information Discovery
S0243 | DealersChoice | Exploitation for Client Execution, Scripting, Standard Application Layer Protocol
S0193 | Forfiles | Data from Local System, File and Directory Discovery, Indirect Command Execution
S0135 | HIDEDRV | Process Injection, Rootkit
S0044 | JHUHUGIT | Clipboard Data, Component Object Model Hijacking, Data Encoding, Exploitation for Privilege Escalation, Fallback Channels, File Deletion, Logon Scripts, New Service, Obfuscated Files or Information, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Scheduled Task, Screen Capture, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery
S0250 | Koadic | Bypass User Account Control, Clipboard Data, Command-Line Interface, Credential Dumping, Data from Local System, Mshta, Network Service Scanning, Network Share Discovery, Process Injection, Regsvr32, Remote Desktop Protocol, Remote File Copy, Rundll32, Scripting, Service Execution, Standard Cryptographic Protocol, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0162 | Komplex | Custom Cryptographic Protocol, File Deletion, Hidden Files and Directories, Launch Agent, Process Discovery, Standard Application Layer Protocol, System Owner/User Discovery
S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0138 | OLDBAIT | Credential Dumping, Masquerading, Obfuscated Files or Information, Standard Application Layer Protocol
S0174 | Responder | LLMNR/NBT-NS Poisoning, Network Sniffing
S0136 | USBStealer | Automated Collection, Automated Exfiltration, Communication Through Removable Media, Data from Removable Media, Data Staged, Exfiltration Over Physical Medium, File and Directory Discovery, File Deletion, Masquerading, Obfuscated Files or Information, Peripheral Device Discovery, Registry Run Keys / Startup Folder, Replication Through Removable Media, Timestomp
S0191 | Winexe | Service Execution
S0314 | X-Agent for Android | Location Tracking, Repackaged Application
S0161 | XAgentOSX | Credentials in Files, Execution through API, File and Directory Discovery, File Deletion, Input Capture, Peripheral Device Discovery, Process Discovery, Screen Capture, Standard Application Layer Protocol, System Information Discovery, System Owner/User Discovery
S0117 | XTunnel | Binary Padding, Command-Line Interface, Connection Proxy, Credentials in Files, Fallback Channels, Network Service Scanning, Obfuscated Files or Information, Remote File Copy, Standard Cryptographic Protocol
S0251 | Zebrocy | Custom Command and Control Protocol, Remote File Copy, Standard Application Layer Protocol, System Information Discovery

References

  1. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  2. Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
  3. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  4. FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
  5. SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
  6. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  7. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  8. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE - Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  9. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  10. Lee, B., Falcone, R. (2018, June 06). Sofacy Group's Parallel Attacks. Retrieved June 18, 2018.
  11. FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
  12. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  13. Anthe, C., et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  14. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  15. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  16. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  17. Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.
  18. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  19. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  20. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
  21. Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.
  22. Smith, L., Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
  23. Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017.
  24. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  25. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  26. Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  27. Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
  28. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.