Group: APT28, Sednit, ...

ID G0007
Aliases APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127

APT28 is a threat group that has been attributed to the Russian government.[1][2][3][4] This group reportedly compromised the Democratic National Committee in April 2016.[5]

Alias Descriptions

  • Sednit - has been used in reporting to refer both to the threat group and to its associated malware.[3]
  • Sofacy - has been used in reporting to refer both to the threat group and to its associated malware.[1]

Techniques Used

  • Data Obfuscation - APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire. A network capture of one implant's traffic therefore cannot be decoded with the junk length recovered from another.[1]
  • Connection Proxy - APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.[1] The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router.[6]
  • Standard Application Layer Protocol - APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration.[1]
  • Remote File Copy - After security appliances blocked one version of the ADVSTORESHELL implant, APT28 actors compiled and delivered another ADVSTORESHELL x64 backdoor.[7] APT28 also used a first-stage downloader to contact the C2 server to obtain the second-stage implant.[6]
  • Rundll32 - APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll".[5] Note that no export name is given: rundll32 loads the DLL, so its DllMain runs, before it fails to find an entry point. APT28 also executed a .dll for a first-stage dropper using rundll32.exe.[6]
  • Timestomp - APT28 has performed timestomping on victim files.[5]
  • Credential Dumping - APT28 regularly deploys both publicly available and custom password retrieval tools on victims.[8]
  • Screen Capture - APT28 regularly deploys a custom tool to take regular screenshots of victims.[8]
  • Bootkit - APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[9]
  • Exploitation of Vulnerability - APT28 has used CVE-2014-4076, CVE-2015-2387, and CVE-2015-1701 to escalate privileges, as well as CVE-2015-4902 to bypass security features.[6][11]
  • Communication Through Removable Media - APT28 uses a tool that captures information from air-gapped computers via an infected USB device and transfers it to a network-connected computer when the USB device is inserted there.[11]
  • Data Staged - APT28 has stored captured credential information in a file named pi.log.[11]
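Two of the techniques above leave cheap, concrete telemetry: the Rundll32 entry (a DLL passed to rundll32.exe with no export name, or loaded from a user-writable directory) and the Data Staged entry (a file named pi.log). The script below is an added example, not code from ATT&CK or from any of the cited reports. It parses rundll32 command lines the way rundll32 itself reads them (DLL, comma, entry point) and runs three hunting rules over a handful of constructed, Sysmon-shaped events; the event field names (event, host, image, cmdline, target) and the sample events are assumptions for illustration and will differ from real Sysmon or EDR schemas.

```python
"""Hunt constructed process-creation and file-creation events for two APT28
tradecraft patterns: rundll32.exe given a DLL with no export name (or a DLL in a
user-writable path) and credential staging into a file named pi.log.

Added example. Event shape and sample data are constructed, not real telemetry.
"""
import ntpath
import re

RUNDLL32_IMAGE = re.compile(r"^rundll32(\.exe)?$", re.IGNORECASE)
# Path fragments that an unprivileged user can write to; a DLL loaded from here
# by rundll32 is far more suspicious than one resolved from System32.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed sample events (hypothetical, loosely Sysmon-shaped).
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\twain_64.dll"'},          # CHOPSTICK style
    {"event": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},  # benign
    {"event": "process_create", "host": "ws02",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\stage1.dll,Init"},
    {"event": "file_create", "host": "ws02",
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\bob\AppData\Roaming\pi.log"},
]


def split_windows_cmdline(cmdline):
    """Split on whitespace, keeping double-quoted spans together (quotes stripped).
    Sufficient for rundll32 command lines; not a full CommandLineToArgvW."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_rundll32(cmdline):
    """Return (dll, export) for a rundll32 invocation, or None if it is not one.
    export is None when no entry point was named: rundll32 still loads the DLL
    (running DllMain) before it reports the missing entry."""
    toks = split_windows_cmdline(cmdline)
    if not toks or not RUNDLL32_IMAGE.search(ntpath.basename(toks[0])):
        return None
    if len(toks) < 2:
        return ("", None)
    target = toks[1]
    if len(toks) > 2 and toks[2].startswith(","):   # "<dll> ,<entry>" form
        target += toks[2]
    dll, sep, export = target.partition(",")
    if sep and not export and len(toks) > 2:         # "<dll>, <entry>" form
        export = toks[2]
    return (dll, export or None)


def check_rundll32(event):
    """Rules for the Rundll32 technique; returns a list of (rule, detail)."""
    parsed = parse_rundll32(event.get("cmdline", ""))
    if parsed is None:
        return []
    dll, export = parsed
    findings = []
    if export is None:
        findings.append(("rundll32_no_export", dll))
    if any(marker in dll.lower() for marker in USER_WRITABLE):
        findings.append(("rundll32_user_writable_dll", dll))
    return findings


def check_staging(event):
    """Rule for the Data Staged technique: any file named pi.log being created.
    A filename is a weak indicator on its own; treat hits as leads, not verdicts."""
    target = event.get("target", "")
    if ntpath.basename(target).lower() == "pi.log":
        return [("pi_log_staging", target)]
    return []


def hunt(events):
    """Run every rule over every event; returns one dict per finding."""
    findings = []
    for ev in events:
        for rule, detail in check_rundll32(ev) + check_staging(ev):
            findings.append({"host": ev["host"], "event": ev["event"],
                             "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['event']:15} {f['rule']:27} {f['detail']}")
```

Run against the constructed events, the script flags the twain_64.dll invocation for lacking an export name, the Temp-directory DLL for its path, and the pi.log write; the shell32.dll Control Panel launch is left alone. The rundll32 rules are the durable part: they describe how the binary is abused rather than a specific file name, whereas the pi.log rule will only ever catch reuse of that one indicator.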