Group: APT28
Aliases: APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127
- Sednit - has been used in reporting both to refer to the threat group and its associated malware. [3]
- Sofacy - has been used in reporting both to refer to the threat group and its associated malware. [1]
- Data Obfuscation - APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire. [1]
- Connection Proxy - APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. [1] The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. [6]
- Standard Application Layer Protocol - APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration. [1]
- Remote File Copy - After security appliances blocked one version of the ADVSTORESHELL implant, APT28 actors compiled and delivered another ADVSTORESHELL x64 backdoor. [7] APT28 also used a first-stage downloader to contact the C2 server to obtain the second-stage implant. [6]
- Rundll32 - APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". [5] APT28 also executed a .dll for a first-stage dropper using rundll32.exe. [6]
- Indicator Removal on Host - APT28 has cleared event logs using the commands wevtutil cl System and wevtutil cl Security. [5]
- Credential Dumping - APT28 regularly deploys both publicly available and custom password retrieval tools on victims. [8]
- Bootkit - APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy. [10]
- Component Object Model Hijacking - APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload. [11]
- Exploitation of Vulnerability - APT28 has used CVE-2014-4076, CVE-2015-2387, and CVE-2015-1701 to escalate privileges, as well as CVE-2015-4902 to bypass security features. [6][12]
- Obfuscated Files or Information - APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. [6]
- Replication Through Removable Media - APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted. [12]
- Communication Through Removable Media - APT28 uses a tool that captures information from air-gapped computers via an infected USB device and transfers it to a network-connected computer when the USB device is inserted. [12]
- Data from Removable Media - An APT28 backdoor may collect the entire contents of an inserted USB device. [12]
- Peripheral Device Discovery - APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim. [12] They have also looked for the presence of iOS devices by looking for their backups. [9]
- Access Token Manipulation - APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation. [13]
- Valid Accounts - APT28 has used legitimate credentials to maintain access to a victim network and exfiltrate data. [14]
- Office Application Startup - APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code. [15]
- System Owner/User Discovery - APT28 has queried information on machines to determine the current user or system owner. [9]
- Process Discovery - APT28 has used built-in tools like ps aux on macOS to determine which processes are running. [9]
- System Information Discovery - APT28 has enumerated installed applications on macOS devices with built-in utilities such as ls -al /Applications. [9]
- File Deletion - APT28 has deleted files from the system via the NSFileManager removeFileAtPath: method. [9]
- Credentials in Files - APT28 has been known to specifically look for Firefox passwords on the file system. [9]
- File and Directory Discovery - APT28 has a utility to list detailed information about files and directories. [9]
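The two registry-based persistence mechanisms in the list above (the COM hijack of MMDeviceEnumerator and the Office Test key) can both be audited from a registry export. The following script is an added example written for this page; it is not code from any of the cited reports. The CLSID of MMDeviceEnumerator and the Office Test key path are the real Windows values; the .reg content, user name and DLL names are constructed for illustration, and the parser handles only the simple string values a minimal export contains.

```python
"""Audit a Windows registry export (.reg) for two APT28 user-level persistence
mechanisms: a COM hijack of MMDeviceEnumerator under HKCU, and the Office Test key.
Added example; the registry content below is constructed, not a real capture."""
import re
from typing import Dict, List, Optional

# Real CLSID of the MMDeviceEnumerator class (normally served by MMDevAPI.dll in System32).
MMDEVICE_ENUMERATOR_CLSID = "{BCDE0395-E52F-467C-8E3D-C4579291692E}"
# The Office Test key; the space in "Office test" is part of the real path.
OFFICE_TEST_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"

# Per-user COM registrations are resolved before the machine-wide ones, so an
# InprocServer32 under HKCU for a CLSID that also exists under HKLM hijacks it.
HKCU_INPROC = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32$", re.I)
MACHINE_INPROC = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{}\\InprocServer32"

# Constructed sample in .reg export syntax (user and DLL names are invented).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@="C:\\Windows\\System32\\MMDevAPI.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\msdev.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\btecache.dll"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: data}}; '@' is the default value."""
    reg: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping of quotes and backslashes.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            reg[current][name] = data
    return reg


def find_com_hijacks(reg: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag every per-user InprocServer32 registration; note when it shadows a machine class."""
    findings = []
    for key, values in reg.items():
        m = HKCU_INPROC.match(key)
        if not m:
            continue
        clsid = m.group(1).upper()
        machine_key = MACHINE_INPROC.format(clsid).upper()
        findings.append({
            "clsid": clsid,
            "dll": values.get("@", ""),
            "shadows_machine_class": any(k.upper() == machine_key for k in reg),
            "known_target": clsid == MMDEVICE_ENUMERATOR_CLSID,
        })
    return findings


def find_office_test(reg: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the DLL path registered under the Office Test key, or None if absent."""
    for key, values in reg.items():
        if key.lower() == OFFICE_TEST_KEY.lower():
            return values.get("@")
    return None


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for hit in find_com_hijacks(parsed):
        print("COM hijack candidate:", hit)
    print("Office Test DLL:", find_office_test(parsed))
```

On a live host the same checks apply to output of reg export HKCU\Software\Classes\CLSID and reg export "HKCU\Software\Microsoft\Office test"; any per-user InprocServer32 pointing into a user-writable directory deserves a look even when the CLSID is not MMDeviceEnumerator.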
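The Rundll32 and Indicator Removal on Host entries above describe two command lines that are cheap to detect from process-creation telemetry. The following detection logic is an added example for this page, not code from the cited reports. The events are constructed JSON lines loosely modelled on Sysmon process-creation (EventID 1) and Security 1102 ("The audit log was cleared") records; the field names and the rundll32 heuristics (DLL outside System32/SysWOW64, or no entry point after the DLL) are assumptions of this example, and the 104 handling covers the System-log record Windows writes when a non-Security log is cleared.

```python
"""Detect event-log clearing and suspicious rundll32 use from process-creation events.
Added example; the sample events are constructed, not real telemetry."""
import json
import re
from typing import List, Tuple

# Directories from which rundll32 normally loads legitimate DLLs (assumption of this example).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample events in JSON-lines form (user and ordering are invented).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe \"C:\\Windows\\twain_64.dll\"", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl System", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl Security", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil qe Security /c:5", "User": "CORP\\jdoe"}
{"EventID": 1102, "Channel": "Security", "Message": "The audit log was cleared.", "User": "CORP\\jdoe"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_log_clearing(events: List[dict]) -> List[dict]:
    """Flag wevtutil cl / clear-log invocations and the log records Windows writes on a clear."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid == 1 and image.endswith("\\wevtutil.exe"):
            tokens = ev.get("CommandLine", "").split()
            if len(tokens) >= 3 and tokens[1].lower() in ("cl", "clear-log"):
                findings.append({"source": "commandline", "log": tokens[2], "user": ev.get("User")})
        elif eid == 1102 and ev.get("Channel") == "Security":
            findings.append({"source": "eventlog", "log": "Security", "user": ev.get("User")})
        elif eid == 104 and ev.get("Channel") == "System":
            findings.append({"source": "eventlog", "log": "non-Security (see Message)", "user": ev.get("User")})
    return findings


def split_rundll32_args(cmdline: str) -> Tuple[str, str]:
    """Return (dll_path, entry_point) from a rundll32 command line; entry_point is '' if absent."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s+(?P<rest>.*)$', cmdline)  # drop the program token
    if not m:
        return "", ""
    rest = m.group("rest").strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        dll, tail = rest[1:end], rest[end + 1:]
    else:
        m2 = re.match(r"^([^,\s]+)(.*)$", rest)
        dll, tail = m2.group(1), m2.group(2)
    tail = tail.strip()
    entry = tail[1:].split()[0] if tail.startswith(",") and len(tail) > 1 else ""
    return dll, entry


def detect_suspicious_rundll32(events: List[dict]) -> List[dict]:
    """Flag rundll32 loading a DLL outside the trusted directories or without an entry point."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\rundll32.exe"):
            continue
        dll, entry = split_rundll32_args(ev.get("CommandLine", ""))
        directory = dll.rsplit("\\", 1)[0].lower() if "\\" in dll else ""
        reasons = []
        if directory not in TRUSTED_DLL_DIRS:
            reasons.append("dll outside System32/SysWOW64")
        if not entry:
            reasons.append("no entry point given")
        if reasons:
            findings.append({"dll": dll, "entry": entry, "reasons": reasons, "user": ev.get("User")})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in detect_log_clearing(evs) + detect_suspicious_rundll32(evs):
        print(f)
```

The command-line match is the earlier signal; the 1102/104 records are the corroborating one, and they survive in forwarded logs even when the local log has just been emptied, which is the point of forwarding them.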
- [1] FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations? Retrieved August 19, 2015.
- [2] SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
- [3] FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- [4] Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE - Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- [5] Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- [6] Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- [7] Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT Hits High Profile Targets with Updated Toolset. Retrieved December 10, 2015.
- [8] ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- [9] Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- [10] ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- [11] ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- [12] Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- [13] FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
- [14] Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
- [15] Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used in Recent Sofacy Attacks. Retrieved July 3, 2017.