Group: APT28, Sednit, ...

ID G0007
Aliases APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127

APT28 is a threat group that has been attributed to the Russian government.[1][2][3][4] This group reportedly compromised the Democratic National Committee in April 2016.[5]

Alias Descriptions

  • Sednit - has been used in reporting both to refer to the threat group and its associated malware.[3]
  • Sofacy - has been used in reporting both to refer to the threat group and its associated malware.[1]

Techniques Used

  • Data Obfuscation - APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[1]
  • Connection Proxy - APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.[1] The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router.[6]
  • Standard Application Layer Protocol - APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration.[1]
  • Remote File Copy - After security appliances blocked one version of the ADVSTORESHELL implant, APT28 actors compiled and delivered another ADVSTORESHELL x64 backdoor.[7] APT28 also used a first-stage downloader to contact the C2 server to obtain the second-stage implant.[6]
  • Rundll32 - APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll".[5] APT28 also executed a .dll for a first-stage dropper using rundll32.exe.[6]
  • Timestomp - APT28 has performed timestomping on victim files.[5]
  • Credential Dumping - APT28 regularly deploys both publicly available and custom password retrieval tools on victims.[8]
  • Screen Capture - APT28 regularly deploys a custom tool to take regular screenshots of victims.[8][9]
  • Bootkit - APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[10]
  • Exploitation of Vulnerability - APT28 has used CVE-2014-4076, CVE-2015-2387, and CVE-2015-1701 to escalate privileges, as well as CVE-2015-4902 to bypass security features.[6][12]
  • Communication Through Removable Media - APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted.[12]
  • Data Staged - APT28 has stored captured credential information in a file named pi.log.[12]
  • Peripheral Device Discovery - APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.[12] They have also looked for the presence of iOS devices by looking for their backups.[9]
  • Access Token Manipulation - APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[13]
  • Valid Accounts - APT28 has used legitimate credentials to maintain access to a victim network and exfiltrate data.[14]
  • Office Application Startup - APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.[15]
  • Process Discovery - APT28 has used built-in tools like ps aux on macOS to determine which processes are running.[9]
  • System Information Discovery - APT28 has enumerated installed applications on macOS devices with built-in utilities such as ls -al /Applications.[9]
  • File Deletion - APT28 has deleted files from the system via the NSFileManager:removeFileAtPath method.[9]
  • Credentials in Files - APT28 has been known to specifically look for Firefox passwords on the file system.[9]
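A defender-side audit of the Office Test persistence location listed under Office Application Startup, as an added example that is not from the ATT&CK page. It assumes PowerShell on the Windows host being audited; the HKLM variant of the key is an addition beyond what the page cites.

```powershell
# Added example (not from the ATT&CK page): audit the Office Test persistence location.
# On a clean host the "Office test" key normally does not exist at all, so any value
# found here, particularly one naming a DLL, warrants investigation.
$paths = @(
    'HKCU:\Software\Microsoft\Office test\Special\Perf',  # location cited on the page
    'HKLM:\Software\Microsoft\Office test\Special\Perf'   # machine-wide variant (assumption: not cited on the page)
)

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "[ok]      $p not present"
        continue
    }
    $key   = Get-Item -LiteralPath $p
    $names = @($key.GetValueNames())
    if ($names.Count -eq 0) {
        Write-Output "[warn]    $p exists but holds no values (key should be absent on a clean host)"
        continue
    }
    foreach ($n in $names) {
        $v     = $key.GetValue($n)
        $label = if ($n -eq '') { '(Default)' } else { $n }
        # Office Test loads the referenced library at application start; a DLL path is the classic indicator.
        $flag  = if ("$v" -match '\.dll$') { 'SUSPECT' } else { 'review' }
        Write-Output ("[{0}] {1} {2} = {3}" -f $flag, $p, $label, $v)
        if ($flag -eq 'SUSPECT' -and (Test-Path -LiteralPath "$v")) {
            # Unsigned or oddly signed libraries in this location are the ones to triage first.
            Get-AuthenticodeSignature -FilePath "$v" | Select-Object Status, SignerCertificate | Format-List
        }
    }
}
```

For continuous coverage rather than a point-in-time audit, the same key path is a good candidate for a registry value-set alert in whatever endpoint telemetry is in use.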