Group: APT28, Sednit, ...
Aliases: APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127
- Sednit - has been used in reporting both to refer to the threat group and its associated malware.[3]
- Sofacy - has been used in reporting both to refer to the threat group and its associated malware.[1]
- Data Obfuscation - APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[1]
- Connection Proxy - APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.[1] The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router.[6]
- Standard Application Layer Protocol - APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration.[1]
- Remote File Copy - After security appliances blocked one version of the ADVSTORESHELL implant, APT28 actors compiled and delivered another ADVSTORESHELL x64 backdoor.[7] APT28 also used a first-stage downloader to contact the C2 server to obtain the second-stage implant.[6]
- Rundll32 - APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll".[5] APT28 also executed a .dll for a first-stage dropper using rundll32.exe.[6]
- Indicator Removal on Host - APT28 has cleared event logs using the commands wevtutil cl System and wevtutil cl Security.[5]
- Credential Dumping - APT28 regularly deploys both publicly available and custom password retrieval tools on victims.[8]
- Bootkit - APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[9]
- Component Object Model Hijacking - APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.[10]
- Exploitation of Vulnerability - APT28 has used CVE-2014-4076, CVE-2015-2387, and CVE-2015-1701 to escalate privileges, as well as CVE-2015-4902 to bypass security features.[6][11]
- Obfuscated Files or Information - APT28 encrypted a .dll payload using RTL and a custom encryption algorithm.[6]
- Replication Through Removable Media - APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.[11]
- Communication Through Removable Media - APT28 uses a tool that captures information from air-gapped computers via an infected USB device and transfers it to a network-connected computer when the USB device is inserted.[11]
- Data from Removable Media - An APT28 backdoor may collect the entire contents of an inserted USB device.[11]
- Peripheral Device Discovery - APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.[11]
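The "junk length" trick in the Data Obfuscation entry above is easiest to understand with a toy reconstruction. The following Python is an added example, not code from APT28 or from the FireEye report: the real junk placement algorithm is not described on this page, so the fixed-stride layout (junk spliced between every four Base64 characters), the Controller class, the implant name "victim-A" and the sample command are all assumptions made for the illustration. What it does show is the property the entry describes: the controller, which recorded the junk length at build time, decodes the traffic trivially, while an observer on the wire who lacks that value gets nothing from a plain Base64 decode or from a wrong guess.

```python
"""Toy reconstruction of a per-implant "junk length" encoding (added example)."""
import base64
import binascii
import random
import string
from typing import Dict, Optional

B64_ALPHABET = (string.ascii_letters + string.digits + "+/").encode()
STRIDE = 4  # Base64 characters kept between two junk runs (assumed layout)


def obfuscate(msg: bytes, junk_len: int, rng: random.Random) -> bytes:
    """Base64-encode msg, then splice junk_len junk bytes after every STRIDE chars."""
    encoded = base64.b64encode(msg)          # length is always a multiple of 4
    out = bytearray()
    for i in range(0, len(encoded), STRIDE):
        out += encoded[i:i + STRIDE]
        # Junk is drawn from the Base64 alphabet itself, so an analyst cannot
        # recover the message by merely discarding "invalid" characters.
        out += bytes(rng.choice(B64_ALPHABET) for _ in range(junk_len))
    return bytes(out)


def deobfuscate(blob: bytes, junk_len: int) -> Optional[bytes]:
    """Keep STRIDE chars out of every STRIDE + junk_len, then Base64-decode.

    Returns None when the assumed junk_len does not line up with the data:
    the kept characters then have the wrong length or stray '=' padding.
    """
    block = STRIDE + junk_len
    kept = b"".join(blob[i:i + STRIDE] for i in range(0, len(blob), block))
    try:
        return base64.b64decode(kept, validate=True)
    except binascii.Error:
        return None


class Controller:
    """C2 side: remembers the junk length assigned to each implant at build time."""

    def __init__(self, seed: int = 0) -> None:
        self._rng = random.Random(seed)      # seeded only to make the demo repeatable
        self.junk_table: Dict[str, int] = {}

    def build_implant(self, implant_id: str, junk_len: int) -> None:
        self.junk_table[implant_id] = junk_len

    def send(self, implant_id: str, command: bytes) -> bytes:
        return obfuscate(command, self.junk_table[implant_id], self._rng)

    def receive(self, implant_id: str, blob: bytes) -> Optional[bytes]:
        return deobfuscate(blob, self.junk_table[implant_id])


def demo() -> Dict[str, Optional[bytes]]:
    """Encode one constructed command and try to read it with and without the key."""
    c2 = Controller(seed=1)
    c2.build_implant("victim-A", junk_len=3)          # hypothetical implant
    command = b"upload C:\\Users\\admin\\Documents"   # constructed sample command
    wire = c2.send("victim-A", command)
    return {
        "wire": wire,
        "with_key": c2.receive("victim-A", wire),  # controller knows junk_len=3
        "naive": deobfuscate(wire, 0),             # plain Base64 of the wire bytes
        "wrong_guess": deobfuscate(wire, 2),       # analyst guessing junk_len=2
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>11}: {value!r}")
```

Because the junk characters are valid Base64, neither stripping "illegal" characters nor brute-forcing a few junk lengths by eye is enough; an analyst has to recover the per-implant value from the controller, the sample's configuration, or its decoding routine, which is exactly the effect the entry attributes to the technique.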
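For the Rundll32, Indicator Removal on Host and Component Object Model Hijacking entries above, the following Python shows detection logic a defender could run over process-creation, registry and log-clearing telemetry. It is an added example, not tooling from any of the cited reports. The event records are constructed for this illustration (field names follow the Sysmon and Windows Event Log schemas; the SID, paths and values are made up), and two of the heuristics are assumptions about what separates the behaviour on this page from routine use: a rundll32 command line with no ",Export" suffix (only the DLL's DllMain runs, which is the shape of the twain_64.dll command quoted above), and an InprocServer32 value written under a user hive, which is where a per-user COM hijack of an object like MMDeviceEnumerator has to live to shadow the machine-wide registration.

```python
"""Detection logic for the rundll32 / wevtutil / COM-hijacking behaviours (added example)."""
import re
from typing import Iterable, List, Optional, Tuple

# rundll32 by bare name or full path, optionally quoted, followed by its arguments
RUNDLL32_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?(?:\s+(.*))?\s*$', re.I)
# wevtutil cl|clear-log <channel>: the commands quoted on this page
WEVTUTIL_RE = re.compile(r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)', re.I)
# InprocServer32 under a *user* hive (HKU\<SID>\Software\Classes shadows HKLM)
COM_HIJACK_RE = re.compile(
    r'^HKU\\[^\\]+\\Software\\Classes\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32', re.I)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll, export) for a rundll32 command line, or None if it is not rundll32."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    args = (m.group(1) or "").strip()
    if args.startswith('"'):                   # "C:\dir with spaces\x.dll",Export ...
        end = args.find('"', 1)
        end = len(args) if end < 0 else end
        dll, rest = args[1:end], args[end + 1:]
    else:                                      # x.dll,Export arg1 arg2
        cuts = [i for i in (args.find(","), args.find(" ")) if i >= 0]
        cut = min(cuts) if cuts else len(args)
        dll, rest = args[:cut], args[cut:]
    export = (rest[1:].split() or [None])[0] if rest.startswith(",") else None
    return dll, export


def classify(event: dict) -> List[str]:
    """Findings for one record; an empty list means nothing of interest."""
    findings: List[str] = []
    channel, eid = event.get("Channel"), event.get("EventID")
    if channel == "Security" and eid == 1102:
        findings.append("Security log cleared (Security 1102)")
    if channel == "System" and eid == 104:
        findings.append("System log cleared (System 104)")
    if channel == "Sysmon" and eid == 1:       # process creation
        cmd = event.get("CommandLine", "")
        wm = WEVTUTIL_RE.search(cmd)
        if wm:
            findings.append(f"wevtutil clearing the {wm.group(1)} log")
        parsed = parse_rundll32(cmd)
        if parsed:
            dll, export = parsed
            if not dll:
                findings.append("rundll32 started without a DLL argument")
            elif export is None:
                # No ",Export": nothing runs but the DLL's own DllMain (assumed heuristic)
                findings.append(f"rundll32 loading {dll} with no export name")
    if channel == "Sysmon" and eid == 13:      # registry value set
        cm = COM_HIJACK_RE.match(event.get("TargetObject", ""))
        if cm:
            findings.append(f"per-user COM server for {cm.group(1)} -> {event.get('Details')}")
    return findings


def scan(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Run classify() over a record stream; returns (record index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Channel": "Sysmon", "EventID": 1,
     "CommandLine": r'rundll32.exe "C:\Windows\twain_64.dll"'},
    {"Channel": "Sysmon", "EventID": 1,        # routine: export name present
     "CommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"Channel": "Sysmon", "EventID": 1, "CommandLine": "wevtutil cl System"},
    {"Channel": "Sysmon", "EventID": 1, "CommandLine": "wevtutil cl Security"},
    {"Channel": "Sysmon", "EventID": 1,        # routine: querying, not clearing
     "CommandLine": "wevtutil qe Security /c:5"},
    {"Channel": "System", "EventID": 104},     # logged when the System log is cleared
    {"Channel": "Security", "EventID": 1102},  # logged when the Security log is cleared
    {"Channel": "Sysmon", "EventID": 13,       # user-hive CLSID of MMDeviceEnumerator
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\Sound\audiodevice.dll"},
    {"Channel": "Sysmon", "EventID": 13,       # machine-wide registration by an installer
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID"
                     r"\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\MMDevAPI.dll"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"record {idx}: {finding}")
```

Two of the checks deserve a caveat. Rundll32 without an export name and a user-hive InprocServer32 write are both things benign software occasionally does, so in production they are hunting leads to be triaged against the DLL path and signer rather than alerts on their own. The log-cleared events, by contrast, are high-confidence on their own, and because wevtutil cl Security removes the process-creation record of the command itself, the 1102 event that Windows writes into the freshly emptied log is often the only trace that survives on the host; forwarding Security and System events off the machine before they can be cleared is the control that makes the detection reliable.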
References:
- [1] FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations? Retrieved August 19, 2015.
- [2] SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
- [3] FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- [4] Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- [5] Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- [6] Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- [7] Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- [8] ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- [9] ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- [10] ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- [11] Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.