Group: APT28, Sednit, ...
Aliases: APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127
- APT28 [1][2][5][6][7]
- Sednit - This designation has been used in reporting both to refer to the threat group and its associated malware. [3][2][6]
- Sofacy - This designation has been used in reporting both to refer to the threat group and its associated malware. [1][2][5][7]
- Pawn Storm [2][7]
- Fancy Bear [5][6][7]
- STRONTIUM [6][7]
- Tsar Team [7]
- Threat Group-4127 [2]
- TG-4127 [2]
- Data Obfuscation - APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire. [1]
- Connection Proxy - APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. [1] The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. [8]
- Standard Application Layer Protocol - APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration. [1]
- Remote File Copy - APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant. [8][9]
- Rundll32 - APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". [5] APT28 also executed a .dll for a first stage dropper using rundll32.exe. [8] An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload. [9]
- Indicator Removal on Host - APT28 has cleared event logs using the commands wevtutil cl System and wevtutil cl Security. [5]
- Credential Dumping - APT28 regularly deploys both publicly available and custom password retrieval tools on victims. [10]
- Bootkit - APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy. [7]
- Component Object Model Hijacking - APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload. [12]
- Exploitation for Privilege Escalation - APT28 has used CVE-2014-4076, CVE-2015-2387, and CVE-2015-1701 to escalate privileges. [8][13]
- Obfuscated Files or Information - APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. [8] APT28 has also obfuscated payloads with base64 and XOR. [14]
- Replication Through Removable Media - APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted. [13]
- Communication Through Removable Media - APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted. [13]
- Data from Removable Media - An APT28 backdoor may collect the entire contents of an inserted USB device. [13]
- Peripheral Device Discovery - APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim. [13] They have also looked for the presence of iOS devices by looking for their backups. [11]
- Access Token Manipulation - APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation. [15]
- Valid Accounts - APT28 has used legitimate credentials to maintain access to a victim network and exfiltrate data. [16]
- Office Application Startup - APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code. [17]
- System Owner/User Discovery - APT28 has queried information on machines to determine the current user or system owner. [11]
- Process Discovery - APT28 has used built-in tools like ps aux on macOS to determine which processes are running. [11] An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have the necessary permissions. [9]
- System Information Discovery - APT28 has enumerated installed applications on macOS devices with built-in utilities such as ls -al /Applications. [11]
- File Deletion - APT28 has deleted files from the system via the NSFileManager:removeFileAtPath method. [11]
- Credentials in Files - APT28 has been known to specifically look for Firefox passwords on the file system. [11]
- Network Sniffing - APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials. [18]
- Dynamic Data Exchange - APT28 has delivered JHUHUGIT by executing PowerShell commands through DDE in Word documents. [19][20]
- File and Directory Discovery - APT28 has used Forfiles to locate PDF, Excel, and Word documents during Collection. [21] APT28 has a utility to list detailed information about files and directories. [11]
- Hidden Files and Directories - An APT28 loader Trojan saves its payload with hidden file attributes. [9]
- Logon Scripts - An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence. [9]
- Spearphishing Attachment - APT28 sent spearphishing emails with Microsoft Excel attachments containing malicious macro scripts. [14]
- Deobfuscate/Decode Files or Information - An APT28 macro uses the command certutil -decode to decode the contents of a .txt file storing the base64 encoded payload. [14]
- Exploitation of Remote Services - APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement. [18][22]
- Data from Information Repositories - APT28 has collected information from Microsoft SharePoint services within target networks. [23]
- User Execution - APT28 attempted to get users to click on Microsoft Excel attachments containing malicious macro scripts. [14]
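Several of the entries above name concrete host artifacts a defender can key on: the wevtutil cl log-clearing commands, rundll32 loading a DLL straight from C:\Windows, certutil -decode, Forfiles document hunting, the Office Test registry key, the UserInitMprLogonScript value, and the COM hijack. The following triage script, an added example that is not part of the ATT&CK page or of any cited report, turns those entries into rules and runs them over constructed, Sysmon-like event records. The record shape (the fields type, command_line and key) is an assumption of this example, the CLSID in the sample COM event is a placeholder rather than the real MMDeviceEnumerator identifier, and the per-user CLSID rule relies on the general mechanism of COM hijacking (an HKCU InprocServer32 entry shadowing the machine-wide registration), which the page only implies.

```python
"""
Triage of endpoint telemetry for the APT28 tradecraft described on this page.

Added example, not code from MITRE ATT&CK or any of the cited reports. Event
records are a constructed, Sysmon-like shape; the field names 'type',
'command_line' and 'key' are assumptions of this example.
"""
import re
from typing import Dict, List

# Process-creation rules keyed on the command lines cited in the entries above.
PROCESS_RULES = [
    ("Indicator Removal on Host: wevtutil cl",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("Deobfuscate/Decode Files or Information: certutil -decode",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I)),
    ("File and Directory Discovery: forfiles",
     re.compile(r"\bforfiles(\.exe)?\b", re.I)),
    # twain_64.dll was loaded straight from C:\Windows; System32/SysWOW64 paths
    # are excluded because [^\\"]+ cannot cross a directory separator.
    ("Rundll32: DLL loaded from the Windows root directory",
     re.compile(r'\brundll32(\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll', re.I)),
]

# Registry rules for the persistence locations the entries above name.
REGISTRY_RULES = [
    ("Office Application Startup: Office Test key",
     re.compile(r"\\software\\microsoft\\office test\\special\\perf(\\|$)", re.I)),
    ("Logon Scripts: UserInitMprLogonScript",
     re.compile(r"\\environment\\userinitmprlogonscript(\\|$)", re.I)),
    # Assumption: a per-user InprocServer32 entry shadows the machine-wide COM
    # registration, which is the general shape of the MMDeviceEnumerator hijack.
    ("Component Object Model Hijacking: per-user CLSID override",
     re.compile(r"^hkcu\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32", re.I)),
]


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single event matches."""
    hits: List[str] = []
    if event.get("type") == "process_create":
        text, rules = event.get("command_line", ""), PROCESS_RULES
    elif event.get("type") == "registry_set":
        text, rules = event.get("key", ""), REGISTRY_RULES
    else:
        return hits
    for name, pattern in rules:
        if pattern.search(text):
            hits.append(name)
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> matched rule names, keeping only events that matched."""
    result: Dict[str, List[str]] = {}
    for event in events:
        matched = triage_event(event)
        if matched:
            result[event["id"]] = matched
    return result


# Constructed sample telemetry: seven events that should match, three that should not.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "type": "process_create", "command_line": "wevtutil cl System"},
    {"id": "e2", "type": "process_create", "command_line": "wevtutil.exe qe Security /c:5"},  # log query, benign
    {"id": "e3", "type": "process_create", "command_line": r'rundll32.exe "C:\Windows\twain_64.dll"'},
    {"id": "e4", "type": "process_create", "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": "e5", "type": "process_create", "command_line": r"certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.dll"},
    {"id": "e6", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Office test\Special\Perf"},
    {"id": "e7", "type": "registry_set", "key": r"HKCU\Environment\UserInitMprLogonScript"},
    # Placeholder CLSID, not the real MMDeviceEnumerator identifier.
    {"id": "e8", "type": "registry_set", "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"},
    {"id": "e9", "type": "process_create", "command_line": r'forfiles /p C:\Users /s /m *.docx /c "cmd /c echo @path"'},
    {"id": "e10", "type": "registry_set", "key": r"HKCU\Control Panel\Desktop\Wallpaper"},  # benign
]

if __name__ == "__main__":
    for event_id, names in triage(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(names))
```

The rules are deliberately narrow (wevtutil cl rather than any wevtutil invocation, a DLL in the Windows root rather than any rundll32) so the benign records e2 and e4 pass through; in a real deployment the registry paths arrive as HKU\<SID>\... and the patterns would be anchored accordingly.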
- [1] FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- [2] SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
- [3] FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- [4] Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE - Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- [5] Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- [6] Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- [7] ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- [8] Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- [9] Unit 42. (2018, February 28). Unit 42 Playbook Viewer - Sofacy. Retrieved March 15, 2018.
- [10] ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- [11] Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- [12] ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- [13] Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- [14] Lee, B. et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- [15] FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
- [16] Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
- [17] Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
- [18] Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
- [19] Sherstobitoff, R. and Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
- [20] Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.
- [21] Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
- [22] Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017.
- [23] Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.
- [24] Creus, D., Halfpop, T. and Falcone, R. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.