Group: APT28, Sednit, ...

ID: G0007
Aliases: APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127

APT28 is a threat group that has been attributed to the Russian government.[1][2][3][4] This group reportedly compromised the Democratic National Committee in April 2016.[5]

Alias Descriptions

  • APT28 - [1][2][5][6][7]
  • Sednit - This designation has been used in reporting both to refer to the threat group and its associated malware.[3][2][6]
  • Sofacy - This designation has been used in reporting both to refer to the threat group and its associated malware.[1][2][5][7]
  • Pawn Storm - [2][7]
  • Fancy Bear - [5][6][7]
  • STRONTIUM - [6][7]
  • Tsar Team - [7]
  • Threat Group-4127 - [2]
  • TG-4127 - [2]

Techniques Used

  • Data Obfuscation - APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[1]
  • Connection Proxy - APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.[1] The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router.[8]
  • Standard Application Layer Protocol - APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration.[1]
  • Remote File Copy - APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[8][9]
  • Rundll32 - APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll".[5] APT28 also executed a .dll for a first stage dropper using rundll32.exe.[8] An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.[9]
  • Timestomp - APT28 has performed timestomping on victim files.[5]
  • Credential Dumping - APT28 regularly deploys both publicly available and custom password retrieval tools on victims.[10]
  • Screen Capture - APT28 regularly deploys a custom tool to take regular screenshots of victims.[10][11]
  • Bootkit - APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[7]
  • Communication Through Removable Media - APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted.[13]
  • Data Staged - APT28 has stored captured credential information in a file named pi.log.[13]
  • Peripheral Device Discovery - APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.[13] They have also looked for the presence of iOS devices by looking for their backups.[11]
  • Access Token Manipulation - APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[15]
  • Valid Accounts - APT28 has used legitimate credentials to maintain access to a victim network and exfiltrate data.[16]
  • Office Application Startup - APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.[17]
  • Process Discovery - APT28 has used built-in tools like ps aux on macOS to determine which processes are running.[11] An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have the necessary permissions.[9]
  • File Deletion - APT28 has deleted files from the system via the NSFileManager:removeFileAtPath method.[11]
  • Network Sniffing - APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[18]
  • Scripting - An APT28 loader Trojan uses a batch script to run its payload.[9]
  • Logon Scripts - An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[9]
  • Spearphishing Attachment - APT28 sent spearphishing emails with Microsoft Excel attachments containing malicious macro scripts.[14]
  • User Execution - APT28 attempted to get users to click on Microsoft Excel attachments containing malicious macro scripts.[14]
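
Several of the techniques above leave concrete host artifacts: the Office Test registry key and the UserInitMprLogonScript value used for persistence, and rundll32 invoking a DLL by path. The following Python example is added here and is not taken from the page or from any of the cited reports; it runs simple detection rules over constructed Sysmon-style events, and the event layout, the sample SID and file paths, and the "DLL outside System32/SysWOW64" heuristic are assumptions.

```python
import re

# Constructed sample events (not real telemetry) in a simplified "Key=Value" layout
# modelled on Sysmon Event ID 13 (registry value set) and Event ID 1 (process create).
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Office test\\Special\\Perf\\(Default) "
    "Details=C:\\Users\\alice\\AppData\\Local\\Temp\\example.dll",
    "EventID=13 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe "
    "TargetObject=HKU\\S-1-5-21-1000\\Environment\\UserInitMprLogonScript "
    "Details=C:\\Users\\alice\\AppData\\Local\\Temp\\run.bat",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=rundll32.exe \"C:\\Windows\\twain_64.dll\"",
    "EventID=13 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\LastRun Details=1",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
]

# Registry locations named on the page, matched case-insensitively as path fragments.
PERSISTENCE_KEYS = {
    "\\software\\microsoft\\office test\\special\\perf": "Office Test persistence (Office Application Startup)",
    "\\environment\\userinitmprlogonscript": "UserInitMprLogonScript persistence (Logon Scripts)",
}
# Heuristic (our assumption, not from the page): rundll32 loading a DLL from
# anywhere other than the two system DLL directories is worth an analyst's look.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")      # Key=Value fields; values may contain spaces
DLL_RE = re.compile(r'"?([a-z]:\\[^"\s]+?\.dll)"?', re.IGNORECASE)  # first DLL path on a command line

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def check_event(ev):
    """Return an alert string for a suspicious event, or None for a benign one."""
    if ev.get("EventID") == "13":
        target = ev.get("TargetObject", "").lower()
        for fragment, label in PERSISTENCE_KEYS.items():
            if fragment in target:
                return f"{label}: {ev['TargetObject']} -> {ev.get('Details', '')}"
    elif ev.get("EventID") == "1" and ev.get("Image", "").lower().endswith("\\rundll32.exe"):
        m = DLL_RE.search(ev.get("CommandLine", ""))
        if m and not m.group(1).lower().startswith(TRUSTED_DLL_DIRS):
            return f"rundll32 loading a DLL outside System32/SysWOW64: {m.group(1)}"
    return None

def scan(lines):
    # Run every rule over the event lines and collect the alerts in input order.
    return [a for a in (check_event(parse_event(line)) for line in lines) if a]
```

Running scan(SAMPLE_EVENTS) yields three alerts (the two persistence writes and the twain_64.dll load) and stays silent on the ordinary Office registry write and the System32 rundll32 call.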

References

  1. FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations? Retrieved August 19, 2015.
  2. SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
  3. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  4. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE - Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  5. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  6. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  7. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  8. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  9. Unit 42. (2018, February 28). Unit 42 Playbook Viewer - Sofacy. Retrieved March 15, 2018.
  10. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  11. Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  12. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  13. Anthe, C., et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  14. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  15. FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
  16. Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
  17. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  18. Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
  19. Sherstobitoff, R. and Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
  20. Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.
  21. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  22. Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017.
  23. Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.
  24. Creus, D., Halfpop, T., and Falcone, R. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.