APT28

Threat Actor updated 2 hours ago (2024-11-21T11:31:44.058Z)
APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC) during the 2016 US Presidential Elections, the SolarWinds supply chain attack that affected over 18,000 customer organizations in 2020, and an offensive PowerShell framework operation to capture NTLM hashes and exfiltrate data. APT28's activities extend globally, targeting various sectors such as security, defense, and energy, with a recent surge in attacks detected by Ukraine's State Service of Special Communications and Information Protection. Recently, APT28 has implemented new malware in its phishing campaigns, prompting formal condemnation from international entities such as NATO and the EU. This new wave of cyber espionage has targeted think tanks across Europe, with the French Cyber Agency issuing warnings about APT28's activities and the German Federal Office for Information Security disclosing investigations into a campaign that used a domain mimicking a German think tank. Additionally, the Polish government attributed a malware campaign against its own institutions to APT28. The threat posed by APT28 continues to evolve, with the group often adapting its methods and targets. Despite numerous disruptions, including the Department of Justice's disruption of a Russian military intelligence botnet that APT28 utilized for global cyber espionage, the group remains active. No threat actor has yet claimed responsibility for the most recent attacks suspected to be instigated by APT28, demonstrating the ongoing challenge in attributing and combating these sophisticated cyber threats.
Description last updated: 2024-11-21T10:31:00.368Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Sednit is a possible alias for APT28 (9 votes). Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor group associated with Russia’s military intelligence. This group has been active since at least 2007, targeting governments, militaries, and security organizations worldwide. Sedn
Forest Blizzard is a possible alias for APT28 (9 votes). Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which
Fancy Bear is a possible alias for APT28 (8 votes). Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be
Pawn Storm is a possible alias for APT28 (7 votes). Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. The group is notorious for its complex operations that steal victims' credentials to enable surveillance or intrusion operations. It has targeted g
Sandworm is a possible alias for APT28 (7 votes). Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c
STRONTIUM is a possible alias for APT28 (6 votes). Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor linked to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. Strontium's
Sofacy is a possible alias for APT28 (6 votes). Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
Fighting Ursa is a possible alias for APT28 (5 votes). Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy, is a highly active Russian cyber threat actor with a notorious history of carrying out high-profile attacks. The group has been linked to significant cyber offensives including US election interference in 2016, the NotPetya attacks, the Oly
Sofacy Group is a possible alias for APT28 (4 votes). The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a well-established threat actor that has been active since at least 2007. This group, which could be an individual, a private company, or part of a government entity, has targeted governments, militar
Ursa is a possible alias for APT28 (3 votes). Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwar
Fancybear is a possible alias for APT28 (3 votes). Fancybear, also known as APT28, Forest Blizzard, or Strontium, is a threat actor linked to Russia that has been involved in various cyber espionage operations. These operations have targeted European countries and have been condemned by both NATO and the European Union. This group has demonstrated a
Itg05 is a possible alias for APT28 (2 votes). ITG05, also known as Fancy Bear, Forest Blizzard, and APT28, among other aliases, is a sophisticated threat actor that has been involved in several cyber operations with malicious intent. The group has been leveraging the Israel-Hamas conflict to deliver Headlace malware, targeting non-governmental
Regeorg is a possible alias for APT28 (2 votes). Regeorg is a threat actor known for its malicious activities, primarily involving the use of ReGeorg or Neo-reGeorg to set up a proxy and tunnel network traffic following the compromise of a victim website. This group also employs ProxyChains to run Nmap within the compromised network. In one instan
IRON TWILIGHT is a possible alias for APT28 (2 votes). IRON TWILIGHT is a threat actor believed to be associated with the GRU, Russia's military intelligence agency. This association has been suggested by various researchers, including those from CrowdStrike and CTU, based on the characteristics of the group's activities. The group became particularly a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt, Phishing, Windows, Russia, Reconnaissance, Ukraine, Zero Day, State Sponso..., Espionage, roundcube, Cisco, Microsoft, Gooseegg, exploited, Spearphishing, Exploits, Backdoor, Polish, NCSC, Google, Vpn, Ios, PowerShell, flaw, exploitation, WinRAR, Lateral Move..., Linux, Blizzard, Mandiant, Proxy, Trojan, Decoy, Government, russian, Ukrainian, Tool, Ransomware
Associated Malware
The Moobot Malware is associated with APT28 (association type: has used; 4 votes). Moobot is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate these systems via suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold da
The Zebrocy Malware is associated with APT28 (association type: has used; 3 votes). Zebrocy is a malicious software (malware) known for its capability to exploit and damage computer systems. It infiltrates the system through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. The Zebrocy Trojan, a varian
The Steelhook Malware is associated with APT28 (association type: Unspecified; 2 votes). Steelhook is a malicious PowerShell script used by the Russia-linked Advanced Persistent Threat group, APT28, to steal sensitive information from compromised systems. The malware was discovered as part of a phishing campaign orchestrated by APT28, as reported by the Computer Emergency Response Team
The NotPetya Malware is associated with APT28 (association type: Unspecified; 2 votes). NotPetya, a destructive malware posing as ransomware, was unleashed in 2017, causing widespread global damage while primarily targeting Ukraine's infrastructure. The cyberattack, commonly attributed to Russia, was so devastating that it led many to consider it an act of cyberwar, despite no official
The Octopus Malware is associated with APT28 (association type: Unspecified; 2 votes). Octopus is a malware, a harmful program designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
The OCEANMAP Malware is associated with APT28 (association type: Unspecified; 2 votes). OceanMap is a C#-based malware used by APT28, a Russia-linked group, as part of a sophisticated cyber attack campaign that started in 2020. The malware is designed to execute base64-encoded commands via cmd.exe, providing persistent and remote access to the targeted endpoint. Once a command is execu
Associated Threat Actors
The APT29 Threat Actor is associated with APT28 (association type: is related to; 6 votes). APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw
The Frozenlake Threat Actor is associated with APT28 (association type: has used; 5 votes). Frozenlake, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor believed to be sponsored by the Russian military. The group has been involved in numerous cyber-attacks, primarily targeting Ukraine's energy sector. Their modus operandi includes exploiting vuln
The Gamaredon Threat Actor is associated with APT28 (association type: is related to; 4 votes). Gamaredon, a Russia-aligned threat actor, has emerged as one of the most active Advanced Persistent Threat (APT) groups in Ukraine, particularly since Russia's 2022 invasion of the country. Composed of regular officers from the Russian Federal Security Service (FSB) and some former law enforcement o
The Cozy Bear Threat Actor is associated with APT28 (association type: Unspecified; 3 votes). Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy
The APT40 Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). APT40, a threat actor attributed to China, is a cyber espionage group that primarily targets countries of strategic importance to the Belt and Road Initiative. The group is known for its use of a variety of attack vectors, notably spear-phishing emails posing as individuals likely to be of interest
The Winter Vivern Threat Actor is associated with APT28 (association type: Exploited; 2 votes). Winter Vivern, a malicious threat actor, has been identified as the entity behind recent cyberattacks targeting several European government organizations. The group exploited a zero-day vulnerability in the Roundcube webmail software, using it to launch their offensive operations. This advanced pers
The Apt44 Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). APT44, also known as Sandworm, is a threat actor newly designated by Mandiant and associated with the Russian military intelligence hacking team. This group has been active since the start of 2023, conducting campaigns leveraging Sandworm malware, primarily targeting Ukraine, Eastern Europe, and inv
The Midnight Blizzard Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). Midnight Blizzard, also known as APT29 and Cozy Bear, is a Russia-linked threat actor group believed to be tied to the country's Foreign Intelligence Service (SVR). The group has been implicated in several high-profile cyber attacks, including breaches of Microsoft and Hewlett Packard Enterprise (HP
The Dukes Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in Se
The NOBELIUM Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). Nobelium, a Russia-linked Advanced Persistent Threat (APT) group, also known under various aliases such as APT29, SVR group, BlueBravo, Cozy Bear, Midnight Blizzard, and The Dukes, has been actively involved in large-scale cyber espionage campaigns. The threat actor has been targeting French diploma
The Lapsus Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passwor
The UNC2589 Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). UNC2589, also known as Frozenvista, is a threat actor that emerged as a significant cybersecurity concern in 2021. Notably linked to the Russian Armed Forces' Main Directorate of the General Staff (GRU), this group started deploying phishing attacks against Ukrainian organizations from April 2021, a
The FIN7 Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
The Turla Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
The Lazarus Group Threat Actor is associated with APT28 (association type: Unspecified; 2 votes). The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K
Associated Vulnerabilities
The CVE-2023-38831 Vulnerability is associated with APT28 (association type: Targets; 4 votes). CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
The vulnerability CVE-2022-38028 is associated with APT28 (association type: Unspecified; 4 votes).
The CVE-2020-35730 Vulnerability is associated with APT28 (association type: Targets; 3 votes). CVE-2020-35730 is a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, first discovered three years ago. The flaw has been actively exploited by threat actors in various campaigns. In the BlueDelta and APT28 campaigns, spear-phishing techniques were employed, with email attachments desig
The CVE-2020-12641 Vulnerability is associated with APT28 (association type: Targets; 3 votes). CVE-2020-12641 is a significant vulnerability discovered in the Roundcube Webmail application. It is an issue that arises from a flaw in the software's design or implementation, which allows for Command Injection and Cross-Site Scripting (XSS) attacks (CVE-2020-35730). The exploitation of this vulne
The vulnerability CVE-2017-6742 is associated with APT28 (association type: Targets; 3 votes).
The vulnerability CVE-2021-44026 is associated with APT28 (association type: Targets; 3 votes).
The vulnerability CVE-2021-40444 is associated with APT28 (association type: Unspecified; 2 votes).
The Follina Vulnerability is associated with APT28 (association type: Targets; 2 votes). Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product,
The CVE-2022-30190 Vulnerability is associated with APT28 (association type: Unspecified; 2 votes). CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
Source Document References
Information about the APT28 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created)
DARKReading (5 hours ago)
Securityaffairs (22 days ago)
BankInfoSecurity (2 months ago)
BankInfoSecurity (2 months ago)
BankInfoSecurity (2 months ago)
BankInfoSecurity (2 months ago)
Checkpoint (2 months ago)
DARKReading (3 months ago)
Securityaffairs (3 months ago)
DARKReading (3 months ago)
Securityaffairs (3 months ago)
DARKReading (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Unit42 (4 months ago)
CERT-EU (9 months ago)
CERT-EU (8 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
DARKReading (4 months ago)