Forest Blizzard

Threat Actor updated 5 months ago (2024-05-10T17:17:31.875Z)
Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor attributed to the Russian General Staff Main Intelligence Directorate (GRU), specifically its 85th Main Special Service Center (GTsSS, also tracked as Unit 26165). The group has run persistent espionage campaigns against European governments and institutions, activity that NATO and the European Union have formally condemned. In April 2022, Forest Blizzard gained access to the Moobot botnet, a Mirai-based botnet of compromised small-office/home-office routers, and repurposed it as infrastructure for its own operations. Its tactics, techniques, and procedures (TTPs) are those of a classic advanced persistent threat: the group reuses the same tradecraft for years at a time and is patient about maintaining access.

Two exploited vulnerabilities stand out. The group exploited CVE-2023-23397, an elevation-of-privilege flaw in Microsoft Outlook: a specially crafted message makes the Outlook client authenticate to an attacker-controlled server without any user interaction, leaking Net-NTLMv2 credentials that can be relayed or cracked offline. It also used a post-compromise tool named GooseEgg to exploit CVE-2022-38028, an elevation-of-privilege flaw in the Windows Print Spooler that Microsoft disclosed and patched in October 2022. Forest Blizzard had been using GooseEgg since at least June 2020. GooseEgg is not an initial-access vector; it is a way to obtain SYSTEM-level privileges on a Windows host the group has already reached, from which it can steal credentials and move laterally.

Microsoft's guidance is to apply the CVE-2022-38028 security update to remove the privilege-escalation path GooseEgg relies on; Microsoft Defender Antivirus detects the tool as HackTool:Win64/GooseEgg. The group's activity is tracked internationally: US agencies and partners from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom have shared observations on it. Despite botnet takedowns and vendor patches, Forest Blizzard remains a significant threat because it adapts quickly and readily weaponizes publicly available exploits. Organizations should apply the relevant security updates, hunt for the detection names and indicators associated with the group, and watch for the credential-leak and privilege-escalation behaviors described above.
Description last updated: 2024-05-10T17:15:52.733Z
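The CVE-2023-23397 trigger described above can be checked for directly: the vulnerability fires when a calendar or task item carries the extended MAPI property PidLidReminderFileParameter (the custom reminder-sound path) pointing at a UNC path on a remote host, which makes Outlook send Net-NTLMv2 authentication to that host when the reminder fires. The script below is an added example, not code from this page, from Microsoft, or from any vendor tooling (Microsoft publishes its own CVE-2023-23397.ps1 for the authoritative Exchange-side check). It assumes the reminder properties have already been extracted into the constructed `ReminderItem` records shown; the sample items, the sender addresses, and the `corp.example` trusted-suffix list are all invented for illustration.

```python
"""
Added example: flag Outlook reminder items whose PidLidReminderFileParameter
points at a UNC or WebDAV path outside the organization (CVE-2023-23397 pattern).
Not from the page or from Microsoft's tooling; the sample data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# UNC forms Outlook will resolve: \\host\share, \\?\UNC\host\share, //host/share,
# and WebDAV-style \\host@80\share or \\host@SSL@443\share (host is captured).
_UNC_RE = re.compile(
    r"^(?:\\\\\?\\UNC\\|\\\\|//)"   # \\?\UNC\  or  \\  or  //
    r"(?P<host>[^\\/@]+)"           # host name or IP literal
    r"(?:@(?:SSL@)?\d+)?"           # optional WebDAV port suffix
    r"(?:[\\/]|$)",
    re.IGNORECASE,
)

# Address ranges treated as internal. RFC 1918 plus loopback and link-local are
# listed explicitly rather than using ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
_INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class ReminderItem:
    message_id: str                      # constructed identifier for the sample
    sender: str
    reminder_file_parameter: Optional[str]   # PidLidReminderFileParameter value


def unc_host(path: Optional[str]) -> Optional[str]:
    """Return the lower-cased host from a UNC/WebDAV path, or None if not UNC."""
    if not path:
        return None
    m = _UNC_RE.match(path.strip())
    return m.group("host").lower() if m else None


def _is_internal_ip(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                      # not an IP literal
    return any(ip in net for net in _INTERNAL_NETS)


def is_trusted_host(host: str, trusted_suffixes: Sequence[str]) -> bool:
    """Internal IP, single-label name (resolves only inside the domain), or
    a name under one of the organization's DNS suffixes counts as trusted."""
    if _is_internal_ip(host):
        return True
    if "." not in host:
        return True
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def find_suspicious(items: List[ReminderItem],
                    trusted_suffixes: Sequence[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (message_id, sender, host) for every item whose reminder sound
    path would make Outlook authenticate to a host outside the organization."""
    findings = []
    for item in items:
        host = unc_host(item.reminder_file_parameter)
        if host is None or is_trusted_host(host, trusted_suffixes):
            continue
        findings.append((item.message_id, item.sender, host))
    return findings


# Constructed sample items (hypothetical senders and hosts).
SAMPLE_ITEMS = [
    ReminderItem("msg-001", "hr@corp.example", r"C:\Windows\Media\Alarm01.wav"),
    ReminderItem("msg-002", "calendar@corp.example", r"\\fileserver.corp.example\sounds\chime.wav"),
    ReminderItem("msg-003", "invoice@partner.example", r"\\203.0.113.45\share\reminder.wav"),
    ReminderItem("msg-004", "it-support@corp.example", r"\\?\UNC\evil.example.net@80\dav\a.wav"),
    ReminderItem("msg-005", "noreply@corp.example", None),
    ReminderItem("msg-006", "ops@corp.example", "//10.0.0.5/audio/beep.wav"),
]

if __name__ == "__main__":
    for message_id, sender, host in find_suspicious(SAMPLE_ITEMS, ("corp.example",)):
        print(f"{message_id}: reminder from {sender} would authenticate to {host}")
```

The two hits are the public IP literal and the WebDAV-style path: both would cause an outbound NTLM authentication to a host the organization does not control. A path under the organization's own DNS suffix or an RFC 1918 address is treated as benign, which is a deliberate trade-off: a compromised internal host could still be abused, so the allowlist should be reviewed, not assumed.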
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): Description

APT28 (9 votes): APT28 is a possible alias for Forest Blizzard. APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate, is a Russia-linked threat actor that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide with a particular focus on th

STRONTIUM (4 votes): STRONTIUM is a possible alias for Forest Blizzard. Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor linked to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. Strontium's

Pawn Storm (4 votes): Pawn Storm is a possible alias for Forest Blizzard. Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. The group is notorious for its complex operations that steal victims' credentials to enable surveillance or intrusion operations. It has targeted g

TA422 (2 votes): TA422 is a possible alias for Forest Blizzard. TA422, also known under the aliases APT28, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta, is a threat actor attributed by the United States Intelligence Community to the Russian General Staff Main Intelligence Directorate (GRU). Since March 2023, cybersecurity researchers at Proofpoint have obs

Sednit (2 votes): Sednit is a possible alias for Forest Blizzard. Sednit, also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, BlueDelta, and Strontium, is a threat actor associated with Russia's military intelligence. The group has been active since at least 2007, primarily targeting governments, militaries, and security organizations worldwide. Notably, Se

ITG05 (2 votes): ITG05 is a possible alias for Forest Blizzard. ITG05, also known as Fancy Bear, Forest Blizzard, and APT28, among other aliases, is a sophisticated threat actor that has been involved in several cyber operations with malicious intent. The group has been leveraging the Israel-Hamas conflict to deliver Headlace malware, targeting non-governmental
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Russia
Microsoft
Vulnerability
Gooseegg
Ukraine
Apt
Exploit
Windows
Botnet
Outlook
Phishing
Associated Malware
Alias (association type; votes): Description

Moobot (Unspecified; 2 votes): The Moobot malware is associated with Forest Blizzard. Moobot is a Mirai-based botnet malware that infects Linux-based routers and other network devices, typically by abusing default or weak credentials. Forest Blizzard did not build Moobot; it gained access to routers already infected by the botnet's criminal operators and repurposed them as infrastructure for credential harvesting, NTLM relaying, and proxying of its own operations.
Associated Threat Actors
Alias (association type; votes): Description

Frozenlake (has used; 2 votes): The Frozenlake threat actor is associated with Forest Blizzard. Frozenlake, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor believed to be sponsored by the Russian military. The group has been involved in numerous cyber-attacks, primarily targeting Ukraine's energy sector. Their modus operandi includes exploiting vuln
Associated Vulnerabilities
Alias (association type; votes): Description

CVE-2022-38028 (Unspecified; 4 votes): The vulnerability CVE-2022-38028 is associated with Forest Blizzard.
Source Document References
Information about the Forest Blizzard threat actor was read from the documents corpus below.
Source (created)

CERT-EU (7 months ago)
SecurityIntelligence.com (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
BankInfoSecurity (5 months ago)
Securityaffairs (5 months ago)
Trend Micro (6 months ago)
Securityaffairs (6 months ago)
BankInfoSecurity (6 months ago)
DARKReading (6 months ago)
InfoSecurity-magazine (6 months ago)
Securityaffairs (6 months ago)
CERT-EU (7 months ago)
CERT-EU (7 months ago)
CERT-EU (7 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)