Forest Blizzard

Threat Actor Profile Updated 7 days ago
Forest Blizzard, also tracked as APT28, Fancy Bear, and Strontium, is a threat actor attributed to the Russian General Staff Main Intelligence Directorate (GRU), specifically its 85th Main Special Service Center (GTsSS, military unit 26165). The group has run persistent espionage campaigns against European governments and institutions, conduct that NATO and the European Union have publicly condemned. Its tactics, techniques, and procedures (TTPs) are those of a long-running advanced persistent threat: the same tooling and targeting recur year after year.

In April 2022 the group gained access to the Moobot botnet, built from compromised Ubiquiti EdgeRouters, and used it as infrastructure for its operations; that botnet has since been disrupted by law enforcement.

Forest Blizzard exploited CVE-2023-23397, an elevation-of-privilege flaw in Microsoft Outlook. A crafted message or calendar item carries a reminder sound path that points at an attacker-controlled server; Outlook connects to that server when it processes the item, without any user interaction, and leaks the victim's Net-NTLMv2 response, which the actor can relay or crack offline.

The group also used a tool Microsoft calls GooseEgg to exploit CVE-2022-38028, a Windows Print Spooler elevation-of-privilege vulnerability that Microsoft patched in October 2022. GooseEgg had been in use since at least June 2020, so the exploit was deployed in the wild for roughly two years before the flaw was disclosed. It gives the actor SYSTEM-level execution on an already compromised host, a foothold for credential theft and follow-on tooling. Microsoft's guidance is to apply the CVE-2022-38028 security update; Microsoft Defender Antivirus detects the tool as HackTool:Win64/GooseEgg.

The actor's activity has drawn attention from US agencies and from partners in Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom. Despite botnet takedowns and vendor patches, Forest Blizzard remains a significant threat because it adapts quickly and readily incorporates publicly available exploits. Organizations should apply the relevant security updates, restrict outbound SMB (TCP 445) where feasible so a leaked Outlook reminder path cannot reach the internet, and monitor for the indicators associated with this group.
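As an added example, not part of this Cybergeist profile and not Microsoft's own detection script, the Python below shows the check a responder would run over extracted mailbox items for CVE-2023-23397: flag any item whose PidLidReminderFileParameter (the reminder sound path) points at a remote host, since that is the condition under which Outlook reaches out over SMB or WebDAV and leaks the Net-NTLMv2 response. The MailItem layout, the property dictionary and the sample messages are assumptions constructed for illustration; real tooling would pull the property from Exchange, a PST or an MSG file.

```python
# Added example (not Cybergeist's or Microsoft's code): triage check for
# CVE-2023-23397. Outlook plays a reminder sound from the path stored in the
# PidLidReminderFileParameter property; if that path names a remote host the
# client authenticates to it and leaks the user's Net-NTLMv2 response with no
# click. Item layout and sample messages below are constructed for illustration.
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Named property PidLidReminderFileParameter: PSETID_Common, LID 0x851F.
PIDLID_REMINDER_FILE_PARAMETER = 0x851F

# Hosts that never leave the machine; a reminder path to these leaks nothing off-box.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "."}

# \\host\share\file.wav and the long form \\?\UNC\host\share\file.wav
_UNC = re.compile(r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\]+)(?:\\|$)", re.IGNORECASE)

# Schemes Outlook/Windows would resolve to a network file fetch.
_REMOTE_SCHEMES = {"file", "smb", "http", "https", "webdav"}


@dataclass
class MailItem:
    """Minimal view of a MAPI item: named-property LID -> value (assumed layout)."""
    subject: str
    sender: str
    props: dict = field(default_factory=dict)


def remote_host(path):
    """Return the host a reminder path would make Outlook contact, or None if local."""
    if not path:
        return None
    p = path.strip()
    m = _UNC.match(p)
    if m:
        # WebDAV forms such as host@80 or host@SSL@443 are reported as written.
        host = m.group("host")
    else:
        parts = urlsplit(p)
        if parts.scheme.lower() in _REMOTE_SCHEMES and parts.netloc:
            host = parts.hostname or parts.netloc
        else:
            return None  # drive-letter or relative path stays on the box
    return None if host.lower() in LOCAL_HOSTS else host


def triage(items):
    """Return (subject, sender, host) for every item whose reminder path is remote."""
    findings = []
    for item in items:
        host = remote_host(item.props.get(PIDLID_REMINDER_FILE_PARAMETER))
        if host is not None:
            findings.append((item.subject, item.sender, host))
    return findings


# Constructed sample mailbox: a default sound, a local UNC, two remote paths, no property.
SAMPLE_ITEMS = [
    MailItem("Weekly sync", "colleague@example.org",
             {PIDLID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\Alarm01.wav"}),
    MailItem("Reminder", "it@example.org",
             {PIDLID_REMINDER_FILE_PARAMETER: r"\\localhost\sounds\ding.wav"}),
    MailItem("Appointment", "unknown@example.net",
             {PIDLID_REMINDER_FILE_PARAMETER: r"\\192.0.2.10\share\s.wav"}),
    MailItem("Invoice", "billing@example.com",
             {PIDLID_REMINDER_FILE_PARAMETER: r"\\?\UNC\evil.example.net\c$\r.wav"}),
    MailItem("No reminder property", "hr@example.org", {}),
]

if __name__ == "__main__":
    for subject, sender, host in triage(SAMPLE_ITEMS):
        print(f"SUSPECT  {subject!r} from {sender}: reminder path reaches {host}")
```

A hit is a reason to pull the item and the sender's other mail, reset the recipient's credentials, and check egress logs for SMB or WebDAV connections to the named host. The check is intentionally conservative: it treats any non-local UNC or URL as suspect rather than trying to allow-list file servers, because a legitimate reminder sound almost never lives off the local disk.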
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile description

APT28 (8): APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor group linked to Russia that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide. Recently, APT28 has been identified a

STRONTIUM (4): Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and other aliases, is a threat actor linked to Russia that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide, carrying out cyber espionage operations with malicious i

Pawn Storm (4): Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since 2007. This group has targeted governments, militaries, and security organizations worldwide, employing a variety of sophisticated techniques to execute its malici

TA422 (2): TA422, also known under various aliases such as APT28, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta, is a threat actor attributed to the Russian General Staff Main Intelligence Directorate (GRU) by the United States Intelligence Community. This group has been active in exploiting vulnerabi

ITG05 (2): ITG05, also known by various aliases including APT28, Fancy Bear, and Forest Blizzard, is IBM X-Force's name for the same threat actor (a group, not a malware family), which has been targeting non-governmental organizations (NGOs) through phishing lures. Its phishing campaigns infect systems primarily th

Sednit (2): Sednit, also known as APT28, Fancy Bear, Sofacy Group, Forest Blizzard, Pawn Storm, Strontium, and BlueDelta, is a threat actor linked to Russia's military intelligence. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide with cyber espio
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Russia
Microsoft
Vulnerability
Outlook
APT
Exploit
Ukraine
Botnet
Windows
Phishing
Associated Malware
ID (type, votes): Profile description

Moobot (Unspecified, 2): Moobot is a Mirai-based botnet that targets internet-exposed network and IoT devices, recorded here as active since at least 2016. It spreads by logging in to devices, such as Ubiquiti EdgeRouters, that still use default or publicly known credentials, rather than through downloads or email. Forest Blizzard used its access to the compromised routers as operational infrastructure until the botnet was disrupted by law enforcement. Once on a device, Moobot can steal pers
Associated Threat Actors
ID (relationship, votes): Profile description

Frozenlake (has used, 2): Frozenlake, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor believed to be sponsored by the Russian military. The group has been involved in numerous cyber-attacks, primarily targeting Ukraine's energy sector. Their modus operandi includes exploiting vuln
Associated Vulnerabilities
ID (type, votes): Profile description

CVE-2022-38028 (Unspecified, 4): No description recorded.
Source Document References
Information about the Forest Blizzard threat actor was read from the document corpus below. This display is limited to 20 results.
Source, created: Title

Securityaffairs, 22 days ago: CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog
DARKReading, 24 days ago: Russia's Fancy Bear Pummels Windows Print Spooler Bug
CERT-EU, 5 months ago: Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
CERT-EU, 4 months ago: Microsoft Executives' Emails Breached by Russia Hackers
Recorded Future, a year ago: BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities | Recorded Future
BankInfoSecurity, 3 months ago: Moscow Military Hackers Used Microsoft Outlook Vulnerability
BankInfoSecurity, 5 months ago: Russian GRU Hackers Exploit Critical Patched Vulnerabilities
DARKReading, 3 months ago: Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug
CERT-EU, 3 months ago: Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations
CERT-EU, 3 months ago: Microsoft, OpenAI move to fend off genAI-aided hackers — for now
CERT-EU, 2 months ago: Russian Military Botnet Dismantled
InfoSecurity-magazine, 7 months ago: China Poised to Disrupt US Critical Infrastructure with Cyber-Attacks,
CERT-EU, 5 months ago: Russian hackers use old Outlook vulnerability to target Polish orgs (CVE-2023-23397) - Help Net Security
CERT-EU, 5 months ago: Russian hackers use old Outlook vulnerability to target Polish orgs (CVE-2023-23397)
CERT-EU, a year ago: Russia sent its reserve team to wipe Ukrainian hard drives
CERT-EU, 5 months ago: Fancy Bear hackers still exploiting Microsoft Exchange flaw | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 5 months ago: Microsoft blames Russia for ongoing hacks of 9-month-old Exchange bug
BankInfoSecurity, 5 months ago: Russian GRU Hackers Target Polish Outlook Inboxes
InfoSecurity-magazine, 3 months ago: Microsoft, OpenAI Confirm Nation-States are Weaponizing Generative AI
DARKReading, a year ago: Threat Actor Names Proliferate, Adding Confusion