Sednit

Threat Actor updated a month ago (2024-09-05T13:18:04.947Z)
Sednit, also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, BlueDelta, and Strontium, is a threat actor associated with Russia's military intelligence. The group has been active since at least 2007, primarily targeting governments, militaries, and security organizations worldwide. Notably, Sednit was identified using a malicious downloader written in Nim as early as 2019. The group's activities are characterized by sophisticated techniques and the exploitation of vulnerabilities in various systems, including an old XSS vulnerability in Roundcube. ESET, a cybersecurity firm, has extensively studied the tactics and procedures of Sednit, shedding light on the commands used by their preferred backdoor. The group is also known for its use of the first UEFI rootkit found in the wild, dubbed "LoJax". This advanced level of threat activity underscores the significant capability of Sednit to compromise high-value targets and maintain persistence within their networks. In January 2024, a court-authorized operation neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, another alias of Sednit, had used to conceal and enable a variety of crimes. This network of Ubiquiti Edge OS routers, infected with Moobot malware, was under the control of the threat actor. The operation added firewall rules to prevent Sednit from regaining control of the devices, demonstrating a proactive approach to countering this persistent threat.
Description last updated: 2024-09-05T13:16:21.308Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
|---|---|
| APT28 is a possible alias for Sednit. APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate, is a Russia-linked threat actor that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide with a particular focus on th | 9 |
| Sofacy is a possible alias for Sednit. Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e | 4 |
| Pawn Storm is a possible alias for Sednit. Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. The group is notorious for its complex operations that steal victims' credentials to enable surveillance or intrusion operations. It has targeted g | 3 |
| Forest Blizzard is a possible alias for Sednit. Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which | 2 |
| Fancy Bear is a possible alias for Sednit. Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be | 2 |
| STRONTIUM is a possible alias for Sednit. Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor linked to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. Strontium's | 2 |
| Sofacy Group is a possible alias for Sednit. The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a well-established threat actor that has been active since at least 2007. This group, which could be an individual, a private company, or part of a government entity, has targeted governments, militar | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Exploit
Backdoor
Rootkit
Malware
Vulnerability
Phishing
Windows
Implant
Roundcube
ESET
Associated Malware
| Alias Description | Association Type | Votes |
|---|---|---|
| The LoJax Malware is associated with Sednit. LoJax is a unique and sophisticated piece of malware that targets the Unified Extensible Firmware Interface (UEFI) of a computer. First detected in 2018, LoJax was attributed to the Sednit group, also known as Fancy Bear, and it represented a significant leap in malware technology by being the first | Unspecified | 4 |
| The Zebrocy Malware is associated with Sednit. Zebrocy is a malicious software (malware) known for its capability to exploit and damage computer systems. It infiltrates the system through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. The Zebrocy Trojan, a varian | Unspecified | 2 |
Associated Threat Actors
| Alias Description | Association Type | Votes |
|---|---|---|
| The Sandworm Threat Actor is associated with Sednit. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi | Unspecified | 3 |
| The Dukes Threat Actor is associated with Sednit. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and Nobelium, is a threat actor associated with the Russian government that has been active since at least 2008. Notably, this group was implicated in the 2015 attack on the American Democratic National Committee (DNC). The FBI alerted th | Unspecified | 2 |
Source Document References
Information about the Sednit Threat Actor was read from the documents corpus below. This display is limited to 20 results.
| Source | Created At |
|---|---|
| Securityaffairs | a month ago |
| Securityaffairs | 4 months ago |
| ESET | 5 months ago |
| Securityaffairs | 5 months ago |
| Securityaffairs | 5 months ago |
| Securityaffairs | 6 months ago |
| CERT-EU | 7 months ago |
| CERT-EU | 8 months ago |
| CERT-EU | 8 months ago |
| CERT-EU | 8 months ago |
| CERT-EU | 8 months ago |
| Flashpoint | 8 months ago |
| DARKReading | 8 months ago |
| Unit42 | 8 months ago |
| Securityaffairs | 8 months ago |
| Securityaffairs | 10 months ago |
| Unit42 | 10 months ago |
| Securityaffairs | 10 months ago |
| InfoSecurity-magazine | a year ago |
| CERT-EU | a year ago |