Sednit

Threat Actor updated 13 days ago (2024-11-08T13:23:52.539Z)
Download STIX
Preview STIX
Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor group associated with Russia’s military intelligence. This group has been active since at least 2007, targeting governments, militaries, and security organizations worldwide. Sednit is known for its focus on targets of Russian interest, particularly those of military significance. The group has been implicated in a variety of sophisticated cyber-attacks, including the exploitation of XSS vulnerabilities in Roundcube, an open-source webmail system, and the deployment of the first UEFI rootkit found in the wild. ESET, a cybersecurity firm, has shed light on the commands used by Sednit's preferred backdoor methods. As far back as 2019, Sednit was identified using a malicious downloader written in Nim, indicating their early adoption of emerging technologies to further their objectives. In addition to these tactics, Sednit was responsible for the deployment of LoJax, the first UEFI rootkit found in the wild, which presents significant threats due to its persistence and ability to survive operating system reinstallation or hard disk replacement. In recent years, Sednit has continued to pose a significant threat. The group has been linked to a network of hundreds of Ubiquiti Edge OS routers infected with Moobot malware, controlled by GRU Military Unit 26165, another alias for Sednit. In response, authorities have taken action to disrupt Sednit's control over these devices, adding firewall rules to prevent the group from regaining control. Despite these efforts, Sednit remains a potent threat actor, demonstrating both a high level of technical sophistication and a clear strategic focus on targets of national and international significance.
Description last updated: 2024-11-08T10:02:16.232Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT28 is a possible alias for Sednit. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)
9
Sofacy is a possible alias for Sednit. Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
4
Pawn Storm is a possible alias for Sednit. Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. The group is notorious for its complex operations that steal victims' credentials to enable surveillance or intrusion operations. It has targeted g
3
Forest Blizzard is a possible alias for Sednit. Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which
2
Fancy Bear is a possible alias for Sednit. Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be
2
STRONTIUM is a possible alias for Sednit. Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor linked to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. Strontium's
2
Sofacy Group is a possible alias for Sednit. The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a well-established threat actor that has been active since at least 2007. This group, which could be an individual, a private company, or part of a government entity, has targeted governments, militar
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Exploit
Malware
Rootkit
Vulnerability
roundcube
Backdoor
Phishing
Windows
Implant
Eset
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The LoJax Malware is associated with Sednit. LoJax is a unique and sophisticated piece of malware that targets the Unified Extensible Firmware Interface (UEFI) of a computer. First detected in 2018, LoJax was attributed to the Sednit group, also known as Fancy Bear, and it represented a significant leap in malware technology by being the firstUnspecified
4
The Zebrocy Malware is associated with Sednit. Zebrocy is a malicious software (malware) known for its capability to exploit and damage computer systems. It infiltrates the system through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. The Zebrocy Trojan, a varianUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sandworm Threat Actor is associated with Sednit. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which cUnspecified
3
The The Dukes Threat Actor is associated with Sednit. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in SeUnspecified
2
Source Document References
Information about the Sednit Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
ESET
13 days ago
Securityaffairs
3 months ago
Securityaffairs
6 months ago
ESET
6 months ago
Securityaffairs
6 months ago
Securityaffairs
7 months ago
Securityaffairs
7 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
Flashpoint
9 months ago
DARKReading
9 months ago
Unit42
9 months ago
Securityaffairs
9 months ago
Securityaffairs
a year ago
Unit42
a year ago
Securityaffairs
a year ago
InfoSecurity-magazine
a year ago