Sednit

Threat Actor Profile (updated 2 months ago)
Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor associated with Russia's military intelligence. Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. ESET has documented the commands supported by Sednit's favorite backdoor, and Sednit has been observed exploiting old XSS vulnerabilities in Roundcube, sometimes against the same targets. As far back as 2019, Sednit was spotted using a malicious downloader written in Nim. The group gained notoriety for deploying LoJax, the first UEFI rootkit found in the wild. Because LoJax resides in the firmware of the infected device, it is particularly resilient to detection and removal, and it illustrates Sednit's sophisticated capabilities and willingness to use novel attack vectors. The group is well known for its focus on targets of Russian interest, especially those of military significance. In January 2024, a court-authorized operation neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, another name for Sednit, had used to conceal and enable various crimes. The operation added firewall rules to prevent APT28 from regaining control of the devices. This action marks an escalation in efforts to counter the threat posed by Sednit and similar groups, and highlights the ongoing struggle between defenders and persistent threat actors.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
APT28 | 8 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Sofacy | 4 | Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
Pawn Storm | 3 | Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. This group is notorious for targeting governments, militaries, and security organizations worldwide. In recent years, the methods employed by Pawn
Sofacy Group | 2 | The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a significant threat actor in the global cybersecurity landscape. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide. The group's activit
STRONTIUM | 2 | Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other aliases, is a Russia-linked threat actor that has been active since at least 2007. This group, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), has targeted governments, milita
Forest Blizzard | 2 | Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which
Fancy Bear | 2 | Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be
Frozenlake | 1 | Frozenlake, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor believed to be sponsored by the Russian military. The group has been involved in numerous cyber-attacks, primarily targeting Ukraine's energy sector. Their modus operandi includes exploiting vuln
Ursa | 1 | URSA is a harmful malware, typically delivered as an archive attachment to phishing emails. It operates as a backdoor into the infected system, enabling unauthorized access and exploitation. The malware has been particularly active in Latin America, where it's known as the Mispadu banking trojan. Si
Fighting Ursa | 1 | Fighting Ursa, also known as APT28 or Fancy Bear, is a malicious software (malware) group notorious for conducting attacks on behalf of Russia's military. The group has been involved in numerous cyber campaigns exploiting various vulnerabilities, with the most recent being the Microsoft Outlook vuln
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Exploit
Vulnerability
Rootkit
Backdoor
Malware
roundcube
Phishing
Eset
Windows
Implant
Zimbra
Downloader
Spearphishing
Espionage
Decoy
WinRAR
Outlook
Exploit Kit
Russia
Cybercrimes
Associated Malware
ID | Type | Votes | Profile Description
LoJax | Unspecified | 4 | LoJax is a sophisticated malware discovered in 2018, attributed to the Sednit group, also known as Fancy Bear. It is notable for being the first UEFI (Unified Extensible Firmware Interface) rootkit found in the wild, displaying a new level of sophistication in cyber threats. LoJax operates like a ro
Zebrocy | Unspecified | 2 | Zebrocy is a well-documented Trojan malware that infiltrates systems to gather specific system information. Once installed, it sends the collected data to its Command and Control (C2) server via an HTTP POST request. The Zebrocy variant also captures a screenshot of the victim's host and transmits i
KONNI | Unspecified | 1 | Konni is a malware, short for malicious software, that poses a significant threat to computer systems and data. It's designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Konni can wreak havoc by stealin
Moobot | Unspecified | 1 | Moobot is a malicious software (malware) that has been causing significant disruption in the digital world. The malware, which can infiltrate systems through various methods such as suspicious downloads, emails, or websites, is known for its capability to steal personal information, disrupt operatio
Associated Threat Actors
ID | Type | Votes | Profile Description
Sandworm | Unspecified | 3 | Sandworm, a threat actor linked to Russia, has been identified as a significant cybersecurity risk. Known for its sophisticated and malicious activities, Sandworm has notably compromised 11 Ukrainian telecommunications providers, disrupting services and posing a substantial threat to the digital inf
The Dukes | Unspecified | 2 | The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and several other aliases, is a highly active threat actor group widely believed to be associated with the Russian Foreign Intelligence Service (SVR). The group has been operational since at least 2008, targeting various governments, thin
Winter Vivern | Unspecified | 1 | Winter Vivern is a threat actor group that has recently been active in the cybersecurity landscape. This group, which is believed to align with the interests of Belarus, has been involved in a series of malicious activities targeting different entities. They have notably exploited a zero-day vulnera
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Russian Military Unit | Unspecified | 1 | None
Source Document References
Information about the Sednit threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
Securityaffairs | 2 months ago | APT28 targets key networks in Europe with HeadLace malware
ESET | 2 months ago | Introducing Nimfilt: A reverse-engineering tool for Nim-compiled binaries
Securityaffairs | 2 months ago | Russia-linked APT28 targets government Polish institutions
Securityaffairs | 3 months ago | NATO and the EU formally condemned APT28 cyber espionage
Securityaffairs | 3 months ago | Russia-linked APT28 used tool GooseEgg to exploit Win bug
CERT-EU | 5 months ago | Russian Military Botnet Dismantled
CERT-EU | 5 months ago | Hackers backed by Russia and China are infecting SOHO routers like yours, FBI warns (National Cyber Security Consulting)
CERT-EU | 5 months ago | FBI warns Russian hackers are using 'compromised' routers to launch stealthy cyberattacks in America - here's how YOU can protect yourself (National Cyber Security Consulting)
CERT-EU | 5 months ago | Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations
CERT-EU | 5 months ago | Hackers Backed By Russia and China Are Infecting SOHO Routers Like Yours, FBI Warns - Slashdot
Flashpoint | 5 months ago | COURT DOC: Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate of the General Staff (GRU)
DARKReading | 5 months ago | DoJ Breaks Russian Military Botnet in Fancy Bear Takedown
Unit42 | 5 months ago | Diving Into Glupteba's UEFI Bootkit
Securityaffairs | 5 months ago | US Gov dismantled the Moobot botnet controlled by Russia-linked APT28
Securityaffairs | 8 months ago | Russia's APT8 exploited Outlook 0day to target EU NATO members
Unit42 | 8 months ago | Fighting Ursa Aka APT28: Illuminating a Covert Campaign
Securityaffairs | 8 months ago | Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts
InfoSecurity-magazine | 8 months ago | Russia's APT29 Targets Embassies With Ngrok and WinRAR Exploit
CERT-EU | 8 months ago | Advanced threat predictions for 2024 (GIXtools)
Securelist | 8 months ago | Kaspersky Security Bulletin: APT predictions 2024