APT28, also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team, is a highly sophisticated threat actor that has been active since at least 2007. This group is believed to be sponsored by the Russian government, specifically the GRU (Russia’s Main Intelligence Directorate). APT28 primarily targets government, military, and security organizations, especially those in countries or organizations that are perceived to be in opposition to Russia’s political and military goals.

Tactics, Techniques, and Procedures (TTPs)

APT28 is known for its sophisticated and evolving TTPs. The group is particularly adept at spear-phishing campaigns and at using both zero-day and unpatched vulnerabilities to compromise its targets. It has been known to use a variety of malware families and tools, including X-Agent, X-Tunnel, and ADVSTORESHELL.

Some of the MITRE ATT&CK techniques used by APT28 include:

Known Vulnerabilities Exploited

APT28 has been known to exploit several vulnerabilities, including:

Indicators of Compromise (IOCs)

APT28 has been associated with a number of IOCs, including:


APT28 is a highly sophisticated and persistent threat actor that poses a significant risk to governments, military organizations, and private sector entities that are perceived to be in opposition to Russian political and military interests. The group’s use of advanced TTPs, its exploitation of both zero-day and unpatched vulnerabilities, and its ability to remain undetected make it a formidable adversary in the cyber landscape.

Further Reading

For more detailed information on APT28, consider the following resources: