Threat Actor Profile: APT28

APT28, also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team, is a highly sophisticated threat actor that has been active since at least 2007. This group is believed to be sponsored by the Russian government, specifically the GRU (Russia’s Main Intelligence Directorate). APT28 primarily targets government, military, and security organizations, especially those in countries or organizations that are perceived to be in opposition to Russia’s political and military goals.

Tactics, Techniques, and Procedures (TTPs)

APT28 is known for its sophisticated and evolving TTPs. The group is particularly adept at spear-phishing campaigns and the use of both zero-day and unpatched vulnerabilities to compromise their targets. They have been known to use a variety of malware families and tools, including X-Agent, X-Tunnel, and ADVSTORESHELL.

Some of the MITRE ATT&CK techniques used by APT28 include:

• T1566.001 – Spearphishing Attachment
• T1566.002 – Spearphishing Link
• T1071.001 – Web Protocols
• T1059.003 – Windows Command Shell
• T1059.001 – PowerShell
• T1105 – Ingress Tool Transfer

Known Vulnerabilities Exploited

APT28 has been known to exploit several vulnerabilities, including:

• CVE-2023-23397 – A zero-day vulnerability in Microsoft Outlook that was exploited by APT28.
• CVE-2020-35730, CVE-2021-44026, CVE-2020-12641 – APT28 was found to be exploiting these vulnerabilities in Roundcube, an open-source webmail software.

Indicators of Compromise (IOCs)

APT28 has been associated with a number of IOCs, including:

• MD5: d5ab587aaa4bf24d17ab42179b798b10
• SHA-256: e6d3217f89dc53f97989f05188b19f090dbbe1510a17c31398bcfeafa2fe7cb
• SHA-1: b27311413076be38dd8a115061edda9cd0ba51b3
• URLs:
  • https://run.mocky.io/v3/1e88179a-3105-4a5c-9eb3-aebea36e9c21/
  • http://mockbin.org/bin/e8bfd045-2b14-4afc-9372-b723f7d76918

Summary

APT28 is a highly sophisticated and persistent threat actor that poses a significant risk to governments, military organizations, and private sector entities that are perceived to be in opposition to Russian political and military interests. The group’s use of advanced TTPs, exploitation of both zero-day and unpatched vulnerabilities, and its ability to remain undetected makes it a formidable adversary in the cyber landscape.

Further Reading

For more detailed information on APT28, consider the following resources:

• APT28: At the Center of the Storm | Mandiant
• Connect the Dots on State-Sponsored Cyber Incidents – APT 28 | Council on Foreign Relations