APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1] This group has been active since at least 2004.[2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [4] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[13] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
Associated Group Descriptions
Name | Description |
---|---|
SNAKEMACKEREL | |
Swallowtail | |
Group 74 | |
Sednit |
This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. [7] [6] [16] [3] |
Sofacy |
This designation has been used in reporting both to refer to the threat group and its associated malware. [5] [6] [4] [17] [3][15] |
Pawn Storm | |
Fancy Bear | |
STRONTIUM | |
Tsar Team | |
Threat Group-4127 | |
TG-4127 |
Techniques Used
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | .001 | Access Token Manipulation: Token Impersonation/Theft |
APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[21] |
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources and other organizations.[5] [13] |
Enterprise | T1071 | .003 | Application Layer Protocol: Mail Protocols |
APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims.[5] |
.001 | Application Layer Protocol: Web Protocols |
Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP and other legitimate channels for C2, depending on module configuration.[5] |
||
Enterprise | T1560 | Archive Collected Data |
APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[2] |
|
Enterprise | T1119 | Automated Collection |
APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[2] |
|
Enterprise | T1037 | .001 | Boot or Logon Initialization Scripts: Logon Script (Windows) |
An APT28 loader Trojan adds the Registry key |
Enterprise | T1110 | .003 | Brute Force: Password Spraying |
APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.[20] |
.001 | Brute Force: Password Guessing |
APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.[20] |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell | |
.003 | Command and Scripting Interpreter: Windows Command Shell |
An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.[22] The group has also used macros to execute payloads.[15][23][14] |
||
Enterprise | T1092 | Communication Through Removable Media |
APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to network-connected computer when the USB is inserted.[24] |
|
Enterprise | T1213 | .002 | Data from Information Repositories: Sharepoint |
APT28 has collected information from Microsoft SharePoint services within target networks.[25] |
Enterprise | T1005 | Data from Local System |
APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.[26][2] |
|
Enterprise | T1025 | Data from Removable Media |
An APT28 backdoor may collect the entire contents of an inserted USB device.[24] |
|
Enterprise | T1001 | .001 | Data Obfuscation: Junk Data |
APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[5] |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
APT28 has stored captured credential information in a file named pi.log.[24] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
An APT28 macro uses the command |
|
Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
APT28 has collected emails from victim Microsoft Exchange servers.[2] |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.[12] |
Enterprise | T1546 | .015 | Event Triggered Execution: Component Object Model Hijacking |
APT28 has used COM hijacking for persistence by replacing the legitimate |
Enterprise | T1190 | Exploit Public-Facing Application |
APT28 has conducted SQL injection attacks against organizations' external websites.[13] |
|
Enterprise | T1203 | Exploitation for Client Execution |
APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.[18] |
|
Enterprise | T1211 | Exploitation for Defense Evasion |
APT28 has used CVE-2015-4902 to bypass security features.[29][24] |
|
Enterprise | T1068 | Exploitation for Privilege Escalation |
APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges.[29][24][18] |
|
Enterprise | T1210 | Exploitation of Remote Services |
APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.[5][30][31] |
|
Enterprise | T1083 | File and Directory Discovery |
APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.[26][2] |
|
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories | |
.003 | Hide Artifacts: Hidden Window |
APT28 has used the WindowStyle parameter to conceal PowerShell windows.[10] [32] |
||
Enterprise | T1070 | .006 | Indicator Removal on Host: Timestomp | |
.001 | Indicator Removal on Host: Clear Windows Event Logs |
APT28 has cleared event logs, including by using the commands |
||
.004 | Indicator Removal on Host: File Deletion |
APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.[2] |
||
Enterprise | T1105 | Ingress Tool Transfer |
APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[29][22][14] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging | |
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.[32][33][10] |
Enterprise | T1498 | Network Denial of Service |
In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.[13] |
|
Enterprise | T1040 | Network Sniffing |
APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[5][30] APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.[13] |
|
Enterprise | T1027 | Obfuscated Files or Information |
APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.[29][27][10][15][14] |
|
Enterprise | T1137 | .002 | Office Application Startup: Office Test |
APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key |
Enterprise | T1003 | OS Credential Dumping |
APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.[35][2][13] |
|
.001 | LSASS Memory |
APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.[35][2] |
||
Enterprise | T1120 | Peripheral Device Discovery |
APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.[24] |
|
Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.[2][12][13] |
.001 | Phishing: Spearphishing Attachment |
APT28 sent spearphishing emails containing malicious Microsoft Office attachments.[27][9][10][2][18][14] |
||
Enterprise | T1542 | .003 | Pre-OS Boot: Bootkit |
APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[17] |
Enterprise | T1057 | Process Discovery |
An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.[22] |
|
Enterprise | T1090 | .002 | Proxy: External Proxy |
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.[5][29][2] |
Enterprise | T1091 | Replication Through Removable Media |
APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.[24] |
|
Enterprise | T1014 | Rootkit |
APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.[11][36] |
|
Enterprise | T1113 | Screen Capture |
APT28 has used tools to take screenshots from victims.[35][37][2] |
|
Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 |
APT28 executed CHOPSTICK by using rundll32 commands such as |
Enterprise | T1528 | Steal Application Access Token |
APT28 has used several malicious applications to steal user OAuth access tokens including applications masquerading as "Google Defender" "Google Email Protection," and "Google Scanner" for Gmail users. They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection".[38] |
|
Enterprise | T1221 | Template Injection |
APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. [39] |
|
Enterprise | T1199 | Trusted Relationship |
Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.[2] |
|
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash | |
.001 | Use Alternate Authentication Material: Application Access Token |
APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.[38] |
||
Enterprise | T1204 | .002 | User Execution: Malicious File |
APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.[27][14] |
Enterprise | T1078 | Valid Accounts |
APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.[40][2][19] |
Software
References
- NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
- Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
- FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
- Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
- MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
- Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
- FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.
- Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
- Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
- Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017.
- Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
- Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.
- Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
- Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- Hacquebord, F.. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
- Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.