Last updated on January 2nd, 2023 at 02:53 pm
Table of Contents
- Group’s Mission and Vision
- Group’s Country of Origin and Known Aliases
- Targeted Countries and Industries
- Activities by Year
- 2013 MiniDuke Mystery
- 2014 Cyber Attacks on the German Parliament
- 2015 EFF Spoof, White House and NATO Attacks
- 2016 Pawn Storm Attack Campaign Adds Turkey To Its Target List
- 2017 Dealer’s Choice Phishing Campaign
- 2018 Cyber Attacks Targeting the US and Romanian Foreign Ministries
- 2019 Pawn Storm Targets Defense Companies in the Middle East
- 2020 APT28 Distributes Zebrocy Malware in NATO-Themed Attack Campaign
- 2021 APT28 Exploited MSHTML Vulnerability in Espionage Against Government and Defense Targets
- Cyber Attack Lifecycles and TTPs (MITRE ATT&CK)
The APT group known as APT28 or FANCY BEAR is a threat group attributed to the Main Intelligence of the Russian Joint Chiefs of Staff, according to the July 2018 US Justice Department indictment. It is known to have been operating since 2004, and it targets various sectors and institutions all over the world.
Group’s Mission and Vision
Among the group’s main objectives is gathering security- and policy-oriented intelligence; Russia regards such information as an opportunity to influence highly placed people and public opinion, and to make predictions about future policies.
In addition, because Russia sees European security organizations such as NATO and the OSCE as a constant threat to itself, the group carries out attacks in which such organizations, and individuals affiliated with them, are among the targets. The group actively engages in information theft and espionage.
Group’s Country of Origin and Known Aliases
FANCY BEAR is tracked by various security vendors under the following names:
- Sofacy (Kaspersky)
- APT 28 (Mandiant)
- Fancy Bear (CrowdStrike)
- Sednit (ESET)
- Group 74 (Talos)
- Pawn Storm (Trend Micro)
- Strontium (Microsoft)
- Swallowtail (Symantec)
- SIG40 (NSA)
- Iron Twilight (SecureWorks)
- ITG05 (IBM)
- Grizzly Steppe (US Government)
Targeted Countries and Industries
Russia sees European security organizations such as NATO and the OSCE as a threat. For this reason, the group targets both the member states of such organizations and the individuals affiliated with them.
APT28 is known to target many industries. These sectors are listed below:
- Information technologies
- Other (automotive and construction…)
Activities by Year
2013 MiniDuke Mystery
In 2013, APT28 was found to be using an Adobe Reader 0-day exploit, CVE-2013-0640, with specially crafted PDF files to distribute a previously unknown piece of advanced malware called ItaDuke. The PDF files used in the attacks carried carefully prepared content themed around human rights seminar information, Ukrainian foreign policy, and NATO membership plans.
2014 Cyber Attacks on the German Parliament
The APT28 group is held responsible for targeted phishing attacks by email against German parliamentarians. It is also known that the attackers made extensive use of Trojan software to expand their access to the Parlacom network.
2015 EFF Spoof, White House and NATO Attacks
APT28 targeted NATO members, US Defense, and White House officials with a Java 0-day exploit in targeted attacks. This attack, considered part of a wider campaign called Pawn Storm, aimed to deceive target users by imitating the domain name of the Electronic Frontier Foundation (EFF).
2016 Pawn Storm Attack Campaign Adds Turkey To Its Target List
The long-running Pawn Storm attack campaign, targeting the armed forces, diplomats, software developers, journalists, and dissidents, has added several government offices, including the Turkish parliament and the Prime Ministry, to its target list.
The common feature of the assets on the target list is that they have the potential to threaten Russia. The possible reasons for Turkey’s inclusion on the target list are listed below:
- Disputes after the Turkish Air Force shot down a Russian jet over Syria in 2015
- Internal conflicts with Kurdish groups
- Refugee groups trying to enter Europe through Turkey
2017 Dealer’s Choice Phishing Campaign
It was determined that APT28 carried out phishing attacks targeting NATO member states, including Turkey and Azerbaijan, as well as Ukraine, in early 2017.
2018 Cyber Attacks Targeting the US and Romanian Foreign Ministries
In 2018, APT28 targeted two unaffiliated US and Romanian government organizations outside its usual scope. The initial attack vector of the campaign was a phishing e-mail with the subject “Upcoming Defense event February 2018”.
The text, intended to deceive the targeted users, presented the email attachment as a calendar of events for the targeted organizations and included instructions on what to do if an error occurred while viewing the document.
2019 Pawn Storm Targets Defense Companies in the Middle East
The Pawn Storm group has continued to send spam emails to carry out phishing attacks since 2019. It has been observed that the majority of the compromised e-mail accounts used in the attacks belong to defense companies in the Middle East.
By scanning Microsoft Exchange Autodiscover and e-mail servers around the world, the attackers discovered vulnerable systems and used account credentials already leaked on the internet in brute-force attacks against them.
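As an added illustration (not part of the original article), the Python below runs a simple detection over constructed, simplified Autodiscover access-log lines to flag the pattern described above from the defender’s side: one source failing against many accounts (spraying leaked credentials) or hammering a single account (brute force), with an escalation when a success follows the burst. The log layout, addresses, thresholds and window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed, simplified access-log lines (not from any real incident):
# "<date> <time> <client-ip> <request-uri> <attempted-user> <http-status>"
SAMPLE_LOG = """\
2019-03-04 09:00:01 203.0.113.7 /autodiscover/autodiscover.xml alice@example.org 401
2019-03-04 09:00:03 203.0.113.7 /autodiscover/autodiscover.xml bob@example.org 401
2019-03-04 09:00:05 203.0.113.7 /autodiscover/autodiscover.xml carol@example.org 401
2019-03-04 09:00:07 203.0.113.7 /autodiscover/autodiscover.xml dave@example.org 200
2019-03-04 09:01:00 198.51.100.9 /autodiscover/autodiscover.xml frank@example.org 401
2019-03-04 09:01:02 198.51.100.9 /autodiscover/autodiscover.xml frank@example.org 401
2019-03-04 09:01:04 198.51.100.9 /autodiscover/autodiscover.xml frank@example.org 401
2019-03-04 09:02:30 192.0.2.33 /autodiscover/autodiscover.xml grace@example.org 401
2019-03-04 09:02:35 192.0.2.33 /autodiscover/autodiscover.xml grace@example.org 200
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
WINDOW = timedelta(minutes=10)  # assumed burst window; tune for your environment
SPRAY_USERS = 3                 # distinct accounts failing from one IP -> spraying
BRUTE_FAILS = 3                 # failures against one account from one IP -> brute force

def parse(log_text):
    """Yield (time, ip, user, status) for Autodiscover requests only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "/autodiscover/" in m[3].lower():
            yield (datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"),
                   m[2], m[4].lower(), int(m[5]))

def detect(log_text):
    """Return sorted (ip, kind, detail) findings; one typo (401 then 200) is not flagged."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[1]].append(ev)
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        fails = [e for e in events if e[3] == 401]
        if not fails or fails[-1][0] - fails[0][0] > WINDOW:
            continue  # no failures, or too spread out to be one burst
        per_user = Counter(e[2] for e in fails)
        hits = []
        if len(per_user) >= SPRAY_USERS:
            hits.append((ip, "password_spray", f"{len(per_user)} accounts"))
        hits += [(ip, "brute_force", f"{u} x{n}") for u, n in per_user.items() if n >= BRUTE_FAILS]
        # Escalate when the burst is followed by a success from the same source.
        if hits and any(e[3] == 200 and e[0] > fails[0][0] for e in events):
            hits.append((ip, "success_after_burst", "review account and session"))
        findings += hits
    return sorted(findings)
```

Run `detect(SAMPLE_LOG)` to see the two attacking sources flagged while the single mistyped password from 192.0.2.33 passes silently.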
2020 APT28 Distributes Zebrocy Malware in NATO-Themed Attack Campaign
The malware used by the APT28 group in this attack is a Delphi version of Zebrocy with a very low detection rate. The C2 infrastructure detected in association with the malware is hosted in France. An upcoming NATO training was used as the lure in the campaign that distributed the malware.
2021 APT28 Exploited MSHTML Vulnerability in Espionage Against Government and Defense Targets
APT28 targeted employees in the defense industry and high-level power users overseeing security policies in West Asia.
The group used the OneDrive service as its command-and-control server. Because traffic to a legitimate cloud service does not stand out, no suspicious network traffic is logged, which allowed espionage activities on the target systems to continue unnoticed.
Cyber Attack Lifecycles and TTPs (MITRE ATT&CK)
This section lists the tactics, techniques, and procedures (TTPs) identified in attacks carried out by the APT28 threat group, mapped to MITRE ATT&CK. Technique IDs are given only where the original table recorded them.

| Tactic ID | Tactic | Technique ID | Technique |
|---|---|---|---|
| TA0043 | Reconnaissance | | Gather Victim Identity Information |
| | | | Phishing for Information |
| TA0042 | Resource Development | T1583 | Acquire Infrastructure |
| TA0001 | Initial Access | T1190 | Exploit Public-Facing Application |
| | | | External Remote Services |
| | | | Replication Through Removable Media |
| TA0002 | Execution | T1059 | Command and Scripting Interpreter |
| | | | Exploitation for Client Execution |
| TA0003 | Persistence | | Boot or Logon Autostart Execution |
| | | | Boot or Logon Initialization Scripts |
| | | | Event Triggered Execution |
| | | | External Remote Services |
| | | | Office Application Startup |
| | | | Server Software Component |
| TA0004 | Privilege Escalation | T1134 | Access Token Manipulation |
| | | | Event Triggered Execution |
| | | | Exploitation for Privilege Escalation |
| TA0005 | Defense Evasion | T1134 | Access Token Manipulation |
| | | | Deobfuscate/Decode Files or Information |
| | | | Exploitation for Defense Evasion |
| | | | Indicator Removal on Host |
| | | | Obfuscated Files or Information |
| | | | Signed Binary Proxy Execution |
| | | | Use Alternate Authentication Material |
| TA0006 | Credential Access | T1110 | Brute Force |
| | | | OS Credential Dumping |
| | | | Steal Application Access Token |
| TA0007 | Discovery | T1083 | File and Directory Discovery |
| | | | Peripheral Device Discovery |
| TA0008 | Lateral Movement | T1210 | Exploitation of Remote Services |
| | | | Replication Through Removable Media |
| | | | Use Alternate Authentication Material |
| TA0009 | Collection | T1560 | Archive Collected Data |
| | | | Data from Information Repositories |
| | | | Data from Local System |
| | | | Data from Network Shared Drive |
| | | | Data from Removable Media |
| TA0011 | Command and Control | T1071 | Application Layer Protocol |
| | | | Communication Through Removable Media |
| | | | Ingress Tool Transfer |
| TA0010 | Exfiltration | T1030 | Data Transfer Size Limits |
| | | | Exfiltration Over Alternative Protocol |
| | | | Exfiltration Over Web Service |
| TA0040 | Impact | T1498 | Network Denial of Service |
Group’s Malware / Utility
Malware and utilities used by FANCY BEAR are listed below:
- X-Agent for Android
Leaking Information of Group Members
In a post from the darknet, it was claimed that the information of some of the group members was leaked.
Yara rules are used to classify malware and identify malicious code. From a matching Yara rule we can learn which malware family a detected sample belongs to, or which threat group is known to use it.
You can find the Yara rules written for APT 28 below:
Examining the cases encountered, the group mostly sought to gain initial access through phishing attacks and by exploiting vulnerabilities found in existing systems. Precautions should therefore be taken against the attack vectors used by APT28 in order to protect against possible attacks.
To protect assets in the digital world, recommendations for closing security vulnerabilities and hardening device configuration so as to minimize the risk of exploitation are listed below.
- Make sure that users in the system have only the least privileges they need.
- Shared IoCs should be added to security solutions.
- Multi-factor authentication (MFA) must be used for all users, including privileged accounts.
- IDS/IPS systems that use network signatures should be deployed to identify network traffic generated by malware.
- Antivirus/anti-malware software should be used to automatically quarantine suspicious files.
- As far as possible, the use of removable media such as USB devices should be prohibited or restricted within the organization.
- A web proxy should be used to block the use of web-based external services.
- A Web Application Firewall (WAF) should be used to prevent exploit traffic from reaching the target application.
- Patches published for the external software in use should be followed and applied regularly.