Advanced Persistent Threat 28 (APT28), also known as Fancy Bear, is a notorious cyber espionage group linked to a Russian military intelligence unit that has repeatedly captured global attention with their brazen cyber assaults. These attacks have targeted a wide range of entities, including government institutions, military organizations, media outlets, and private corporations. Believed to be connected to Russian military intelligence, APT28 has orchestrated numerous high-profile attacks with motives deeply intertwined with global political agendas.
This article provides the latest updates on APT28 and recaps what it is and does. It also explores the origin and history of the infamous Fancy Bear, its engagement in state-sponsored operations, its involvement in landmark cyber attacks, its modus operandi, and the broader impact of its activities on international security.
What is APT28?
APT28 is one of the most significant Russian-based advanced persistent threat groups that is believed to have commenced its operations in the mid-2000s, with a primary focus on exploiting governmental, military, and geopolitical targets across the western, Transcaucasian and NATO-aligned states nations. The technical sophistication and volume of their cyber attacks indicate a well-funded and highly skilled organization, suggesting solid connections with state apparatuses. Cybersecurity experts have closely monitored their activities, which consistently point back to Russia.
Geopolitical Interests of APT28
The operations of Fancy Bear often reflect broader Russian geopolitical interests. Similar to other Russian threat groups like APT29, their targets are predominantly political rivals of the Russian state, including NATO members and European Union countries. Through cyber espionage, disinformation campaigns, and targeted leaks, Fancy Bear works to advance Russian strategic goals, including undermining adversaries’ political stability, shaping public opinion, and disrupting international alliances.
Evidence strongly suggests that Fancy Bear is a state-sponsored entity, closely linked to Russia’s military intelligence agency, the GRU. Their operations exhibit a level of sophistication and resource allocation that typical cybercriminal groups can rarely achieve independently. Moreover, the strategic nature of their targets and alignment with Russian geopolitical interests further substantiates their state-sponsored status. In recent years, US law enforcement agencies have issued multiple warnings regarding the increasing threat of Russian threat actors to the country’s critical infrastructure.
Russia-Ukraine War and Role of APT28
Especially with the Russia-Ukraine war, APT28’s operations have escalated tensions between Russia and other nations, particularly those supporting Ukraine. These cyber activities have led to increased international condemnation and have prompted enhanced cybersecurity measures and cooperation among Western allies. The group’s persistent cyber warfare against NATO countries increased and highlights the evolving nature of modern conflicts, where information and cyber warfare play a crucial role alongside traditional military actions.
APT28 Nomenclature – Attribution and Challenges
Various cybersecurity firms have given the group’s nomenclature. APT28 was assigned by Mandiant, Fancy Bear by Crowdstrike, Pawn Storm, Sofacy Group (by Kaspersky), Sednit, Tsar Team (by FireEye), G0007 by Mitre, and STRONTIUM or Forest Blizzard (by Microsoft). Each firm has assigned a unique name to the same group to establish its presence and significance over the other. However, there has always been confusion in the cybersecurity community due to multiple nomenclatures for the same threat group. However, this attribution to the threat group is based on various factors, including the group’s choice of targets, working hours aligning with Russian time zones, and linguistic analysis of the malware code, which often includes Russian language settings.
Attributing cyberattacks to specific threat actors like APT28 is a complex task. While technical indicators and patterns of behaviour provide valuable clues, definitive attribution often relies on a combination of technical, contextual, and intelligence analysis. The difficulty of attribution allows state-sponsored groups to operate with a degree of plausible deniability, complicating efforts to hold them accountable.
How Does APT28 Work?
Over the years, Fancy Bear has refined its tactics, developing a vast arsenal of techniques and tools to exploit vulnerabilities in the establishments and harvest critical data. Here are some of the significant ways that the APT28 works:
APT28 Agendas and Objectives
- Escalating Geopolitical Tensions and Undermining International Alliances:
- Escalating Geopolitical Tensions: APT28’s activities have contributed to escalating tensions between Russia and other countries, particularly the United States and European nations. The group’s involvement in high-profile incidents fuels accusations of election interference and cyber warfare. These tensions have led to diplomatic repercussions, including sanctions and retaliatory measures.
- NATO and EU: APT28 targets NATO and European Union member states to weaken these alliances, sow discord among member countries, and reduce their collective effectiveness in countering Russian influence.
- Target International Organizations: Attacks on international organizations, such as the United Nations and the Organization for Security and Co-operation in Europe (OSCE), aim to disrupt their operations and reduce their ability to mediate conflicts or enforce international norms.
- Intellectual Property Theft:
- Economic Advantage: By stealing proprietary information, trade secrets, and intellectual property from corporations, research institutions, and technology firms, APT28 aims to provide Russian entities with a competitive edge in various industries, including aerospace, defense, pharmaceuticals, and energy.
- Innovation Sabotage: The group may also target research and development projects to sabotage innovation in other countries, slowing their technological progress while advancing Russia’s capabilities.
- Military and Defense Intelligence:
- Operational Insight: APT28 targets military and defense organizations to gain insights into operational plans, strategies, and capabilities. This information helps the Russian military in planning and executing its own operations and countering adversary strategies.
- Technological Advantage: By exfiltrating information about advanced military technologies and weapon systems, the group aims to enhance Russia’s defense capabilities and close technological gaps with other military powers.
- Political Espionage:
- Policy Influence: APT28 conducts cyber espionage against government officials, diplomats, and political organizations to gather intelligence on policy-making processes, diplomatic negotiations, and strategic decisions. This information enables Russia to influence international relations and geopolitical dynamics.
- Election Interference: Beyond direct attacks on electoral infrastructure, the group gathers intelligence on political parties, candidates, and their strategies to manipulate election outcomes and sow discord among political entities.
- Economic Disruption:
- Financial Systems: APT28 targets financial institutions, stock exchanges, and payment systems to disrupt economic stability, potentially causing financial loss and undermining confidence in financial systems.
- Critical Infrastructure: Attacks on critical infrastructure, such as power grids, transportation systems, and communication networks, can cause significant economic disruption and create leverage for geopolitical negotiations.
- Surveillance and Data Gathering:
- Mass Surveillance: The group conducts mass data collection operations to monitor communications, track individuals of interest, and gather bulk intelligence on populations. This data can be used for both strategic and tactical purposes.
- Target Profiling: Detailed profiling of individuals, organizations, and institutions helps in identifying vulnerabilities, planning future operations, and creating detailed intelligence dossiers.
- Disinformation and Psychological Operations:
- Information Warfare: APT28’s use of cyberattacks to influence public opinion and discredit adversaries is a prime example of information warfare. By leaking stolen data and spreading disinformation, the group seeks to manipulate narratives and undermine trust in institutions. This tactic has far-reaching implications for democratic processes and the integrity of information in the digital age.
- Narrative Control: By spreading disinformation and manipulating public discourse, APT28 aims to control narratives, shape public opinion, and create confusion and mistrust within societies.
- Cognitive Warfare: Psychological operations are designed to demoralize adversaries, erode social cohesion, and create internal divisions, thereby weakening the target society’s ability to respond effectively to crises.
- Cyber Warfare Preparation:
- Capability Development: Through its operations, APT28 continuously hones its cyber capabilities, testing new tools, techniques, and procedures. This ongoing development ensures the group remains at the forefront of cyber warfare tactics.
- Battlefield Preparation: By infiltrating critical infrastructure and strategic systems in potential adversary states, the group prepares the battlefield for future conflicts, ensuring Russia can launch crippling cyberattacks if conventional warfare breaks out.
- Counter-Intelligence:
- Neutralizing Threats: APT28 targets foreign intelligence agencies and counter-intelligence units to identify and neutralize threats to Russian operations. This includes uncovering spies, disrupting intelligence-sharing alliances, and compromising counter-intelligence efforts.
- Defensive Espionage: Gathering intelligence on adversary intelligence operations helps Russia defend against espionage, sabotage, and other covert activities targeting its interests.
APT28 Attacks List
APT28 has been linked to several high-profile cyber espionage campaigns and disruptive attacks over the years. These incidents illustrate the group’s capability to conduct complex operations with far-reaching consequences. Some of the most notable incidents in recent times include:
List of Notable APT28 Cyber Attacks:
- In June 2024, Mandiant reported that of the seven Russia-backed groups observed targeting Brazil, over 95% of the phishing activity targeting users in Brazil comes from one group, APT28 (aka FROZENLAKE).
- In May 2024, the United States condemned the malicious cyber activity targeting Germany, Czechia, and Other EU Member States. According to the U.S. Department of Justice, APT28 leveraged a network of hundreds of small office/home office routers to conceal and carry out malicious activity, including the exploitation of CVE-2023-23397 against targets in Germany.
- A January 2024 SEC filing reported by Microsoft revealed that the company detected a cyber incident that began in late November 2023. A nation-state-sponsored threat actor had gained access to and exfiltrated information from Microsoft employees’ email accounts, including members of our senior leadership team and employees in cybersecurity, legal, and other functions.
- In April 2023, the UK’s National Cyber Security Center (NCSC UK) and its US counterpart, CISA, warned about APT28 actors exploiting poorly maintained Cisco routers. According to the warnings, APT28 exploits known vulnerabilities to carry out reconnaissance and deploy malware on Cisco routers. APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.
- APT28 was also known in the past for its involvement in a wide range of malign cyber activities, including cyber activities aimed at interfering in the 2016 U.S. presidential elections and sustained hack-and-leak operations targeting the World Anti-Doping Agency (WADA) that intended to undermine and sow doubt in the organization’s integrity.
- As per online reports, In January 2018, the Fancy Bear hack team leaked stolen details allegedly associated with the International Olympic Committee (IOC) and the U.S. Olympic Committee.
- FireEye, now Mandiant, reported in 2014 that the APT28 group is involved in targeting Journalists and high-profile individuals across NATO countries.
APT28 Mitre Attack TTPs (Tactics Techniques and Procedures)
Fancy Bear employs a diverse set of techniques, including spear-phishing, malware deployment, and exploiting zero-day vulnerabilities. Their arsenal includes custom-developed malware like Sofacy, X-Agent, and GAMEFISH, designed to infiltrate, persist, and exfiltrate data from targeted systems. This group’s ability to adapt and adopt new cyber strategies and tools makes it a formidable opponent in the cyber domain.
The MITRE ATT&CK framework categorizes tactics, techniques, and procedures (TTPs) used by adversaries in cyber operations. APT28 (Fancy Bear), employs a wide range of TTPs across the various stages of an attack lifecycle. The group’s activities cover a wide range of tactics, demonstrating their sophisticated and persistent nature in cyber operations. Below is an extensive list of TTPs attributed to APT28, formatted in a table according to the MITRE ATT&CK framework:
MITRE ATT&CK TTPs for APT28 (Fancy Bear):
| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1566.001 | Spear Phishing Attachment | APT28 uses spear-phishing emails with malicious attachments to gain initial access. |
| T1078 | Valid Accounts | APT28 uses stolen credentials to gain access to target systems. | |
| T1190 | Exploit Public-Facing Application | Exploits vulnerabilities in public-facing applications to gain access. | |
| T1133 | External Remote Services | Uses external remote services like VPNs and RDP for initial access. | |
| Execution | T1059.001 | PowerShell | Executes malicious scripts using PowerShell. |
| T1059.003 | Windows Command Shell | Uses cmd.exe to execute commands on Windows systems. | |
| T1203 | Exploitation for Client Execution | Exploits software vulnerabilities to execute code. | |
| T1105 | Ingress Tool Transfer | Transfers tools from external systems to compromised hosts. | |
| Persistence | T1053.005 | Scheduled Task | Uses scheduled tasks for persistent access. |
| T1547.001 | Registry Run Keys / Startup Folder | Modifies registry run keys or startup folders to achieve persistence. | |
| T1078 | Valid Accounts | Maintains access using stolen credentials. | |
| T1136.001 | Create Account: Local Account | Creates new local user accounts for persistence. | |
| Privilege Escalation | T1055.012 | Process Injection: Process Hollowing | Injects malicious code into legitimate processes to escalate privileges. |
| T1068 | Exploitation for Privilege Escalation | Exploits vulnerabilities to gain higher privileges. | |
| T1078 | Valid Accounts | Uses stolen credentials with higher privileges. | |
| Defense Evasion | T1070.006 | Timestamp | Modifies file timestamps to evade detection. |
| T1070.004 | File Deletion | Deletes files to cover tracks. | |
| T1140 | Deobfuscate/Decode Files or Information | Uses deobfuscation or decoding to conceal malicious activities. | |
| T1027 | Obfuscated Files or Information | Uses obfuscation techniques to evade detection. | |
| T1562.001 | Disable or Modify Tools: Disable Security Tools | Disables security tools to avoid detection. | |
| Credential Access | T1003.001 | LSASS Memory | Dumps credentials from LSASS memory. |
| T1555.003 | Credentials from Web Browsers | Extracts stored credentials from web browsers. | |
| T1110.001 | Password Guessing | Uses brute force or password guessing techniques to obtain credentials. | |
| T1552.001 | Unsecured Credentials: Credentials in Files | Searches for credentials stored in files on compromised hosts. | |
| Discovery | T1083 | File and Directory Discovery | Enumerates files and directories on compromised hosts. |
| T1016 | System Network Configuration Discovery | Gathers network configuration information. | |
| T1046 | Network Service Scanning | Scans for open network services. | |
| T1082 | System Information Discovery | Collects system information such as OS, hardware, etc. | |
| T1057 | Process Discovery | Enumerates running processes on a system. | |
| T1018 | Remote System Discovery | Identifies remote systems on a network. | |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol (RDP) | Uses RDP for lateral movement. |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | Uses SMB and Windows admin shares for lateral movement. | |
| T1075 | Pass the Hash | Uses hash values to authenticate and move laterally. | |
| T1091 | Replication Through Removable Media | Spreads malware via removable media. | |
| Collection | T1005 | Data from Local System | Collects data stored on local systems. |
| T1074.001 | Data Staged: Local Data Staging | Stages collected data on local systems before exfiltration. | |
| T1119 | Automated Collection | Uses automated scripts or tools to collect data. | |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Exfiltrates data through command and control channels. |
| T1567.002 | Exfiltration Over Web Service | Uses web services for data exfiltration. | |
| T1020 | Automated Exfiltration | Automatically exfiltrates collected data. | |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Uses HTTP/HTTPS for command and control communication. |
| T1090.001 | Proxy: Internal Proxy | Uses internal proxies to relay C2 traffic. | |
| T1105 | Ingress Tool Transfer | Downloads additional tools from external servers. | |
| T1008 | Fallback Channels | Uses multiple C2 channels to ensure communication redundancy. | |
| Impact | T1485 | Data Destruction | Deletes or destroys data on compromised systems. |
| T1499 | Endpoint Denial of Service | Disrupts the availability of endpoints. | |
| T1565.001 | Data Manipulation: Stored Data Manipulation | Alters data stored on compromised systems. |
Table: APT28 Mitre Att&ck TTPs
In addition, see the below figure for the APT28 (Fancy Bear) TTPs in the Mitre Att&ck matrix view.
APT28 IOCs
Several law enforcement agencies issued advisories related to APT28 IOCs, and here are some of those IOCs consolidated from various sources, including NCSC UK, Logpoint, Mandiant, US CISA, etc.
IP Address attributed to APT28
- 139[.]5[.]177[.]205
- 80[.]255[.]6[.]15
- 89[.]34[.]111[.]107
- 86[.]106[.]131[.]229
- 139[.]5[.]177[.]206
- 185[.]181[.]102[.]203
- 185[.]181[.]102[.]204
- 169[.]239[.]129[.]31
- 213[.]252[.]247[.]112
- 185[.]86[.]148[.]15
- 89[.]45[.]67[.]110
- 185[.]86[.]150[.]205
- 193[.]37[.]255[.]10
- 195[.]12[.]50[.]171
- 51[.]38[.]128[.]110
- 185[.]144[.]83[.]124
- 185[.]216[.]35[.]10
- 185[.]94[.]192[.]122
- 185[.]216[.]35[.]7
- 103[.]253[.]41[.]124
- 185[.]189[.]112[.]195
- 185[.]230[.]124[.]246
- 87[.]120[.]254[.]106
- 77[.]81[.]98[.]122
- 89[.]34[.]111[.]132
- 46[.]21[.]147[.]55
- 103[.]208[.]86[.]57
- 185[.]128[.]24[.]104
- 145[.]239[.]67[.]8
- 185[.]210[.]219[.]250
- 86[.]105[.]9[.]174
- 89[.]34[.]111[.]107
Domains attributed to APT28
- malaytravelgroup[.]com
- worldimagebucket[.]com
- fundseats[.]com
- globaltechengineers[.]org
- beststreammusic[.]com
- thepiratecinemaclub[.]org
- coindmarket[.]com
- creekcounty[.]net
- virtsvc[.]com
- moderntips[.]org
- daysheduler[.]org
- escochart[.]com
- loungecinemaclub[.]com
- genericnetworkaddress[.]com
- bulgariatripholidays[.]com
- georgia-travel[.]org
- bbcweather[.]org
- politicweekend[.]com
- truefashionnews[.]com
- protonhardstorage[.]com
- moldtravelgroup[.]com
- iboxmit[.]com
- brownvelocity[.]org
- pointtk[.]com
- narrowpass[.]net
- powernoderesources[.]com
- topcinemaclub[.]com
- fundseats[.]com
- kavkazcentr[.]info
- rnil[.]am
- standartnevvs[.]com
- novinitie[.]com
- n0vinite[.]com
- qov[.]hu[.]com
- q0v[.]pl
- mail[.]g0v[.]pl
- poczta[.]mon[.]q0v[.]pl
- baltichost[.]org
- nato[.]nshq[.]in
- natoexhibitionff14[.]com
- login-osce[.]org
- smigroup-online[.]co[.]uk
Vulnerabilities (CVEs) exploited by APT28
- CVE-2017-0144
- CVE-2013-3897
- CVE-2014-1776
- CVE-2012-0158
- CVE-2015-5119
- CVE-2013-3906
- CVE-2015-7645
- CVE-2015-2387
- CVE-2010-3333
- CVE-2015-1641
- CVE-2013-1347
- CVE-2015-3043
- CVE-2015-1642
- CVE-2015-2590
- CVE-2015-1701
- CVE-2015-4902
- CVE-2017-0262
- CVE-2017-6742
- CVE-2017-0263
- CVE-2014-4076
- CVE-2014-0515
- CVE-2022-30190
- CVE-2021-34527
- CVE-2021-1675
- CVE-2022-38028
- CVE-2023-23397
- CVE-2023-38831
Note that the IOCs evolve from time to time so monitor the threat landscape regularly for the latest TTPs and IOCs related to cyber threats.
Impact of APT28 Cyber Attacks?
APT28’s activities have far-reaching implications for global cybersecurity, geopolitics, and international relations. The group’s actions highlight the growing trend of state-sponsored cyber espionage and its potential to disrupt democratic processes, steal intellectual property, and compromise national security. APT28’s cyber espionage campaigns have exposed vulnerabilities in the cybersecurity defences of numerous countries and organizations. The group’s ability to infiltrate high-value targets and exfiltrate sensitive data underscores the need for robust cybersecurity measures. Governments and organizations must invest in advanced threat detection and response capabilities to defend against such sophisticated adversaries.
Fancy Bear’s aggressive strategies and operations significantly impact global security. By compromising critical infrastructures and political entities, they destabilize target nations, erode trust in democratic processes, and foster global insecurity. Their activities have led to increased tensions among nations, prompted extensive diplomatic confrontations, and underscored the urgent need for improved global cybersecurity protocols.
Fancy Bear, or APT28, epitomizes the convergence of cyber capabilities and geopolitical aspirations. Their sophisticated operations, likely state-sponsored backing, and significant impact on global affairs underscore their status as a major player in the field of cyber espionage. The international community must remain vigilant and collaborative in developing defences to mitigate the threats posed by such advanced persistent threats, ensuring a more secure and stable global cyber environment.
How to Prevent APT28 Cyber Attacks?
Preventing cyber attacks is imperative to organizations globally, and it is recommended that companies take necessary measures to tackle such sophisticated cyber threats. Following are some of the recommended measures to prevent APT28 cyber attacks:
- Implement strong password policies
- Adopt the principle of lease privilege and Zero Trust
- Deploy mandatory enterprise-wise multi-factor authentication (MFA)
- Regularly audit privileged accounts
- Train employees about social engineering and phishing attacks
- Perform regular phishing email simulations
- Conduct regular tabletop exercises and incident response readiness drills
- Implement a robust backup strategy
- Patch vulnerabilities and update software regularly
- Deploy adequate security solutions that can detect and trace the complete tracks of intrusion without any gaps in detection.
- Adopt a proactive security mindset by encouraging threat intelligence and threat hunting to understand the cyber threat landscape.
See our recent article “How Can Cyber Attacks Be Prevented in 2024?” to understand various measures you can take to prevent cyber attacks.
For more cybersecurity news and updates, follow us on Cybersecurity – The SOC Labs.
Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.