APT28 | APT Profile

Description

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).

Techniques Used (TTPs)

T1003.003 — NTDS (credential-access)
T1589.001 — Credentials (reconnaissance)
T1591 — Gather Victim Org Information (reconnaissance)
T1564.001 — Hidden Files and Directories (defense-evasion)
T1583.003 — Virtual Private Server (resource-development)
T1596 — Search Open Technical Databases (reconnaissance)
T1583.001 — Domains (resource-development)
T1070.006 — Timestomp (defense-evasion)
T1090.002 — External Proxy (command-and-control)
T1566.001 — Spearphishing Attachment (initial-access)
T1059.001 — PowerShell (execution)
T1048.002 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (exfiltration)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1203 — Exploitation for Client Execution (execution)
T1586.002 — Email Accounts (resource-development)
T1114.002 — Remote Email Collection (collection)
T1505.003 — Web Shell (persistence)
T1584.008 — Network Devices (resource-development)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1037.001 — Logon Script (Windows) (persistence, privilege-escalation)
T1588.002 — Tool (resource-development)
T1564.003 — Hidden Window (defense-evasion)
T1090.003 — Multi-hop Proxy (command-and-control)
T1567 — Exfiltration Over Web Service (exfiltration)
T1056.001 — Keylogging (collection, credential-access)
T1083 — File and Directory Discovery (discovery)
T1190 — Exploit Public-Facing Application (initial-access)
T1669 — Wi-Fi Networks (initial-access)
T1039 — Data from Network Shared Drive (collection)
T1113 — Screen Capture (collection)
T1110.001 — Password Guessing (credential-access)
T1070.001 — Clear Windows Event Logs (defense-evasion)
T1583.006 — Web Services (resource-development)
T1057 — Process Discovery (discovery)
T1189 — Drive-by Compromise (initial-access)
T1595.002 — Vulnerability Scanning (reconnaissance)
T1546.015 — Component Object Model Hijacking (privilege-escalation, persistence)
T1199 — Trusted Relationship (initial-access)
T1120 — Peripheral Device Discovery (discovery)
T1059.003 — Windows Command Shell (execution)
T1557.004 — Evil Twin (credential-access, collection)
T1498 — Network Denial of Service (impact)
T1070.004 — File Deletion (defense-evasion)
T1560 — Archive Collected Data (collection)
T1105 — Ingress Tool Transfer (command-and-control)
T1598 — Phishing for Information (reconnaissance)
T1559.002 — Dynamic Data Exchange (execution)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1119 — Automated Collection (collection)
T1078.004 — Cloud Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1221 — Template Injection (defense-evasion)
T1005 — Data from Local System (collection)
T1213.002 — Sharepoint (collection)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1025 — Data from Removable Media (collection)
T1071.001 — Web Protocols (command-and-control)
T1213 — Data from Information Repositories (collection)
T1218.011 — Rundll32 (defense-evasion)
T1560.001 — Archive via Utility (collection)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1598.003 — Spearphishing Link (reconnaissance)
T1542.003 — Bootkit (persistence, defense-evasion)
T1071.003 — Mail Protocols (command-and-control)
T1036 — Masquerading (defense-evasion)
T1210 — Exploitation of Remote Services (lateral-movement)
T1014 — Rootkit (defense-evasion)
T1204.002 — Malicious File (execution)
T1550.001 — Application Access Token (defense-evasion, lateral-movement)
T1030 — Data Transfer Size Limits (exfiltration)
T1134.001 — Token Impersonation/Theft (defense-evasion, privilege-escalation)
T1074.002 — Remote Data Staging (collection)
T1092 — Communication Through Removable Media (command-and-control)
T1098.002 — Additional Email Delegate Permissions (persistence, privilege-escalation)
T1003 — OS Credential Dumping (credential-access)
T1040 — Network Sniffing (credential-access, discovery)
T1068 — Exploitation for Privilege Escalation (privilege-escalation)
T1137.002 — Office Test (persistence)
T1528 — Steal Application Access Token (credential-access)
T1110.003 — Password Spraying (credential-access)
T1204.001 — Malicious Link (execution)
T1133 — External Remote Services (persistence, initial-access)
T1102.002 — Bidirectional Communication (command-and-control)
T1001.001 — Junk Data (command-and-control)
T1211 — Exploitation for Defense Evasion (defense-evasion)
T1003.001 — LSASS Memory (credential-access)
T1573.001 — Symmetric Cryptography (command-and-control)
T1074.001 — Local Data Staging (collection)
T1091 — Replication Through Removable Media (lateral-movement, initial-access)
T1110 — Brute Force (credential-access)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)

Total TTPs: 91

Malware & Tools

Malware: ADVSTORESHELL, CHOPSTICK, CORESHELL, Cannon, DealersChoice, Downdelph, Drovorub, Fysbis, HIDEDRV, JHUHUGIT, Komplex, LoJax, OLDBAIT, USBStealer, XAgentOSX, XTunnel, Zebrocy, reGeorg

Tools: Forfiles, Koadic, Mimikatz, Net, Responder, Tor, Wevtutil, Winexe, certutil, cipher.exe

← Return to Home ← Back to APT Search