Fancy Bear aligns to APT28, but vendor cluster names do not map 1:1 onto campaigns, so a name match is not proof that two reported campaigns are the same activity. [[Cozy Bear]] is a different group (APT29, also tracked as Midnight Blizzard) and is frequently confused with APT28.
AKA:
- [[Forest Blizzard]]
- [[Unit 26165]]
- [[Blue Delta]]
- [[Fancy Bear]]
Also known as Group 74, Pawn Storm, Sednit, Snakemackerel, Sofacy, STRONTIUM, TG-4127, Tsar Team, and Iron Twilight. APT28 has been active since at least 2004.[^5] The group led a phishing attack against the Iranian Embassy in Albania, using an imitation web login interface to steal credentials.[^1] APT28 mainly exfiltrates data over HTTP and SMTP.[^2] To reach air-gapped networks it relies on local file copying.[^2] The backdoor creates a temporary file to hold the records read from a newly created Windows mailslot; the mailslot records are RC4-encrypted, and the temporary file's contents are Base64-encoded.[^2] A separate thread records user activity on the infected host.[^2] Once the data has been collected, the backdoor deletes the temporary file.[^2] Alternatively, the data is sent as an SMTP attachment named "detaluri". APT28 is associated with the GRU and typically targets the healthcare, aerospace, defense, energy, government, military, and media sectors. The group stole data from the 2016 Clinton campaign.
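The staging format described above, as an added example that is not code from this note or from the cited report: RC4 implemented from scratch, each mailslot record encrypted and length-framed, and the whole temporary file Base64-encoded, with the decoder an analyst would write to read such a file back. The 4-byte little-endian length prefix, the key and the sample records are assumptions for illustration; the report gives neither the framing nor the key. The last function shows the consequence of a fixed RC4 key reused across records (also an assumption here): one known record recovers the keystream prefix and decrypts the others without the key.

```python
"""Model of the staging described above: each mailslot record is RC4-encrypted
and length-framed, and the whole temporary file is Base64-encoded. The 4-byte
little-endian length prefix, the key and the sample records are assumptions
for this example; the cited report does not give the framing or the key."""
import base64
import struct


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for key: key-scheduling, then generation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def stage_records(key: bytes, records: list[bytes]) -> bytes:
    """Encrypt each record with RC4, prefix its length, Base64 the whole file."""
    framed = b"".join(struct.pack("<I", len(r)) + rc4(key, r) for r in records)
    return base64.b64encode(framed)


def unstage_records(key: bytes, blob: bytes) -> list[bytes]:
    """Reverse stage_records: Base64-decode, walk the frames, decrypt each."""
    framed = base64.b64decode(blob, validate=True)
    records, pos = [], 0
    while pos < len(framed):
        if pos + 4 > len(framed):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("<I", framed, pos)
        pos += 4
        if pos + n > len(framed):
            raise ValueError("truncated record")
        records.append(rc4(key, framed[pos:pos + n]))
        pos += n
    return records


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_other: bytes) -> bytes:
    """If every record is encrypted under the same RC4 key (assumed here),
    every record shares the same keystream. One record whose plaintext is
    known (a fixed log header, say) yields the keystream prefix, which then
    decrypts the first len(pt_known) bytes of any other record without the key."""
    keystream = bytes(c ^ p for c, p in zip(ct_known, pt_known))
    return bytes(c ^ k for c, k in zip(ct_other, keystream))


if __name__ == "__main__":
    key = b"assumed-key"                       # placeholder, not a real key
    records = [b"2025-05-12 09:14 user logon: jdoe",
               b"copied \\\\share\\docs\\plan.pdf"]
    blob = stage_records(key, records)
    print(blob.decode())
    print(unstage_records(key, blob))
```

The known-plaintext function is the reason this design matters to a defender: RC4 without a per-record nonce gives identical keystreams, so a single recovered record (or a guessable header) opens the rest of a staged file.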
APT28 has been reported targeting pharmaceutical companies and clinical researchers to steal COVID-19 vaccine and treatment research.[^3] Note that the cited source concerns Midnight Blizzard, Microsoft's name for APT29 (Cozy Bear), not APT28, so this claim may reflect the conflation noted above. APT28 is assessed to be the Russian GRU 85th Main Special Service Center (GTsSS), military unit 26165.[^4] The group compromised edge routers to collect credentials and NTLMv2 digests, proxy network traffic, and host spear-phishing pages; the routers were enrolled in a botnet, and APT28 established reverse SSH tunnels to reach the compromised devices.[^4] Fancy Bear has compromised French government bodies, research institutions, think tanks, and other entities.[^5] Its focus is espionage, using phishing and brute-force attacks run from low-cost, disposable infrastructure.[^5] It targeted the 2024 Olympics and the 2017 French elections,[^5] and it targets Western logistics and technology firms supporting Ukraine.[^5] Unit 26165 targeted entities in Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States.[^6] In credential-guessing operations it uses Tor and commercial VPNs and rotates IP addresses.[^6] Its spear-phishing campaigns use multi-stage redirectors that check the victim's IP geolocation and browser fingerprint; endpoints that fail these checks are sent to a benign URL rather than to the malicious infrastructure, so a sandbox or analyst fetching the lure from the wrong network may see only a harmless page.[^6] Webhook[.]site, FrgeIO, InfinityFree, Dynu, Mocky, Pipedream, and Mockbin[.]org have been used as redirector services.[^6] The group weaponized an Outlook NTLM-leak vulnerability (CVE-2023-23397).[^6] Native and publicly available tools observed include Impacket and PsExec.[^6] It uses RDP for lateral movement, dumps Active Directory databases, and has used Certipy and ADExplorer.exe against Active Directory.[^6] Data is exfiltrated with an OpenSSH binary.[^6] For persistence, APT28 uses scheduled tasks, registry run keys, and malicious shortcuts in the Startup folder.[^6] It targeted IP cameras at key locations to track the movement of materiel into Ukraine.[^6] APT28 has also used Signal to deliver phishing lures.[^5] Earlier reporting describes code injects in watering hole attacks, malicious macros in MS Office files, and malicious RTF documents with embedded Flash code.[^7]
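A hunt for the redirector services listed above over web proxy logs, as an added example that is not from this note or from the cited advisory. The log format and every log line are constructed for the example; the apex domains (webhook.site, frge.io, infinityfree.com, infinityfreeapp.com, dynu.com, dynu.net, mocky.io, pipedream.net, mockbin.org) are my own mapping of the service names the advisory gives, are not exhaustive, and should be checked against your own intelligence. The hunt reconstructs each client's redirect chain from the 30x Location header, so the final landing page is visible for each source, which is what distinguishes a client that reached the credential page from one that was gated to the benign decoy.

```python
"""Hunt for spear-phishing redirect chains that start at one of the redirector
services named in the advisory. The proxy log format and the log lines below
are constructed for this example; the domain list is an assumed mapping of
the service names to apex domains and is not exhaustive."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed apex domains for the services the advisory names (check against your
# own intel; hosting providers often serve user content from further domains).
REDIRECTOR_SUFFIXES = (
    "webhook.site", "frge.io", "infinityfree.com", "infinityfreeapp.com",
    "dynu.com", "dynu.net", "mocky.io", "pipedream.net", "mockbin.org",
)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed proxy log: <timestamp> <src_ip> <method> <url> <status> <location|->
SAMPLE_LOG = [
    "2025-05-12T09:14:02Z 10.20.1.15 GET https://webhook.site/1c2d3e4f 302 https://run.mocky.io/v3/abc",
    "2025-05-12T09:14:03Z 10.20.1.15 GET https://run.mocky.io/v3/abc 302 https://login.example-mail.test/owa",
    "2025-05-12T09:14:04Z 10.20.1.15 GET https://login.example-mail.test/owa 200 -",
    "2025-05-12T09:20:11Z 10.20.1.22 GET https://www.example.com/ 200 -",
    # Same kind of lure fetched from a network that fails the gating checks:
    # the redirector hands out a benign decoy instead of the harvesting page.
    "2025-05-12T09:31:45Z 10.20.1.40 GET https://eoabcd.m.pipedream.net/ 302 https://news.example.org/",
    "2025-05-12T09:31:46Z 10.20.1.40 GET https://news.example.org/ 200 -",
]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_redirector(host: str) -> bool:
    """True if host is one of the redirector apex domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in REDIRECTOR_SUFFIXES)


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, _method, url, status, location = parts
    try:
        status = int(status)
    except ValueError:
        return None
    next_host = host_of(location) if status in REDIRECT_STATUSES and location != "-" else None
    return {"ts": ts, "src": src, "host": host_of(url), "status": status, "next_host": next_host}


def redirect_chains(lines):
    """Map src_ip -> list of host chains that begin at a redirector service.
    A chain follows each 30x Location to the client's next request for that
    host and stops at the first non-redirect response (the landing page)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    chains = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        consumed, found = set(), []
        for idx, ev in enumerate(events):
            if idx in consumed or not is_redirector(ev["host"]):
                continue
            chain, expected = [ev["host"]], ev["next_host"]
            for j in range(idx + 1, len(events)):
                if expected is None:
                    break
                if j in consumed or events[j]["host"] != expected:
                    continue            # unrelated traffic between hops
                consumed.add(j)         # a hop inside a chain must not start its own
                chain.append(events[j]["host"])
                expected = events[j]["next_host"]
            found.append(chain)
        if found:
            chains[src] = found
    return chains


if __name__ == "__main__":
    for src, found in redirect_chains(SAMPLE_LOG).items():
        for chain in found:
            print(f"{src}: {' -> '.join(chain)}")
```

Suffix matching on the apex domain is deliberate: these services hand each tenant a random subdomain or path, so exact-host indicators age out quickly while the apex stays constant. Treat a hit as a lead to pivot on, not a verdict; all of these services also carry legitimate developer traffic.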
[[CHOPSTICKS Backdoor]] – used by APT28
[[HPH Sector]] – targeted by APT28
[[ADVSTORESHELL]] – used by APT28
[[JHUHUGIT]] – TTP
[[Xtunnel]] – TTP
[[EdgeRouters]]
[[Moobot Botnet]] – used to compromise EdgeRouters
[[MASEPIE]] – written by APT28 actors
[[Oceanmap Stealer]]
[[HEADLACE]]
[[OCEANMAP]]
[[STEELHOOK]]
[[Russian IP Camera hacking]]
[[BEARDSHELL]]
[[SLIMAGENT]]
[[COVENANT]]
[[XAgent]] – malware embedded in a Ukrainian military application
Backlinks
[[2016 DNC Hack]]
[[Active Directory]]
[[ADExplore.exe]]
[[APT Groups]]
[[Botnet]]
[[Browser Fingerprinting]]
[[certipy]]
[[COVID-19]]
[[Data Exfiltration]]
[[Dynu]]
[[Forest Blizzard]]
[[France]]
[[FrgeIO]]
[[Impacket]]
[[Internet Routers]]
IP Addresses
[[Iran]]
[[Mockbin.org]]
[[Mocky]]
[[NTLMv2 Digests]]
[[Outlook NTLM Vulnerability]]
[[Phishing]]
[[Pipedream]]
[[PsExec]]
[[RC4]]
[[Registry Run Keys]]
[[Roundcube]]
Sources
[1] AhnLab, “ATIP_2023_Jul_Threat-Trend-Report-on-APT-Groups.” Accessed: Jan. 27, 2025. [Online]. Available: https://asec.ahnlab.com/wp-content/uploads/2023/09/ATIP_2023_Jul_Threat-Trend-Report-on-APT-Groups.pdf
[2] “Data Exfiltration,” Azeria-Labs. Accessed: Feb. 21, 2025. [Online]. Available: https://azeria-labs.com/data-exfiltration/
[3] HHS_MidnightBlizzard
[4] CISA
[5] CyberwireDaily
[6] “Russian GRU Targeting Western Logistics Entities and Technology Companies,” CISA Joint Cybersecurity Advisory 250521, May 21, 2025. [Online]. Available: https://www.ic3.gov/CSA/2025/250521.pdf
[7] “Enhanced Analysis of GRIZZLY STEPPE Activity,” NCCIC, Feb. 10, 2017.