APT28, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Group G0007 | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>APT28, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Group G0007 | MITRE ATT&CK®</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" 
aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a 
class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div class="group-nav-desktop-view"> <span class="heading" id="v-home-tab" aria-selected="false">GROUPS</span> <div class="sidenav"> <div class="sidenav-head" id="0-0"> <a href="/versions/v9/groups/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="admin@338-admin@338"> <a href="/versions/v9/groups/G0018/"> admin@338 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ajax Security Team-Ajax Security Team"> <a href="/versions/v9/groups/G0130/"> Ajax Security Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT-C-36-APT-C-36"> <a href="/versions/v9/groups/G0099/"> APT-C-36 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT1-APT1"> <a href="/versions/v9/groups/G0006/"> APT1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT12-APT12"> <a href="/versions/v9/groups/G0005/"> APT12 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT16-APT16"> <a href="/versions/v9/groups/G0023/"> APT16 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT17-APT17"> <a href="/versions/v9/groups/G0025/"> APT17 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT18-APT18"> <a href="/versions/v9/groups/G0026/"> APT18 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT19-APT19"> <a href="/versions/v9/groups/G0073/"> APT19 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="APT28-APT28"> <a href="/versions/v9/groups/G0007/"> APT28 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT29-APT29"> <a href="/versions/v9/groups/G0016/"> APT29 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT3-APT3"> <a href="/versions/v9/groups/G0022/"> APT3 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT30-APT30"> <a href="/versions/v9/groups/G0013/"> APT30 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT32-APT32"> <a href="/versions/v9/groups/G0050/"> APT32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT33-APT33"> <a href="/versions/v9/groups/G0064/"> APT33 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT37-APT37"> <a href="/versions/v9/groups/G0067/"> APT37 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT38-APT38"> <a href="/versions/v9/groups/G0082/"> APT38 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT39-APT39"> <a href="/versions/v9/groups/G0087/"> APT39 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT41-APT41"> <a href="/versions/v9/groups/G0096/"> APT41 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Axiom-Axiom"> <a href="/versions/v9/groups/G0001/"> Axiom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackOasis-BlackOasis"> <a href="/versions/v9/groups/G0063/"> BlackOasis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackTech-BlackTech"> <a href="/versions/v9/groups/G0098/"> BlackTech </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Blue Mockingbird-Blue Mockingbird"> <a href="/versions/v9/groups/G0108/"> Blue Mockingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bouncing Golf-Bouncing Golf"> <a href="/versions/v9/groups/G0097/"> Bouncing Golf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BRONZE BUTLER-BRONZE BUTLER"> <a 
href="/versions/v9/groups/G0060/"> BRONZE BUTLER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Carbanak-Carbanak"> <a href="/versions/v9/groups/G0008/"> Carbanak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Chimera-Chimera"> <a href="/versions/v9/groups/G0114/"> Chimera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cleaver-Cleaver"> <a href="/versions/v9/groups/G0003/"> Cleaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cobalt Group-Cobalt Group"> <a href="/versions/v9/groups/G0080/"> Cobalt Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CopyKittens-CopyKittens"> <a href="/versions/v9/groups/G0052/"> CopyKittens </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dark Caracal-Dark Caracal"> <a href="/versions/v9/groups/G0070/"> Dark Caracal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Darkhotel-Darkhotel"> <a href="/versions/v9/groups/G0012/"> Darkhotel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DarkHydrus-DarkHydrus"> <a href="/versions/v9/groups/G0079/"> DarkHydrus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DarkVishnya-DarkVishnya"> <a href="/versions/v9/groups/G0105/"> DarkVishnya </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Deep Panda-Deep Panda"> <a href="/versions/v9/groups/G0009/"> Deep Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dragonfly-Dragonfly"> <a href="/versions/v9/groups/G0035/"> Dragonfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dragonfly 2.0-Dragonfly 2.0"> <a href="/versions/v9/groups/G0074/"> Dragonfly 2.0 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DragonOK-DragonOK"> <a href="/versions/v9/groups/G0017/"> DragonOK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dust Storm-Dust 
Storm"> <a href="/versions/v9/groups/G0031/"> Dust Storm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Elderwood-Elderwood"> <a href="/versions/v9/groups/G0066/"> Elderwood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Equation-Equation"> <a href="/versions/v9/groups/G0020/"> Equation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Evilnum-Evilnum"> <a href="/versions/v9/groups/G0120/"> Evilnum </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN10-FIN10"> <a href="/versions/v9/groups/G0051/"> FIN10 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN4-FIN4"> <a href="/versions/v9/groups/G0085/"> FIN4 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN5-FIN5"> <a href="/versions/v9/groups/G0053/"> FIN5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN6-FIN6"> <a href="/versions/v9/groups/G0037/"> FIN6 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN7-FIN7"> <a href="/versions/v9/groups/G0046/"> FIN7 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN8-FIN8"> <a href="/versions/v9/groups/G0061/"> FIN8 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Fox Kitten-Fox Kitten"> <a href="/versions/v9/groups/G0117/"> Fox Kitten </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Frankenstein-Frankenstein"> <a href="/versions/v9/groups/G0101/"> Frankenstein </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GALLIUM-GALLIUM"> <a href="/versions/v9/groups/G0093/"> GALLIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gallmaker-Gallmaker"> <a href="/versions/v9/groups/G0084/"> Gallmaker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gamaredon Group-Gamaredon Group"> <a href="/versions/v9/groups/G0047/"> Gamaredon Group </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head" id="GCMAN-GCMAN"> <a href="/versions/v9/groups/G0036/"> GCMAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GOLD SOUTHFIELD-GOLD SOUTHFIELD"> <a href="/versions/v9/groups/G0115/"> GOLD SOUTHFIELD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gorgon Group-Gorgon Group"> <a href="/versions/v9/groups/G0078/"> Gorgon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Group5-Group5"> <a href="/versions/v9/groups/G0043/"> Group5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HAFNIUM-HAFNIUM"> <a href="/versions/v9/groups/G0125/"> HAFNIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Higaisa-Higaisa"> <a href="/versions/v9/groups/G0126/"> Higaisa </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Honeybee-Honeybee"> <a href="/versions/v9/groups/G0072/"> Honeybee </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Inception-Inception"> <a href="/versions/v9/groups/G0100/"> Inception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Indrik Spider-Indrik Spider"> <a href="/versions/v9/groups/G0119/"> Indrik Spider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ke3chang-Ke3chang"> <a href="/versions/v9/groups/G0004/"> Ke3chang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kimsuky-Kimsuky"> <a href="/versions/v9/groups/G0094/"> Kimsuky </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Lazarus Group-Lazarus Group"> <a href="/versions/v9/groups/G0032/"> Lazarus Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Leafminer-Leafminer"> <a href="/versions/v9/groups/G0077/"> Leafminer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Leviathan-Leviathan"> <a href="/versions/v9/groups/G0065/"> Leviathan </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Lotus Blossom-Lotus Blossom"> <a href="/versions/v9/groups/G0030/"> Lotus Blossom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Machete-Machete"> <a href="/versions/v9/groups/G0095/"> Machete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Magic Hound-Magic Hound"> <a href="/versions/v9/groups/G0059/"> Magic Hound </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="menuPass-menuPass"> <a href="/versions/v9/groups/G0045/"> menuPass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Moafee-Moafee"> <a href="/versions/v9/groups/G0002/"> Moafee </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mofang-Mofang"> <a href="/versions/v9/groups/G0103/"> Mofang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Molerats-Molerats"> <a href="/versions/v9/groups/G0021/"> Molerats </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MuddyWater-MuddyWater"> <a href="/versions/v9/groups/G0069/"> MuddyWater </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mustang Panda-Mustang Panda"> <a href="/versions/v9/groups/G0129/"> Mustang Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Naikon-Naikon"> <a href="/versions/v9/groups/G0019/"> Naikon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NEODYMIUM-NEODYMIUM"> <a href="/versions/v9/groups/G0055/"> NEODYMIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Night Dragon-Night Dragon"> <a href="/versions/v9/groups/G0014/"> Night Dragon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OilRig-OilRig"> <a href="/versions/v9/groups/G0049/"> OilRig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Operation Wocao-Operation Wocao"> <a href="/versions/v9/groups/G0116/"> Operation Wocao </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Orangeworm-Orangeworm"> <a href="/versions/v9/groups/G0071/"> Orangeworm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Patchwork-Patchwork"> <a href="/versions/v9/groups/G0040/"> Patchwork </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PittyTiger-PittyTiger"> <a href="/versions/v9/groups/G0011/"> PittyTiger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PLATINUM-PLATINUM"> <a href="/versions/v9/groups/G0068/"> PLATINUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Poseidon Group-Poseidon Group"> <a href="/versions/v9/groups/G0033/"> Poseidon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PROMETHIUM-PROMETHIUM"> <a href="/versions/v9/groups/G0056/"> PROMETHIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Putter Panda-Putter Panda"> <a href="/versions/v9/groups/G0024/"> Putter Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rancor-Rancor"> <a href="/versions/v9/groups/G0075/"> Rancor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rocke-Rocke"> <a href="/versions/v9/groups/G0106/"> Rocke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RTM-RTM"> <a href="/versions/v9/groups/G0048/"> RTM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sandworm Team-Sandworm Team"> <a href="/versions/v9/groups/G0034/"> Sandworm Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Scarlet Mimic-Scarlet Mimic"> <a href="/versions/v9/groups/G0029/"> Scarlet Mimic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sharpshooter-Sharpshooter"> <a href="/versions/v9/groups/G0104/"> Sharpshooter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sidewinder-Sidewinder"> <a href="/versions/v9/groups/G0121/"> Sidewinder </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head" id="Silence-Silence"> <a href="/versions/v9/groups/G0091/"> Silence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Silent Librarian-Silent Librarian"> <a href="/versions/v9/groups/G0122/"> Silent Librarian </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SilverTerrier-SilverTerrier"> <a href="/versions/v9/groups/G0083/"> SilverTerrier </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sowbug-Sowbug"> <a href="/versions/v9/groups/G0054/"> Sowbug </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Stealth Falcon-Stealth Falcon"> <a href="/versions/v9/groups/G0038/"> Stealth Falcon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Stolen Pencil-Stolen Pencil"> <a href="/versions/v9/groups/G0086/"> Stolen Pencil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Strider-Strider"> <a href="/versions/v9/groups/G0041/"> Strider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Suckfly-Suckfly"> <a href="/versions/v9/groups/G0039/"> Suckfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA459-TA459"> <a href="/versions/v9/groups/G0062/"> TA459 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA505-TA505"> <a href="/versions/v9/groups/G0092/"> TA505 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA551-TA551"> <a href="/versions/v9/groups/G0127/"> TA551 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Taidoor-Taidoor"> <a href="/versions/v9/groups/G0015/"> Taidoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TEMP.Veles-TEMP.Veles"> <a href="/versions/v9/groups/G0088/"> TEMP.Veles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="The White Company-The White Company"> <a href="/versions/v9/groups/G0089/"> The White Company </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Threat Group-1314-Threat Group-1314"> <a href="/versions/v9/groups/G0028/"> Threat Group-1314 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Threat Group-3390-Threat Group-3390"> <a href="/versions/v9/groups/G0027/"> Threat Group-3390 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Thrip-Thrip"> <a href="/versions/v9/groups/G0076/"> Thrip </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Tropic Trooper-Tropic Trooper"> <a href="/versions/v9/groups/G0081/"> Tropic Trooper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Turla-Turla"> <a href="/versions/v9/groups/G0010/"> Turla </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Volatile Cedar-Volatile Cedar"> <a href="/versions/v9/groups/G0123/"> Volatile Cedar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Whitefly-Whitefly"> <a href="/versions/v9/groups/G0107/"> Whitefly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Windigo-Windigo"> <a href="/versions/v9/groups/G0124/"> Windigo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Windshift-Windshift"> <a href="/versions/v9/groups/G0112/"> Windshift </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Winnti Group-Winnti Group"> <a href="/versions/v9/groups/G0044/"> Winnti Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WIRTE-WIRTE"> <a href="/versions/v9/groups/G0090/"> WIRTE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Wizard Spider-Wizard Spider"> <a href="/versions/v9/groups/G0102/"> Wizard Spider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ZIRCONIUM-ZIRCONIUM"> <a href="/versions/v9/groups/G0128/"> ZIRCONIUM </a> </div> </div> </div> <div class="group-nav-mobile-view"> <span class="heading" id="v-home-tab" aria-selected="false">GROUPS</span> <div class="sidenav"> 
<div class="sidenav-head" id="0-0"> <a href="/versions/v9/groups/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="9bc10ab42f5041809586a8061be87f54"> <span>A-B</span> <div class="expand-button collapsed" id="9bc10ab42f5041809586a8061be87f54-header" data-toggle="collapse" data-target="#9bc10ab42f5041809586a8061be87f54-body" aria-expanded="false" aria-controls="#9bc10ab42f5041809586a8061be87f54-body"></div> </div> <div class="sidenav-body collapse" id="9bc10ab42f5041809586a8061be87f54-body" aria-labelledby="9bc10ab42f5041809586a8061be87f54-header"> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-eb897c1f5ad6440c8f00aec9a67b84c6"> <a href="/versions/v9/groups/G0018/"> admin@338 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-8fd5ab8725924d97ba0b2eba004f2fee"> <a href="/versions/v9/groups/G0130/"> Ajax Security Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-c32bf624d6bf42ce95707467e8b90269"> <a href="/versions/v9/groups/G0099/"> APT-C-36 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-0c3154fe96b343078274c0dc2f23dda1"> <a href="/versions/v9/groups/G0006/"> APT1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-843a69656c2b482bb3b10d76f7c6e16f"> <a href="/versions/v9/groups/G0005/"> APT12 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-1ab49126b7894fcfae69deeac14618fc"> <a href="/versions/v9/groups/G0023/"> APT16 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f88228946e41453e92e38c5866a4212f"> <a href="/versions/v9/groups/G0025/"> APT17 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="9bc10ab42f5041809586a8061be87f54-26f2dc710f78450dbbc1be11faa21ddd"> <a href="/versions/v9/groups/G0026/"> APT18 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-1fdff936c860439ebe70a7ff3be5989d"> <a href="/versions/v9/groups/G0073/"> APT19 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="9bc10ab42f5041809586a8061be87f54-fb8607b2690341d89cde7ca7a69c91c6"> <a href="/versions/v9/groups/G0007/"> APT28 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-9e54c5fbd52e4859b9fc4fcf11335e4c"> <a href="/versions/v9/groups/G0016/"> APT29 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-3a223da5b87447f0bbd859a5bba79ce0"> <a href="/versions/v9/groups/G0022/"> APT3 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-0fc20a27442549099f96a0595e939e69"> <a href="/versions/v9/groups/G0013/"> APT30 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-311b6fd499004f0ab3c936b9a5db4817"> <a href="/versions/v9/groups/G0050/"> APT32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f2d9fa39e41344d3bb3e0d64ba14a219"> <a href="/versions/v9/groups/G0064/"> APT33 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-4706e13c21cf48e59061dbbaab2ecc84"> <a href="/versions/v9/groups/G0067/"> APT37 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-080b6603df0c41b394986e93492c6baa"> <a href="/versions/v9/groups/G0082/"> APT38 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-4df65ad27985448e8d0570867a13bf45"> <a href="/versions/v9/groups/G0087/"> APT39 </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-06a4b5899d3549e3aa5e4d4ac0adc511"> <a href="/versions/v9/groups/G0096/"> APT41 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f1cd11a66db84516a3520405067f85dc"> <a href="/versions/v9/groups/G0001/"> Axiom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-5fc1a029befe48b587d4dece1a6bfeeb"> <a href="/versions/v9/groups/G0063/"> BlackOasis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-7d8f8060918143018a61b7d75fae5d61"> <a href="/versions/v9/groups/G0098/"> BlackTech </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-3c28366e21404f609b54930888771a75"> <a href="/versions/v9/groups/G0108/"> Blue Mockingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-b83df494e0cf43a7a348dcfe001722de"> <a href="/versions/v9/groups/G0097/"> Bouncing Golf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-8080a2475195401ab077c1180ab335bb"> <a href="/versions/v9/groups/G0060/"> BRONZE BUTLER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="c9652acf849c48b6b237f8b1ebf4fe78"> <span>C-D</span> <div class="expand-button collapsed" id="c9652acf849c48b6b237f8b1ebf4fe78-header" data-toggle="collapse" data-target="#c9652acf849c48b6b237f8b1ebf4fe78-body" aria-expanded="false" aria-controls="#c9652acf849c48b6b237f8b1ebf4fe78-body"></div> </div> <div class="sidenav-body collapse" id="c9652acf849c48b6b237f8b1ebf4fe78-body" aria-labelledby="c9652acf849c48b6b237f8b1ebf4fe78-header"> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-db8b931f952d412e9d12e18c2c6681fc"> <a href="/versions/v9/groups/G0008/"> Carbanak </a> </div> </div> <div 
class="sidenav"> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel"
aria-labelledby="v-attckmatrix-tab"> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> APT28 </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v9/groups/G0007">APT28</a> is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="NSA/FBI Drovorub August 2020"><sup><a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> This group has been active since at least 2004.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Ars Technica GRU indictment Jul 2018"><sup><a href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Crowdstrike DNC June 2016"><sup><a 
href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> <span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="FireEye APT28 January 2017"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> <span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="GRIZZLY STEPPE JAR"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="Sofacy DealersChoice"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> <span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" 
target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> <span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p><p><a href="/versions/v9/groups/G0007">APT28</a> reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> In 2018, the US indicted five GRU Unit 26165 officers associated with <a href="/versions/v9/groups/G0007">APT28</a> for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> Some of these were 
conducted with the assistance of GRU Unit 74455, which is also referred to as <a href="/versions/v9/groups/G0034">Sandworm Team</a>. </p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>G0007 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Groups</span>: SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: Sébastien Ruel, CGI; Drew Church, Splunk; Emily Ratliff, IBM; Richard Gold, Digital Shadows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 3.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>19 April 2021 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G0007" href="/versions/v9/groups/G0007/" data-test-ignore="true">Version Permalink</a> </div> <div 
class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G0007" href="/groups/G0007/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Group Descriptions</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> SNAKEMACKEREL </td> <td> <p><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> Swallowtail </td> <td> <p><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> Group 74 </td> <td> <p><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> Sednit </td> <td> <p>This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. 
<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="FireEye APT28 January 2017"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> <span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Ars Technica GRU indictment Jul 2018"><sup><a href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> Sofacy </td> <td> <p>This designation has been used in reporting both to refer to the threat group and its associated malware. 
<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Ars Technica GRU indictment Jul 2018"><sup><a href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> Pawn Storm </td> <td> <p><span onclick=scrollToRef('scite-6') 
id="scite-ref-6-a" class="scite-citeref-number" data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </p> </td> </tr> <tr> <td> Fancy Bear </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> <span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Ars Technica GRU 
indictment Jul 2018"><sup><a href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> STRONTIUM </td> <td> <p><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="Microsoft STRONTIUM Aug 2019"><sup><a 
href="https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> <span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </p> </td> </tr> <tr> <td> Tsar Team </td> <td> <p><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> Threat Group-4127 </td> <td> <p><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" 
data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> TG-4127 </td> <td> <p><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> </tbody> </table> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v9/groups/G0007/G0007-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/versions/v9/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v9/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G0007/G0007-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> 
<!--start-indexing-for-search--> <h2 class="pt-3" id="techniques">Techniques Used</h2> <table class="table techniques-used table-bordered mt-2"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent" id="uses-T1134-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1134">T1134</a> </td> <td> <a href="/versions/v9/techniques/T1134/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/001">Token Impersonation/Theft</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" data-reference="FireEye Op RussianDoll"><sup><a href="https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1583-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1583">T1583</a> </td> <td> <a href="/versions/v9/techniques/T1583/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v9/techniques/T1583/001">Domains</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> registered domains imitating NATO, OSCE security websites, Caucasus information resources and other organizations.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> <span 
onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1595-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1595">T1595</a> </td> <td> <a href="/versions/v9/techniques/T1595/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1595">Active Scanning</a>: <a href="/versions/v9/techniques/T1595/002">Vulnerability Scanning</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has performed large-scale scans in an attempt to find vulnerable servers.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm 2019"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1071-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1071">T1071</a> </td> <td> <a href="/versions/v9/techniques/T1071/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a> </td> <td> <p>Later implants used by <a href="/versions/v9/groups/G0007">APT28</a>, such as <a href="/versions/v9/software/S0023">CHOPSTICK</a>, use a blend of HTTP and other legitimate channels for C2, depending on module configuration.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> 
</tr> <tr class="sub technique" id="uses-T1071-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1071/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1560"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1560">T1560</a> </td> <td> <a href="/versions/v9/techniques/T1560">Archive Collected Data</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1119"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1119">T1119</a> </td> <td> <a href="/versions/v9/techniques/T1119">Automated Collection</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a 
href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1547-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v9/techniques/T1547/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has deployed malware that has copied itself to the startup directory for persistence.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1037-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1037">T1037</a> </td> <td> <a href="/versions/v9/techniques/T1037/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1037">Boot or Logon Initialization Scripts</a>: <a href="/versions/v9/techniques/T1037/001">Logon Script (Windows)</a> </td> <td> <p>An <a href="/versions/v9/groups/G0007">APT28</a> loader Trojan adds the Registry key <code>HKCU\Environment\UserInitMprLogonScript</code> to establish persistence.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1110"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1110">T1110</a> </td> <td> <a 
href="/versions/v9/techniques/T1110">Brute Force</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> can perform brute-force attacks to obtain credentials.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm 2019"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="Microsoft Targeting Elections September 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1110-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1110/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1110/001">Password Guessing</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank" data-hasqtip="20" 
aria-describedby="qtip-20">[21]</a></sup></span> </p> </td> </tr> <tr class="sub technique" id="uses-T1110-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1110/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1110/003">Password Spraying</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="Microsoft Targeting Elections September 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1059-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v9/techniques/T1059/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> downloads and executes PowerShell scripts and performs PowerShell commands.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" 
target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1059-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1059/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p>An <a href="/versions/v9/groups/G0007">APT28</a> loader Trojan uses a cmd.exe and batch script to run its payload.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> The group has also used macros to execute payloads.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a 
href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1092"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1092">T1092</a> </td> <td> <a href="/versions/v9/techniques/T1092">Communication Through Removable Media</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1213-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1213">T1213</a> </td> <td> <a href="/versions/v9/techniques/T1213/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1213">Data from Information Repositories</a>: <a href="/versions/v9/techniques/T1213/002">Sharepoint</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has collected information from Microsoft SharePoint services within target networks.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" data-reference="RSAC 2015 Abu 
Dhabi Stefano Maccaglia"><sup><a href="https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1005"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1005">T1005</a> </td> <td> <a href="/versions/v9/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has retrieved internal documents from machines inside victim environments, including by using <a href="/versions/v9/software/S0193">Forfiles</a> to stage documents before exfiltration.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" data-reference="Überwachung APT28 Forfiles June 2015"><sup><a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm 2019"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1025"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1025">T1025</a> </td> <td> <a href="/versions/v9/techniques/T1025">Data from Removable Media</a> </td> <td> <p>An <a 
href="/versions/v9/groups/G0007">APT28</a> backdoor may collect the entire contents of an inserted USB device.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1001-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1001">T1001</a> </td> <td> <a href="/versions/v9/techniques/T1001/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1001">Data Obfuscation</a>: <a href="/versions/v9/techniques/T1001/001">Junk Data</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1074-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1074">T1074</a> </td> <td> <a href="/versions/v9/techniques/T1074/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1074">Data Staged</a>: <a href="/versions/v9/techniques/T1074/001">Local Data Staging</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has stored captured credential information in a file named pi.log.<span onclick=scrollToRef('scite-27') 
id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1140"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1140">T1140</a> </td> <td> <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p>An <a href="/versions/v9/groups/G0007">APT28</a> macro uses the command <code>certutil -decode</code> to decode contents of a .txt file storing the base64 encoded payload.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1114-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1114">T1114</a> </td> <td> <a href="/versions/v9/techniques/T1114/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1114">Email Collection</a>: <a href="/versions/v9/techniques/T1114/002">Remote Email Collection</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has collected emails from victim Microsoft Exchange servers.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 
2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1573-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1573">T1573</a> </td> <td> <a href="/versions/v9/techniques/T1573/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> installed a Delphi backdoor that used a custom algorithm for C2 communications.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1546-015"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v9/techniques/T1546/015">.015</a> </td> <td> <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/015">Component Object Model Hijacking</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used COM hijacking for persistence by replacing the legitimate <code>MMDeviceEnumerator</code> object with a payload.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" data-reference="ESET Sednit Part 1"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" 
target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1567"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1567">T1567</a> </td> <td> <a href="/versions/v9/techniques/T1567">Exfiltration Over Web Service</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> can exfiltrate data over Google Drive.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </p> </td> </tr> <tr class="technique" id="uses-T1190"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1190">T1190</a> </td> <td> <a href="/versions/v9/techniques/T1190">Exploit Public-Facing Application</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has conducted SQL injection attacks against organizations' external websites.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </p> </td> </tr> <tr class="technique" id="uses-T1203"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1203">T1203</a> </td> <td> <a href="/versions/v9/techniques/T1203">Exploitation for Client Execution</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" 
target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1211"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1211">T1211</a> </td> <td> <a href="/versions/v9/techniques/T1211">Exploitation for Defense Evasion</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used CVE-2015-4902 to bypass security features.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1068"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1068">T1068</a> </td> <td> <a href="/versions/v9/techniques/T1068">Exploitation for Privilege Escalation</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-27') 
id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1210"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1210">T1210</a> </td> <td> <a href="/versions/v9/techniques/T1210">Exploitation of Remote Services</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> exploited a Windows SMB remote code execution vulnerability (addressed by MS17-010) to conduct lateral movement.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" data-reference="FireEye APT28 Hospitality Aug 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" data-reference="MS17-010 March 2017"><sup><a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1083"> <td> 
Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1083">T1083</a> </td> <td> <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used <a href="/versions/v9/software/S0193">Forfiles</a> to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" data-reference="Überwachung APT28 Forfiles June 2015"><sup><a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1589-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1589">T1589</a> </td> <td> <a href="/versions/v9/techniques/T1589/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1589">Gather Victim Identity Information</a>: <a href="/versions/v9/techniques/T1589/001">Credentials</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has harvested users' login credentials.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="Microsoft Targeting Elections September 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1564-001"> <td> Enterprise </td> <td> <a 
href="/versions/v9/techniques/T1564">T1564</a> </td> <td> <a href="/versions/v9/techniques/T1564/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v9/techniques/T1564/001">Hidden Files and Directories</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has saved files with hidden file attributes.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1564-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1564/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v9/techniques/T1564/003">Hidden Window</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used the <code>WindowStyle</code> parameter to conceal <a href="/versions/v9/techniques/T1059/001">PowerShell</a> windows.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" data-reference="McAfee APT28 DDE1 Nov 2017"><sup><a 
href="https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1070-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v9/techniques/T1070/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/001">Clear Windows Event Logs</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has cleared event logs, including by using the commands <code>wevtutil cl System</code> and <code>wevtutil cl Security</code>.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1070-004"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1070/004">.004</a> </td> <td> <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has intentionally deleted files to cover their tracks, including by using the program CCleaner.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" 
target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1070-006"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1070/006">.006</a> </td> <td> <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/006">Timestomp</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has performed timestomping on victim files.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1105"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a 
href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent" id="uses-T1056-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1056">T1056</a> </td> <td> <a href="/versions/v9/techniques/T1056/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used tools to perform keylogging.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub 
technique noparent" id="uses-T1559-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1559">T1559</a> </td> <td> <a href="/versions/v9/techniques/T1559/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1559">Inter-Process Communication</a>: <a href="/versions/v9/techniques/T1559/002">Dynamic Data Exchange</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has delivered <a href="/versions/v9/software/S0044">JHUHUGIT</a> and <a href="/versions/v9/software/S0250">Koadic</a> by executing PowerShell commands through DDE in Word documents.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" data-reference="McAfee APT28 DDE1 Nov 2017"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" data-reference="McAfee APT28 DDE2 Nov 2017"><sup><a href="http://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1498"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1498">T1498</a> </td> <td> <a href="/versions/v9/techniques/T1498">Network Denial of Service</a> </td> <td> <p>In 2016, <a href="/versions/v9/groups/G0007">APT28</a> conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" 
class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1040"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1040">T1040</a> </td> <td> <a href="/versions/v9/techniques/T1040">Network Sniffing</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" data-reference="FireEye APT28 Hospitality Aug 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span> <a href="/versions/v9/groups/G0007">APT28</a> close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1027"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a> </td> 
<td> <p><a href="/versions/v9/groups/G0007">APT28</a> encrypted a .dll payload using RTL and a custom encryption algorithm. <a href="/versions/v9/groups/G0007">APT28</a> has also obfuscated payloads with base64, XOR, and RC4.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1137-002"> 
<td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1137">T1137</a> </td> <td> <a href="/versions/v9/techniques/T1137/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1137">Office Application Startup</a>: <a href="/versions/v9/techniques/T1137/002">Office Test</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key <code>HKCU\Software\Microsoft\Office test\Special\Perf</code> to execute code.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" data-reference="Palo Alto Office Test Sofacy"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1003"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1003">T1003</a> </td> <td> <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> regularly deploys both publicly available (ex: <a href="/versions/v9/software/S0002">Mimikatz</a>) and custom password retrieval tools on victims.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US 
District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </p> </td> </tr> <tr class="sub technique" id="uses-T1003-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1003/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> regularly deploys both publicly available (ex: <a href="/versions/v9/software/S0002">Mimikatz</a>) and custom password retrieval tools on victims.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1120"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1120">T1120</a> </td> <td> <a href="/versions/v9/techniques/T1120">Peripheral Device Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> uses a module to receive a notification every time a USB mass storage device is inserted into a victim machine.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" 
id="uses-T1566-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1566">T1566</a> </td> <td> <a href="/versions/v9/techniques/T1566/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1566">Phishing</a>: <a href="/versions/v9/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> sent spearphishing emails containing malicious Microsoft Office and RAR attachments.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="Sofacy DealersChoice"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span 
onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1566-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1566/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1566">Phishing</a>: <a href="/versions/v9/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" 
aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1598"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1598">T1598</a> </td> <td> <a href="/versions/v9/techniques/T1598">Phishing for Information</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used spearphishing to compromise credentials.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="Microsoft Targeting Elections September 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1542-003"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1542">T1542</a> </td> <td> <a href="/versions/v9/techniques/T1542/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1542">Pre-OS Boot</a>: <a href="/versions/v9/techniques/T1542/003">Bootkit</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has deployed a bootkit along with <a href="/versions/v9/software/S0134">Downdelph</a> to ensure its persistence on the victim. 
The bootkit shares code with some variants of <a href="/versions/v9/software/S0089">BlackEnergy</a>.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1057"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1057">T1057</a> </td> <td> <a href="/versions/v9/techniques/T1057">Process Discovery</a> </td> <td> <p>An <a href="/versions/v9/groups/G0007">APT28</a> loader Trojan enumerates the victim's processes to find <code>explorer.exe</code> when its current process lacks the necessary permissions.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1090-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1090">T1090</a> </td> <td> <a href="/versions/v9/techniques/T1090/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1090">Proxy</a>: <a href="/versions/v9/techniques/T1090/002">External Proxy</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. 
<a href="/versions/v9/groups/G0007">APT28</a> has also used a machine to relay and obscure communications between <a href="/versions/v9/software/S0023">CHOPSTICK</a> and their server.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1090-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1090/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1090">Proxy</a>: <a href="/versions/v9/techniques/T1090/003">Multi-hop Proxy</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has routed traffic over <a href="/versions/v9/software/S0183">Tor</a> and VPN servers to obfuscate their activities.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1091"> <td> Enterprise </td> <td 
colspan="2"> <a href="/versions/v9/techniques/T1091">T1091</a> </td> <td> <a href="/versions/v9/techniques/T1091">Replication Through Removable Media</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1014"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1014">T1014</a> </td> <td> <a href="/versions/v9/techniques/T1014">Rootkit</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used a UEFI (Unified Extensible Firmware Interface) rootkit known as <a href="/versions/v9/software/S0397">LoJax</a>.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="ESET LoJax Sept 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1113"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1113">T1113</a> </td> <td> <a href="/versions/v9/techniques/T1113">Screen Capture</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used tools to take 
screenshots from victims.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="XAgentOSX 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1218-011"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1218">T1218</a> </td> <td> <a href="/versions/v9/techniques/T1218/011">.011</a> </td> <td> <a href="/versions/v9/techniques/T1218">Signed Binary Proxy Execution</a>: <a href="/versions/v9/techniques/T1218/011">Rundll32</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> executed <a href="/versions/v9/software/S0023">CHOPSTICK</a> by using rundll32 commands such as <code>rundll32.exe "C:\Windows\twain_64.dll"</code>. <a href="/versions/v9/groups/G0007">APT28</a> also executed a .dll for a first stage dropper using rundll32.exe. 
An <a href="/versions/v9/groups/G0007">APT28</a> loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1528"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1528">T1528</a> </td> <td> <a href="/versions/v9/techniques/T1528">Steal Application Access Token</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used 
several malicious applications to steal user OAuth access tokens, including applications masquerading as "Google Defender," "Google Email Protection," and "Google Scanner" for Gmail users. They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection".<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" data-reference="Trend Micro Pawn Storm OAuth 2017"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1221"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1221">T1221</a> </td> <td> <a href="/versions/v9/techniques/T1221">Template Injection</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. 
<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="Unit42 Sofacy Dec 2018"><sup><a href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1199"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1199">T1199</a> </td> <td> <a href="/versions/v9/techniques/T1199">Trusted Relationship</a> </td> <td> <p>Once <a href="/versions/v9/groups/G0007">APT28</a> gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1550-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1550">T1550</a> </td> <td> <a href="/versions/v9/techniques/T1550/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/001">Application Access Token</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" data-reference="Trend Micro Pawn Storm OAuth 2017"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1550-002"> <td></td> 
<td></td> <td> <a href="/versions/v9/techniques/T1550/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/002">Pass the Hash</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used pass the hash for lateral movement.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1204-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v9/techniques/T1204/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1204">User Execution</a>: <a href="/versions/v9/techniques/T1204/001">Malicious Link</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1204-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1204/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1204">User Execution</a>: <a href="/versions/v9/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.<span onclick=scrollToRef('scite-30') 
id="scite-ref-30-a" class="scite-citeref-number" data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1078"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1078">T1078</a> </td> <td> <a href="/versions/v9/techniques/T1078">Valid Accounts</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to log in to the DCCC network. 
The group has also leveraged default manufacturer passwords to gain initial access to corporate networks via IoT devices such as a VoIP phone, printer, and video decoder.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" data-reference="Trend Micro Pawn Storm April 2017"><sup><a href="https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="Microsoft STRONTIUM Aug 2019"><sup><a href="https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1102-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1102">T1102</a> </td> <td> <a href="/versions/v9/techniques/T1102/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1102">Web Service</a>: <a href="/versions/v9/techniques/T1102/002">Bidirectional Communication</a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> has used Google Drive for C2.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="software">Software</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th 
scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/software/S0045">S0045</a> </td> <td> <a href="/versions/v9/software/S0045">ADVSTORESHELL</a> </td> <td> <span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v9/techniques/T1560/003">Archive via Custom Method</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1043">Commonly Used Port</a>, <a href="/versions/v9/techniques/T1132">Data Encoding</a>: <a href="/versions/v9/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v9/techniques/T1074">Data Staged</a>: <a href="/versions/v9/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a 
href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/015">Component Object Model Hijacking</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1112">Modify Registry</a>, <a href="/versions/v9/techniques/T1106">Native API</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1120">Peripheral Device Discovery</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1012">Query Registry</a>, <a href="/versions/v9/techniques/T1029">Scheduled Transfer</a>, <a href="/versions/v9/techniques/T1218">Signed Binary Proxy Execution</a>: <a href="/versions/v9/techniques/T1218/011">Rundll32</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0351">S0351</a> </td> <td> <a href="/versions/v9/software/S0351">Cannon</a> </td> <td> <span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="Unit42 Sofacy Dec 2018"><sup><a 
href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/004">Winlogon Helper DLL</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v9/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0160">S0160</a> </td> <td> <a href="/versions/v9/software/S0160">certutil</a> </td> <td> <span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1553">Subvert Trust Controls</a>: <a href="/versions/v9/techniques/T1553/004">Install Root Certificate</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0023">S0023</a> </td> <td> <a href="/versions/v9/software/S0023">CHOPSTICK</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" 
class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>, <a href="/versions/v9/techniques/T1092">Communication Through Removable Media</a>, <a href="/versions/v9/techniques/T1568">Dynamic Resolution</a>: <a href="/versions/v9/techniques/T1568/002">Domain Generation Algorithms</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1008">Fallback Channels</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a 
href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1112">Modify Registry</a>, <a href="/versions/v9/techniques/T1090">Proxy</a>: <a href="/versions/v9/techniques/T1090/001">Internal Proxy</a>, <a href="/versions/v9/techniques/T1012">Query Registry</a>, <a href="/versions/v9/techniques/T1091">Replication Through Removable Media</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1518">Software Discovery</a>: <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0137">S0137</a> </td> <td> <a href="/versions/v9/software/S0137">CORESHELL</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1132">Data Encoding</a>: <a href="/versions/v9/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1027">Obfuscated 
Files or Information</a>: <a href="/versions/v9/techniques/T1027/001">Binary Padding</a>, <a href="/versions/v9/techniques/T1218">Signed Binary Proxy Execution</a>: <a href="/versions/v9/techniques/T1218/011">Rundll32</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0243">S0243</a> </td> <td> <a href="/versions/v9/software/S0243">DealersChoice</a> </td> <td> <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="Sofacy DealersChoice"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1203">Exploitation for Client Execution</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0134">S0134</a> </td> <td> <a href="/versions/v9/software/S0134">Downdelph</a> </td> <td> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v9/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v9/techniques/T1001">Data Obfuscation</a>: <a href="/versions/v9/techniques/T1001/001">Junk Data</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a 
href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/001">DLL Search Order Hijacking</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0502">S0502</a> </td> <td> <a href="/versions/v9/software/S0502">Drovorub</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="NSA/FBI Drovorub August 2020"><sup><a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/006">Kernel Modules and Extensions</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/004">Unix Shell</a>, <a href="/versions/v9/techniques/T1005">Data from Local System</a>, <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1090">Proxy</a>: <a href="/versions/v9/techniques/T1090/001">Internal Proxy</a>, <a href="/versions/v9/techniques/T1014">Rootkit</a> </td> </tr> <tr> <td> <a 
href="/versions/v9/software/S0193">S0193</a> </td> <td> <a href="/versions/v9/software/S0193">Forfiles</a> </td> <td> <span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" data-reference="Überwachung APT28 Forfiles June 2015"><sup><a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1005">Data from Local System</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1202">Indirect Command Execution</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0410">S0410</a> </td> <td> <a href="/versions/v9/software/S0410">Fysbis</a> </td> <td> <span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" data-reference="Fysbis Palo Alto Analysis"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/013">XDG Autostart Entries</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/004">Unix Shell</a>, <a href="/versions/v9/techniques/T1043">Commonly Used Port</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/002">Systemd Service</a>, <a href="/versions/v9/techniques/T1132">Data Encoding</a>: <a href="/versions/v9/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a 
href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0135">S0135</a> </td> <td> <a href="/versions/v9/software/S0135">HIDEDRV</a> </td> <td> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v9/techniques/T1014">Rootkit</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0044">S0044</a> </td> <td> <a href="/versions/v9/software/S0044">JHUHUGIT</a> </td> <td> <span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="FireEye APT28 January 2017"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" 
data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1037">Boot or Logon Initialization Scripts</a>: <a href="/versions/v9/techniques/T1037/001">Logon Script (Windows)</a>, <a href="/versions/v9/techniques/T1115">Clipboard Data</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/003">Windows Service</a>, <a href="/versions/v9/techniques/T1132">Data Encoding</a>: <a href="/versions/v9/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/015">Component Object Model Hijacking</a>, <a href="/versions/v9/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/versions/v9/techniques/T1008">Fallback Channels</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a 
href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1218">Signed Binary Proxy Execution</a>: <a href="/versions/v9/techniques/T1218/011">Rundll32</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0250">S0250</a> </td> <td> <a href="/versions/v9/software/S0250">Koadic</a> </td> <td> <span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v9/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v9/techniques/T1115">Clipboard Data</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v9/techniques/T1005">Data from Local System</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a 
href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1046">Network Service Scanning</a>, <a href="/versions/v9/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/003">NTDS</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/versions/v9/techniques/T1218">Signed Binary Proxy Execution</a>: <a href="/versions/v9/techniques/T1218/011">Rundll32</a>, <a href="/versions/v9/techniques/T1218">Signed Binary Proxy Execution</a>: <a href="/versions/v9/techniques/T1218/005">Mshta</a>, <a href="/versions/v9/techniques/T1218">Signed Binary Proxy Execution</a>: <a href="/versions/v9/techniques/T1218/010">Regsvr32</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v9/techniques/T1569">System Services</a>: <a href="/versions/v9/techniques/T1569/002">Service Execution</a>, <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0162">S0162</a> </td> <td> <a href="/versions/v9/software/S0162">Komplex</a> </td> <td> <span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="XAgentOSX 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-45') 
id="scite-ref-45-a" class="scite-citeref-number" data-reference="Sofacy Komplex Trojan"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/001">Launch Agent</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v9/techniques/T1564/001">Hidden Files and Directories</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0397">S0397</a> </td> <td> <a href="/versions/v9/software/S0397">LoJax</a> </td> <td> <span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="ESET LoJax Sept 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v9/techniques/T1564/004">NTFS File Attributes</a>, <a href="/versions/v9/techniques/T1112">Modify Registry</a>, <a href="/versions/v9/techniques/T1542">Pre-OS Boot</a>: <a 
href="/versions/v9/techniques/T1542/001">System Firmware</a>, <a href="/versions/v9/techniques/T1014">Rootkit</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0002">S0002</a> </td> <td> <a href="/versions/v9/software/S0002">Mimikatz</a> </td> <td> <span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v9/techniques/T1098">Account Manipulation</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/004">Windows Credential Manager</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/006">DCSync</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v9/techniques/T1207">Rogue Domain Controller</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a 
href="/versions/v9/techniques/T1558/002">Silver Ticket</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/001">Golden Ticket</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/004">Private Keys</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/003">Pass the Ticket</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0138">S0138</a> </td> <td> <a href="/versions/v9/software/S0138">OLDBAIT</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0174">S0174</a> </td> <td> <a href="/versions/v9/software/S0174">Responder</a> </td> <td> <span onclick=scrollToRef('scite-33') 
id="scite-ref-33-a" class="scite-citeref-number" data-reference="FireEye APT28 Hospitality Aug 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1557">Man-in-the-Middle</a>: <a href="/versions/v9/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/versions/v9/techniques/T1040">Network Sniffing</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0136">S0136</a> </td> <td> <a href="/versions/v9/software/S0136">USBStealer</a> </td> <td> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1119">Automated Collection</a>, <a href="/versions/v9/techniques/T1020">Automated Exfiltration</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1092">Communication Through Removable Media</a>, <a href="/versions/v9/techniques/T1025">Data from Removable Media</a>, <a href="/versions/v9/techniques/T1074">Data Staged</a>: <a href="/versions/v9/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v9/techniques/T1052">Exfiltration Over Physical Medium</a>: <a href="/versions/v9/techniques/T1052/001">Exfiltration over USB</a>, <a 
href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/006">Timestomp</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1120">Peripheral Device Discovery</a>, <a href="/versions/v9/techniques/T1091">Replication Through Removable Media</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0191">S0191</a> </td> <td> <a href="/versions/v9/software/S0191">Winexe</a> </td> <td> <span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" data-reference="Überwachung APT28 Forfiles June 2015"><sup><a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1569">System Services</a>: <a href="/versions/v9/techniques/T1569/002">Service Execution</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0314">S0314</a> </td> <td> <a href="/versions/v9/software/S0314">X-Agent for Android</a> </td> <td> <span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" data-reference="CrowdStrike-Android"><sup><a href="https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1430">Location Tracking</a>, <a href="/versions/v9/techniques/T1444">Masquerade as Legitimate Application</a> </td> </tr> 
<tr> <td> <a href="/versions/v9/software/S0161">S0161</a> </td> <td> <a href="/versions/v9/software/S0161">XAgentOSX</a> </td> <td> <span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="XAgentOSX 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/002">File Transfer Protocols</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1106">Native API</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1033">System 
Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0117">S0117</a> </td> <td> <a href="/versions/v9/software/S0117">XTunnel</a> </td> <td> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1008">Fallback Channels</a>, <a href="/versions/v9/techniques/T1046">Network Service Scanning</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v9/techniques/T1027/001">Binary Padding</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1090">Proxy</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/001">Credentials In Files</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0251">S0251</a> </td> <td> <a 
href="/versions/v9/software/S0251">Zebrocy</a> </td> <td> <span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="Unit42 Sofacy Dec 2018"><sup><a href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v9/techniques/T1119">Automated 
Collection</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1037">Boot or Logon Initialization Scripts</a>: <a href="/versions/v9/techniques/T1037/001">Logon Script (Windows)</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1132">Data Encoding</a>: <a href="/versions/v9/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v9/techniques/T1074">Data Staged</a>: <a href="/versions/v9/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/004">Credential API Hooking</a>, <a href="/versions/v9/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v9/techniques/T1027/002">Software Packing</a>, <a href="/versions/v9/techniques/T1120">Peripheral Device Discovery</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1012">Query Registry</a>, 
<a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v9/techniques/T1124">System Time Discovery</a>, <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> </tbody> </table> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank"> NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.justice.gov/file/1080281/download" target="_blank"> Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank"> Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. 
</a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank"> Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank"> FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank"> SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" target="_blank"> FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" target="_blank"> Department of Homeland Security and Federal Bureau of Investigation. 
(2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank"> Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank"> Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank"> Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"> ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank"> Brady, S. (2018, October 3). 
Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank"> Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank"> Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. 
</a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank"> Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" target="_blank"> MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank"> Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html" target="_blank"> FireEye Labs. (2015, April 18). 
Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank"> Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="24.0"> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://pan-unit42.github.io/playbook_viewer/" target="_blank"> Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank"> Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank"> Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 
</a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank"> Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf" target="_blank"> Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank"> Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank"> Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 
</a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank"> Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank"> Smith, L., Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010" target="_blank"> Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/" target="_blank"> Sherstobitoff, R., Rea, M. (2017, November 7). 
Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="http://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html" target="_blank"> Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/" target="_blank"> Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" target="_blank"> ESET. (2018, September). LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019. 
</a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank"> Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" target="_blank"> Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank"> Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf" target="_blank"> Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" target="_blank"> Lee, B., Downs, R. (2016, February 12). 
A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/" target="_blank"> Creus, D., Halfpop, T., Falcone, R. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" target="_blank"> CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div 
class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&CK content version 9.0
Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?8409"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> <script src="/versions/v9/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v9/theme/scripts/settings.js"></script> <script src="/versions/v9/theme/scripts/tour/tour-relationships.js"></script> </body> </html>