More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/groups/">Groups</a></li> <li class="breadcrumb-item">APT28</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> APT28 </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v16/groups/G0007">APT28</a> is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020."data-reference="NSA/FBI Drovorub August 2020"><sup><a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). 
Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> This group has been active since at least 2004.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018."data-reference="Ars Technica GRU indictment Jul 2018"><sup><a href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. 
Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016."data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017."data-reference="FireEye APT28 January 2017"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017."data-reference="GRIZZLY STEPPE JAR"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. 
Retrieved June 4, 2018."data-reference="Sofacy DealersChoice"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018."data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p><p><a href="/versions/v16/groups/G0007">APT28</a> reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). 
Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016." data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" rel="noopener noreferrer" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> In 2018, the US indicted five GRU Unit 26165 officers associated with <a href="/versions/v16/groups/G0007">APT28</a> for cyber operations (including close-access operations, i.e., operations carried out in physical proximity to the target) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.<span onclick="scrollToRef('scite-14')" id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020." data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" rel="noopener noreferrer" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> Some of these operations were conducted with the assistance of GRU Unit 74455, which ATT&amp;CK tracks as a separate group, <a href="/versions/v16/groups/G0034">Sandworm Team</a>.
</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>G0007 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" role="img" aria-label="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting" title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Groups</span>: IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: Sébastien Ruel, CGI; Drew Church, Splunk; Emily Ratliff, IBM; Richard Gold, Digital Shadows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 5.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span><time datetime="2017-05-31">31 May 2017</time> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span><time datetime="2024-10-10">10 October 2024</time> </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G0007" href="/versions/v16/groups/G0007/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version 
of G0007" href="/groups/G0007/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Group Descriptions</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> IRON TWILIGHT </td> <td> <p><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-twilight" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> SNAKEMACKEREL </td> <td> <p><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> Swallowtail </td> <td> <p><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Symantec Security Response. (2018, October 04). 
APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018."data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> Group 74 </td> <td> <p><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> Sednit </td> <td> <p>This designation has been used in reporting both to refer to the threat group and its associated malware <a href="/versions/v16/software/S0044">JHUHUGIT</a>.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017."data-reference="FireEye APT28 January 2017"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. 
Retrieved August 3, 2016."data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015."data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018."data-reference="Ars Technica GRU indictment Jul 2018"><sup><a href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> Sofacy </td> <td> <p>This designation has been used in reporting both to refer to the threat group and its associated malware.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="SecureWorks Counter Threat Unit Threat Intelligence. 
(2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016."data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018."data-reference="Ars Technica GRU indictment Jul 2018"><sup><a href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. 
Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> Pawn Storm </td> <td> <p><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016."data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span> </p> </td> </tr> <tr> <td> Fancy Bear </td> <td> <p><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. 
Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015."data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018."data-reference="Ars Technica GRU indictment Jul 2018"><sup><a href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. 
Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018."data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018."data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> STRONTIUM </td> <td> <p><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. 
Retrieved December 10, 2015."data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019."data-reference="Microsoft STRONTIUM Aug 2019"><sup><a href="https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020."data-reference="Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. 
Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Tsar Team </td> <td> <p><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). &quot;Cyber Conflict&quot; Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). &quot;Cyber Conflict&quot; Decoy Document Used in Real Cyber Conflict. 
Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> Threat Group-4127 </td> <td> <p><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016."data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> TG-4127 </td> <td> <p><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016."data-reference="SecureWorks TG-4127"><sup><a href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> Forest Blizzard </td> <td> <p><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Microsoft . (2023, July 12). How Microsoft names threat actors. 
Retrieved November 17, 2023."data-reference="Microsoft Threat Actor Naming July 2023"><sup><a href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> FROZENLAKE </td> <td> <p><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v16/groups/G0007/G0007-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/versions/v16/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v16/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G0007/G0007-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = 
"https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1134">T1134</a> </td> <td> <a href="/versions/v16/techniques/T1134/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v16/techniques/T1134/001">Token Impersonation/Theft</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. 
Retrieved April 24, 2017."data-reference="FireEye Op RussianDoll"><sup><a href="https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1098">T1098</a> </td> <td> <a href="/versions/v16/techniques/T1098/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1098">Account Manipulation</a>: <a href="/versions/v16/techniques/T1098/002">Additional Email Delegate Permissions</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used a PowerShell cmdlet to grant the Exchange <code>ApplicationImpersonation</code> role to a compromised account, allowing that account to access and act on other users' mailboxes on their behalf. Grants of this role are uncommon in routine administration, so new assignments of it are worth alerting on.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1583">T1583</a> </td> <td> <a href="/versions/v16/techniques/T1583/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v16/techniques/T1583/001">Domains</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). 
APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022."data-reference="Google TAG Ukraine Threat Landscape March 2022"><sup><a href="https://blog.google/threat-analysis-group/update-threat-landscape-ukraine" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1583/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v16/techniques/T1583/003">Virtual Private Server</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> hosted phishing domains on free services for brief periods of time during campaigns.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. 
Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1583/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v16/techniques/T1583/006">Web Services</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used newly-created Blogspot pages for credential harvesting operations.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022."data-reference="Google TAG Ukraine Threat Landscape March 2022"><sup><a href="https://blog.google/threat-analysis-group/update-threat-landscape-ukraine" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1595">T1595</a> </td> <td> <a href="/versions/v16/techniques/T1595/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1595">Active Scanning</a>: <a href="/versions/v16/techniques/T1595/002">Vulnerability Scanning</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has performed large-scale scans in an attempt to find vulnerable servers.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. 
Retrieved December 29, 2020."data-reference="TrendMicro Pawn Storm 2019"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1557">T1557</a> </td> <td> <a href="/versions/v16/techniques/T1557/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/versions/v16/techniques/T1557/004">Evil Twin</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used a Wi-Fi Pineapple to set up evil twin attacks (rogue access points that impersonate a legitimate Wi-Fi network so that victims connect through adversary-controlled hardware) for the purposes of capturing victim credentials or planting espionage-oriented malware. Because the rogue access point must be within radio range of the victim, this is a close-access technique rather than a remote one.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1071">T1071</a> </td> <td> <a href="/versions/v16/techniques/T1071/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a> </td> <td> <p>Later implants used by <a href="/versions/v16/groups/G0007">APT28</a>, such as <a href="/versions/v16/software/S0023">CHOPSTICK</a>, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). 
APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1071/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/003">Mail Protocols</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used IMAP, POP3, and SMTP as a command-and-control channel in various implants, initially through self-registered Google Mail accounts and later through compromised email servers belonging to its victims. In the latter case the C2 traffic is directed at mail infrastructure the victim already uses, so it blends in with ordinary mail flows rather than standing out as a connection to an unknown external host.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. 
(2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1560">T1560</a> </td> <td> <a href="/versions/v16/techniques/T1560">Archive Collected Data</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1560/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1560/001">Archive via Utility</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used a variety of utilities, including WinRAR, to archive collected data with password protection.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1119">T1119</a> </td> <td> <a href="/versions/v16/techniques/T1119">Automated Collection</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v16/techniques/T1547/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has deployed malware that has copied itself to the startup directory for persistence.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. 
Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1037">T1037</a> </td> <td> <a href="/versions/v16/techniques/T1037/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1037">Boot or Logon Initialization Scripts</a>: <a href="/versions/v16/techniques/T1037/001">Logon Script (Windows)</a> </td> <td> <p>An <a href="/versions/v16/groups/G0007">APT28</a> loader Trojan adds the Registry value <code>HKCU\Environment\UserInitMprLogonScript</code>, which Windows executes as a logon script each time the user signs in, to establish persistence. Because the value lives under <code>HKCU</code>, no administrative privileges are needed to set it; creation or modification of this value is rare in normal operation and is a high-signal detection opportunity.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017."data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1110">T1110</a> </td> <td> <a href="/versions/v16/techniques/T1110">Brute Force</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> can perform brute force attacks to obtain credentials.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. 
Retrieved December 29, 2020."data-reference="TrendMicro Pawn Storm 2019"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021."data-reference="Microsoft Targeting Elections September 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1110/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1110/001">Password Guessing</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour against each targeted account, sustained over several hours or days. That volume is high enough that account-lockout policies and per-account failed-logon alerting should catch it.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. 
Retrieved September 11, 2020."data-reference="Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> <a href="/versions/v16/groups/G0007">APT28</a> has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks, spreading attempts across many source addresses so that blocking individual IPs is unlikely to be sufficient on its own.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1110/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1110/003">Password Spraying</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour against each targeted account, sustained over several days or weeks. That rate is low enough to stay beneath typical account-lockout thresholds, so detection depends on correlating failed logons across many accounts (and across source addresses) rather than on per-account counters.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. 
Retrieved September 11, 2020."data-reference="Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021."data-reference="Microsoft Targeting Elections September 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span> <a href="/versions/v16/groups/G0007">APT28</a> has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v16/techniques/T1059/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> downloads and executes PowerShell scripts and performs PowerShell commands.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p>An <a href="/versions/v16/groups/G0007">APT28</a> loader Trojan uses <code>cmd.exe</code> and a batch script to run its payload.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017."data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span> The group has also used macros embedded in decoy documents to execute payloads; a document-hosting process spawning <code>cmd.exe</code> is a useful detection indicator for this chain.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). &quot;Cyber Conflict&quot; Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. 
Retrieved November 26, 2018."data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1092">T1092</a> </td> <td> <a href="/versions/v16/techniques/T1092">Communication Through Removable Media</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. 
Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1586">T1586</a> </td> <td> <a href="/versions/v16/techniques/T1586/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1586">Compromise Accounts</a>: <a href="/versions/v16/techniques/T1586/002">Email Accounts</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used compromised email accounts to send credential phishing emails.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022."data-reference="Google TAG Ukraine Threat Landscape March 2022"><sup><a href="https://blog.google/threat-analysis-group/update-threat-landscape-ukraine" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1584">T1584</a> </td> <td> <a href="/versions/v16/techniques/T1584/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1584">Compromise Infrastructure</a>: <a href="/versions/v16/techniques/T1584/008">Network Devices</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. 
Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1213">T1213</a> </td> <td> <a href="/versions/v16/techniques/T1213">Data from Information Repositories</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has collected files from various information repositories.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1213/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1213/002">Sharepoint</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has collected information from Microsoft SharePoint services within target networks.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. 
Retrieved April 4, 2018."data-reference="RSAC 2015 Abu Dhabi Stefano Maccaglia"><sup><a href="https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1005">T1005</a> </td> <td> <a href="/versions/v16/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has retrieved internal documents from machines inside victim environments, including by using <a href="/versions/v16/software/S0193">Forfiles</a> to stage documents before exfiltration.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018."data-reference="Überwachung APT28 Forfiles June 2015"><sup><a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Hacquebord, F. (n.d.). 
Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020."data-reference="TrendMicro Pawn Storm 2019"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1039">T1039</a> </td> <td> <a href="/versions/v16/techniques/T1039">Data from Network Shared Drive</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has collected files from network shared drives.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1025">T1025</a> </td> <td> <a href="/versions/v16/techniques/T1025">Data from Removable Media</a> </td> <td> <p>An <a href="/versions/v16/groups/G0007">APT28</a> backdoor may collect the entire contents of an inserted USB device.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1001">T1001</a> </td> <td> <a href="/versions/v16/techniques/T1001/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1001">Data Obfuscation</a>: <a href="/versions/v16/techniques/T1001/001">Junk Data</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). 
APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1074">T1074</a> </td> <td> <a href="/versions/v16/techniques/T1074/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1074">Data Staged</a>: <a href="/versions/v16/techniques/T1074/001">Local Data Staging</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has stored captured credential information in a file named pi.log.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1074/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1074">Data Staged</a>: <a href="/versions/v16/techniques/T1074/002">Remote Data Staging</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has staged archives of collected data on a target's Outlook Web Access (OWA) server.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1030">T1030</a> </td> <td> <a href="/versions/v16/techniques/T1030">Data Transfer Size Limits</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has split archived exfiltration files into chunks smaller than 1MB.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1140">T1140</a> </td> <td> <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p>An <a href="/versions/v16/groups/G0007">APT28</a> macro uses the command <code>certutil -decode</code> to decode contents of a .txt file storing the base64 encoded payload.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. 
Retrieved March 15, 2018."data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1189">T1189</a> </td> <td> <a href="/versions/v16/techniques/T1189">Drive-by Compromise</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has compromised targets via strategic web compromise utilizing custom exploit kits.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> <a href="/versions/v16/groups/G0007">APT28</a> used reflected cross-site scripting (XSS) against government websites to redirect users to phishing webpages.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. 
Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1114">T1114</a> </td> <td> <a href="/versions/v16/techniques/T1114/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1114">Email Collection</a>: <a href="/versions/v16/techniques/T1114/002">Remote Email Collection</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has collected emails from victim Microsoft Exchange servers.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1573">T1573</a> </td> <td> <a href="/versions/v16/techniques/T1573/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> installed a Delphi backdoor that used a custom algorithm for C2 communications.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v16/techniques/T1546/015">.015</a> </td> <td> <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v16/techniques/T1546/015">Component Object Model Hijacking</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used COM hijacking for persistence by replacing the legitimate <code>MMDeviceEnumerator</code> object with a payload.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. 
Retrieved November 8, 2016."data-reference="ESET Sednit Part 1"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1048">T1048</a> </td> <td> <a href="/versions/v16/techniques/T1048/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/versions/v16/techniques/T1048/002">Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1567">T1567</a> </td> <td> <a href="/versions/v16/techniques/T1567">Exfiltration Over Web Service</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> can exfiltrate data over Google Drive.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1190">T1190</a> </td> <td> <a href="/versions/v16/techniques/T1190">Exploit Public-Facing Application</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used a variety of public exploits, including CVE-2020-0688 and CVE-2020-17144, to gain execution on vulnerable Microsoft Exchange servers; they have also conducted SQL injection attacks against external websites.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. 
Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1203">T1203</a> </td> <td> <a href="/versions/v16/techniques/T1203">Exploitation for Client Execution</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. 
Retrieved November 27, 2018."data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1211">T1211</a> </td> <td> <a href="/versions/v16/techniques/T1211">Exploitation for Defense Evasion</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used CVE-2015-4902 to bypass security features.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. 
Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1068">T1068</a> </td> <td> <a href="/versions/v16/techniques/T1068">Exploitation for Privilege Escalation</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, and CVE-2017-0263 to escalate privileges.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. 
Retrieved November 27, 2018."data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1210">T1210</a> </td> <td> <a href="/versions/v16/techniques/T1210">Exploitation of Remote Services</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017."data-reference="FireEye APT28 Hospitality Aug 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. 
Retrieved August 17, 2017."data-reference="MS17-010 March 2017"><sup><a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1133">T1133</a> </td> <td> <a href="/versions/v16/techniques/T1133">External Remote Services</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used <a href="/versions/v16/software/S0183">Tor</a> and a variety of commercial VPN services to route brute force authentication attempts.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1083">T1083</a> </td> <td> <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used <a href="/versions/v16/software/S0193">Forfiles</a> to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. 
Retrieved January 22, 2018."data-reference="Überwachung APT28 Forfiles June 2015"><sup><a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1589">T1589</a> </td> <td> <a href="/versions/v16/techniques/T1589/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1589">Gather Victim Identity Information</a>: <a href="/versions/v16/techniques/T1589/001">Credentials</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has harvested users' login credentials.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. 
Retrieved March 24, 2021."data-reference="Microsoft Targeting Elections September 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1564">T1564</a> </td> <td> <a href="/versions/v16/techniques/T1564/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/001">Hidden Files and Directories</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has saved files with hidden file attributes.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. 
Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/003">Hidden Window</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used the WindowStyle parameter to conceal <a href="/versions/v16/techniques/T1059/001">PowerShell</a> windows.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> <span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. 
Retrieved November 21, 2017."data-reference="McAfee APT28 DDE1 Nov 2017"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v16/techniques/T1070/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/001">Clear Windows Event Logs</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has cleared event logs, including by using the commands <code>wevtutil cl System</code> and <code>wevtutil cl Security</code>.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. 
Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Clearing a log is itself recorded: the Security log writes Event ID 1102 and the System log writes Event ID 104 when cleared, so these events, together with <code>wevtutil</code> process creations, should be forwarded off-host and alerted on, because the local copy is exactly what this technique destroys.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has intentionally deleted computer files to cover their tracks, including by using the CCleaner utility.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/006">Timestomp</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has performed timestomping on victim files.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. 
Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017."data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. 
Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1056">T1056</a> </td> <td> <a href="/versions/v16/techniques/T1056/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used tools to perform keylogging.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. 
Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1559">T1559</a> </td> <td> <a href="/versions/v16/techniques/T1559/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1559">Inter-Process Communication</a>: <a href="/versions/v16/techniques/T1559/002">Dynamic Data Exchange</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has delivered <a href="/versions/v16/software/S0044">JHUHUGIT</a> and <a href="/versions/v16/software/S0250">Koadic</a> by executing PowerShell commands through DDE in Word documents.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Sherstobitoff, R., Rea, M. (2017, November 7). 
Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017."data-reference="McAfee APT28 DDE1 Nov 2017"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017."data-reference="McAfee APT28 DDE2 Nov 2017"><sup><a href="http://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1036">T1036</a> </td> <td> <a href="/versions/v16/techniques/T1036">Masquerading</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has renamed the WinRAR utility to avoid detection.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Renaming does not alter the binary's hash or its PE version resources (e.g. <code>OriginalFilename</code>), so detections keyed on those rather than on the on-disk file name still apply.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Neither a changed extension nor a plausible file name changes file content, so compare the web-accessible directories of Exchange/OWA servers against a known-good file inventory and inspect outbound archives by content rather than by extension.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1498">T1498</a> </td> <td> <a href="/versions/v16/techniques/T1498">Network Denial of Service</a> </td> <td> <p>In 2016, <a href="/versions/v16/groups/G0007">APT28</a> conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. 
Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1040">T1040</a> </td> <td> <a href="/versions/v16/techniques/T1040">Network Sniffing</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> deployed the open source tool <a href="/versions/v16/software/S0174">Responder</a> to conduct NetBIOS Name Service (NBT-NS) poisoning, which captured usernames and hashed passwords (NetNTLM challenge-responses) that allowed access to legitimate credentials.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017."data-reference="FireEye APT28 Hospitality Aug 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span> This poisoning only works where hosts fall back to broadcast name resolution, so disabling NBT-NS (and LLMNR) and requiring SMB signing removes most of the attack surface; rogue responses can also be surfaced by periodically resolving deliberately nonexistent names and alerting on any answer. <a href="/versions/v16/groups/G0007">APT28</a> close-access teams have used Wi-Fi pineapples to intercept Wi-Fi traffic and user credentials.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. 
Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v16/techniques/T1027/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> encrypted a .dll payload using RTL and a custom encryption algorithm. <a href="/versions/v16/groups/G0007">APT28</a> has also obfuscated payloads with base64, XOR, and RC4.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018."data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. 
Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1588">T1588</a> </td> <td> <a href="/versions/v16/techniques/T1588/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1588">Obtain Capabilities</a>: <a href="/versions/v16/techniques/T1588/002">Tool</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has obtained and used open-source tools like <a href="/versions/v16/software/S0250">Koadic</a>, <a href="/versions/v16/software/S0002">Mimikatz</a>, and <a href="/versions/v16/software/S0174">Responder</a>.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. 
Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018."data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017."data-reference="FireEye APT28 Hospitality Aug 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1137">T1137</a> </td> <td> <a href="/versions/v16/techniques/T1137/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1137">Office Application Startup</a>: <a href="/versions/v16/techniques/T1137/002">Office Test</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key <code>HKCU\Software\Microsoft\Office test\Special\Perf</code> to execute code.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. 
Retrieved July 3, 2017."data-reference="Palo Alto Office Test Sofacy"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1003">T1003</a> </td> <td> <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> regularly deploys both publicly available (ex: <a href="/versions/v16/software/S0002">Mimikatz</a>) and custom password retrieval tools on victims.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016."data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. 
Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> regularly deploys both publicly available (ex: <a href="/versions/v16/software/S0002">Mimikatz</a>) and custom password retrieval tools on victims.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016."data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> They have also dumped the LSASS process memory using the MiniDump function.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Dumping LSASS requires <code>SeDebugPrivilege</code> (local administrator or SYSTEM); LSA Protection (RunAsPPL) and Credential Guard block or limit what such a dump yields, and handle-open or dump-write access to <code>lsass.exe</code> (e.g. Sysmon Event ID 10) is a high-fidelity detection signal.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1003/003">NTDS</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used the <code>ntdsutil.exe</code> utility to export the Active Directory database (<code>ntds.dit</code>) for credential access.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> This requires privileged access to a domain controller, and the exported database must be combined with the SYSTEM registry hive (boot key) before the stored hashes can be decrypted; <code>ntdsutil</code> invocations on domain controllers outside scheduled backup activity are rare and worth alerting on.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1120">T1120</a> </td> <td> <a href="/versions/v16/techniques/T1120">Peripheral Device Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> uses a module to receive a notification every time a USB mass storage device is inserted into a victim host.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. 
Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1566">T1566</a> </td> <td> <a href="/versions/v16/techniques/T1566/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> sent spearphishing emails containing malicious Microsoft Office and RAR attachments.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018."data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018."data-reference="Sofacy DealersChoice"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. 
Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018."data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. 
Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1598">T1598</a> </td> <td> <a href="/versions/v16/techniques/T1598">Phishing for Information</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used spearphishing to compromise credentials.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021."data-reference="Microsoft Targeting Elections September 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1598/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1598/003">Spearphishing Link</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has conducted credential phishing campaigns with links that redirect to credential harvesting sites.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022."data-reference="Google TAG Ukraine Threat Landscape March 2022"><sup><a href="https://blog.google/threat-analysis-group/update-threat-landscape-ukraine" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). 
Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1542">T1542</a> </td> <td> <a href="/versions/v16/techniques/T1542/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1542">Pre-OS Boot</a>: <a href="/versions/v16/techniques/T1542/003">Bootkit</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has deployed a bootkit along with <a href="/versions/v16/software/S0134">Downdelph</a> to ensure its persistence on the victim. The bootkit shares code with some variants of <a href="/versions/v16/software/S0089">BlackEnergy</a>.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. 
Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1057">T1057</a> </td> <td> <a href="/versions/v16/techniques/T1057">Process Discovery</a> </td> <td> <p>An <a href="/versions/v16/groups/G0007">APT28</a> loader Trojan will enumerate the victim's processes, searching for explorer.exe, if its current process does not have the necessary permissions.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017."data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1090">T1090</a> </td> <td> <a href="/versions/v16/techniques/T1090/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1090">Proxy</a>: <a href="/versions/v16/techniques/T1090/002">External Proxy</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. <a href="/versions/v16/groups/G0007">APT28</a> has also used a machine to relay and obscure communications between <a href="/versions/v16/software/S0023">CHOPSTICK</a> and their server.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). 
APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1090/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1090">Proxy</a>: <a href="/versions/v16/techniques/T1090/003">Multi-hop Proxy</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has routed traffic over <a href="/versions/v16/software/S0183">Tor</a> and VPN servers to obfuscate their activities.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. 
Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1021">T1021</a> </td> <td> <a href="/versions/v16/techniques/T1021/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has mapped network drives using <a href="/versions/v16/software/S0039">Net</a> and administrator credentials.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1091">T1091</a> </td> <td> <a href="/versions/v16/techniques/T1091">Replication Through Removable Media</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. 
Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1014">T1014</a> </td> <td> <a href="/versions/v16/techniques/T1014">Rootkit</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used a UEFI (Unified Extensible Firmware Interface) rootkit known as <a href="/versions/v16/software/S0397">LoJax</a>.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018."data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. 
Retrieved July 2, 2019."data-reference="ESET LoJax Sept 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1113">T1113</a> </td> <td> <a href="/versions/v16/techniques/T1113">Screen Capture</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used tools to take screenshots from victims.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016."data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017."data-reference="XAgentOSX 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1505">T1505</a> </td> <td> <a href="/versions/v16/techniques/T1505/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1505">Server Software Component</a>: <a href="/versions/v16/techniques/T1505/003">Web Shell</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1528">T1528</a> </td> <td> <a href="/versions/v16/techniques/T1528">Steal Application Access Token</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used several malicious applications to steal user OAuth access tokens, including applications masquerading as "Google Defender," "Google Email Protection," and "Google Scanner" for Gmail users. 
They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection".<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019."data-reference="Trend Micro Pawn Storm OAuth 2017"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1218">T1218</a> </td> <td> <a href="/versions/v16/techniques/T1218/011">.011</a> </td> <td> <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> executed <a href="/versions/v16/software/S0023">CHOPSTICK</a> by using rundll32 commands such as <code>rundll32.exe "C:\Windows\twain_64.dll"</code>. <a href="/versions/v16/groups/G0007">APT28</a> also executed a .dll for a first stage dropper using rundll32.exe. An <a href="/versions/v16/groups/G0007">APT28</a> loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. 
Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017."data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. 
(2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1221">T1221</a> </td> <td> <a href="/versions/v16/techniques/T1221">Template Injection</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. <span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019."data-reference="Unit42 Sofacy Dec 2018"><sup><a href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1199">T1199</a> </td> <td> <a href="/versions/v16/techniques/T1199">Trusted Relationship</a> </td> <td> <p>Once <a href="/versions/v16/groups/G0007">APT28</a> gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. 
Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1550">T1550</a> </td> <td> <a href="/versions/v16/techniques/T1550/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v16/techniques/T1550/001">Application Access Token</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019."data-reference="Trend Micro Pawn Storm OAuth 2017"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1550/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v16/techniques/T1550/002">Pass the Hash</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used pass the hash for lateral movement.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. 
Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v16/techniques/T1204/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/001">Malicious Link</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1204/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018."data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1078">T1078</a> </td> <td> <a href="/versions/v16/techniques/T1078">Valid Accounts</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to log in to the DCCC network. The group has also leveraged default manufacturer passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Hacquebord, F.. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017."data-reference="Trend Micro Pawn Storm April 2017"><sup><a href="https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><sup><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. 
Retrieved August 16, 2019."data-reference="Microsoft STRONTIUM Aug 2019"><sup><a href="https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1078/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1078/004">Cloud Accounts</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1102">T1102</a> </td> <td> <a href="/versions/v16/techniques/T1102/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1102">Web Service</a>: <a href="/versions/v16/techniques/T1102/002">Bidirectional Communication</a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used Google Drive for C2.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/software/S0045">S0045</a> </td> <td> <a href="/versions/v16/software/S0045">ADVSTORESHELL</a> </td> <td> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. 
Retrieved December 10, 2015."data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018."data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v16/techniques/T1560/003">Archive via Custom Method</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v16/techniques/T1074">Data Staged</a>: <a href="/versions/v16/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a>: <a 
href="/versions/v16/techniques/T1546/015">Component Object Model Hijacking</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1120">Peripheral Device Discovery</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1012">Query Registry</a>, <a href="/versions/v16/techniques/T1029">Scheduled Transfer</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0351">S0351</a> </td> <td> <a href="/versions/v16/software/S0351">Cannon</a> </td> <td> <span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018."data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. 
Retrieved April 19, 2019."data-reference="Unit42 Sofacy Dec 2018"><sup><a href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/004">Winlogon Helper DLL</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v16/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0160">S0160</a> </td> <td> <a href="/versions/v16/software/S0160">certutil</a> </td> <td> <span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018."data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v16/techniques/T1560/001">Archive via Utility</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1553">Subvert Trust Controls</a>: <a href="/versions/v16/techniques/T1553/004">Install Root Certificate</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0023">S0023</a> </td> <td> <a href="/versions/v16/software/S0023">CHOPSTICK</a> </td> <td> <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015."data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). 
A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018."data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>, <a href="/versions/v16/techniques/T1092">Communication Through Removable Media</a>, <a href="/versions/v16/techniques/T1568">Dynamic Resolution</a>: <a href="/versions/v16/techniques/T1568/002">Domain Generation Algorithms</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1008">Fallback Channels</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a 
href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/011">Fileless Storage</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>: <a href="/versions/v16/techniques/T1090/001">Internal Proxy</a>, <a href="/versions/v16/techniques/T1012">Query Registry</a>, <a href="/versions/v16/techniques/T1091">Replication Through Removable Media</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1518">Software Discovery</a>: <a href="/versions/v16/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v16/techniques/T1497">Virtualization/Sandbox Evasion</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0137">S0137</a> </td> <td> <a href="/versions/v16/software/S0137">CORESHELL</a> </td> <td> <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/001">Binary Padding</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0243">S0243</a> </td> <td> <a href="/versions/v16/software/S0243">DealersChoice</a> </td> <td> <span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. 
Retrieved June 4, 2018."data-reference="Sofacy DealersChoice"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1203">Exploitation for Client Execution</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0134">S0134</a> </td> <td> <a href="/versions/v16/software/S0134">Downdelph</a> </td> <td> <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v16/techniques/T1001">Data Obfuscation</a>: <a href="/versions/v16/techniques/T1001/001">Junk Data</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v16/techniques/T1574/001">DLL Search Order Hijacking</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0502">S0502</a> </td> <td> <a href="/versions/v16/software/S0502">Drovorub</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. 
Retrieved August 25, 2020."data-reference="NSA/FBI Drovorub August 2020"><sup><a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/006">Kernel Modules and Extensions</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/004">Unix Shell</a>, <a href="/versions/v16/techniques/T1005">Data from Local System</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>: <a href="/versions/v16/techniques/T1090/001">Internal Proxy</a>, <a href="/versions/v16/techniques/T1014">Rootkit</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0193">S0193</a> </td> <td> <a href="/versions/v16/software/S0193">Forfiles</a> </td> <td> <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. 
Retrieved January 22, 2018."data-reference="Überwachung APT28 Forfiles June 2015"><sup><a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1005">Data from Local System</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1202">Indirect Command Execution</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0410">S0410</a> </td> <td> <a href="/versions/v16/software/S0410">Fysbis</a> </td> <td> <span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017."data-reference="Fysbis Palo Alto Analysis"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/013">XDG Autostart Entries</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/004">Unix Shell</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/002">Systemd Service</a>, <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a 
href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0135">S0135</a> </td> <td> <a href="/versions/v16/software/S0135">HIDEDRV</a> </td> <td> <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1055">Process Injection</a>: <a href="/versions/v16/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v16/techniques/T1014">Rootkit</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0044">S0044</a> </td> <td> <a href="/versions/v16/software/S0044">JHUHUGIT</a> </td> <td> <span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. 
Retrieved January 11, 2017."data-reference="FireEye APT28 January 2017"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015."data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018."data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1037">Boot or Logon Initialization Scripts</a>: <a href="/versions/v16/techniques/T1037/001">Logon Script (Windows)</a>, <a href="/versions/v16/techniques/T1115">Clipboard Data</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a>, <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v16/techniques/T1546/015">Component Object Model Hijacking</a>, <a href="/versions/v16/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/versions/v16/techniques/T1008">Fallback Channels</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1055">Process 
Injection</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0250">S0250</a> </td> <td> <a href="/versions/v16/software/S0250">Koadic</a> </td> <td> <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1115">Clipboard Data</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a 
href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1005">Data from Local System</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/003">Hidden Window</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1046">Network Service Discovery</a>, <a href="/versions/v16/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/003">NTDS</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>: <a href="/versions/v16/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/005">Mshta</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/010">Regsvr32</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a>, 
<a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0162">S0162</a> </td> <td> <a href="/versions/v16/software/S0162">Komplex</a> </td> <td> <span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017."data-reference="XAgentOSX 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017."data-reference="Sofacy Komplex Trojan"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/001">Launch Agent</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/001">Hidden Files and Directories</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0397">S0397</a> </td> <td> <a href="/versions/v16/software/S0397">LoJax</a> </td> <td> <span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. 
Retrieved July 2, 2019."data-reference="ESET LoJax Sept 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/004">NTFS File Attributes</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1542">Pre-OS Boot</a>: <a href="/versions/v16/techniques/T1542/001">System Firmware</a>, <a href="/versions/v16/techniques/T1014">Rootkit</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0002">S0002</a> </td> <td> <a href="/versions/v16/software/S0002">Mimikatz</a> </td> <td> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. 
Retrieved December 10, 2015."data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v16/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v16/techniques/T1098">Account Manipulation</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/004">Windows Credential Manager</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/006">DCSync</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v16/techniques/T1207">Rogue Domain Controller</a>, <a href="/versions/v16/techniques/T1649">Steal or Forge Authentication Certificates</a>, <a href="/versions/v16/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v16/techniques/T1558/001">Golden Ticket</a>, <a href="/versions/v16/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v16/techniques/T1558/002">Silver Ticket</a>, <a 
href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/004">Private Keys</a>, <a href="/versions/v16/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v16/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v16/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v16/techniques/T1550/003">Pass the Ticket</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0039">S0039</a> </td> <td> <a href="/versions/v16/software/S0039">Net</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/002">Domain Account</a>, <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/001">Local Account</a>, <a href="/versions/v16/techniques/T1098">Account Manipulation</a>: <a href="/versions/v16/techniques/T1098/007">Additional Local or Domain Groups</a>, <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/001">Local Account</a>, <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/002">Domain Account</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/005">Network Share Connection Removal</a>, <a href="/versions/v16/techniques/T1135">Network Share Discovery</a>, <a 
href="/versions/v16/techniques/T1201">Password Policy Discovery</a>, <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v16/techniques/T1069/002">Domain Groups</a>, <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v16/techniques/T1069/001">Local Groups</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v16/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v16/techniques/T1007">System Service Discovery</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a href="/versions/v16/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0138">S0138</a> </td> <td> <a href="/versions/v16/software/S0138">OLDBAIT</a> </td> <td> <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. 
Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0174">S0174</a> </td> <td> <a href="/versions/v16/software/S0174">Responder</a> </td> <td> <span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017."data-reference="FireEye APT28 Hospitality Aug 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. 
Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/versions/v16/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/versions/v16/techniques/T1040">Network Sniffing</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0183">S0183</a> </td> <td> <a href="/versions/v16/software/S0183">Tor</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>: <a href="/versions/v16/techniques/T1090/003">Multi-hop Proxy</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0136">S0136</a> </td> <td> <a href="/versions/v16/software/S0136">USBStealer</a> </td> <td> <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. 
Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1119">Automated Collection</a>, <a href="/versions/v16/techniques/T1020">Automated Exfiltration</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1092">Communication Through Removable Media</a>, <a href="/versions/v16/techniques/T1025">Data from Removable Media</a>, <a href="/versions/v16/techniques/T1074">Data Staged</a>: <a href="/versions/v16/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v16/techniques/T1052">Exfiltration Over Physical Medium</a>: <a href="/versions/v16/techniques/T1052/001">Exfiltration over USB</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/006">Timestomp</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/versions/v16/techniques/T1120">Peripheral Device Discovery</a>, <a href="/versions/v16/techniques/T1091">Replication Through Removable Media</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0645">S0645</a> </td> <td> <a href="/versions/v16/software/S0645">Wevtutil</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" 
title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1005">Data from Local System</a>, <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/002">Disable Windows Event Logging</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/001">Clear Windows Event Logs</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0191">S0191</a> </td> <td> <a href="/versions/v16/software/S0191">Winexe</a> </td> <td> <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018."data-reference="Überwachung APT28 Forfiles June 2015"><sup><a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0314">S0314</a> </td> <td> <a href="/versions/v16/software/S0314">X-Agent for Android</a> </td> <td> <span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017."data-reference="CrowdStrike-Android"><sup><a href="https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1430">Location Tracking</a>, <a href="/versions/v16/techniques/T1655">Masquerading</a>: <a href="/versions/v16/techniques/T1655/001">Match Legitimate Name or Location</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0161">S0161</a> </td> <td> <a href="/versions/v16/software/S0161">XAgentOSX</a> </td> <td> <span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017."data-reference="XAgentOSX 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Symantec Security Response. (2018, October 04). 
APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018."data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/002">File Transfer Protocols</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0117">S0117</a> </td> <td> <a href="/versions/v16/software/S0117">XTunnel</a> </td> <td> <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="ESET. (2016, October). 
En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018."data-reference="Symantec APT28 Oct 2018"><sup><a href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017"><sup><a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1008">Fallback Channels</a>, <a href="/versions/v16/techniques/T1046">Network Service Discovery</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/001">Binary Padding</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/001">Credentials In Files</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0251">S0251</a> </td> <td> <a href="/versions/v16/software/S0251">Zebrocy</a> </td> <td> <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. 
Retrieved November 26, 2018."data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018."data-reference="Securelist Sofacy Feb 2018"><sup><a href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019."data-reference="Unit42 Sofacy Dec 2018"><sup><a href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. 
Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v16/techniques/T1119">Automated Collection</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1037">Boot or Logon Initialization Scripts</a>: <a href="/versions/v16/techniques/T1037/001">Logon Script (Windows)</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v16/techniques/T1074">Data Staged</a>: <a href="/versions/v16/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a 
href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/004">Credential API Hooking</a>, <a href="/versions/v16/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/002">Software Packing</a>, <a href="/versions/v16/techniques/T1120">Peripheral Device Discovery</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1012">Query Registry</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v16/techniques/T1124">System Time Discovery</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank"> NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 
</a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank"> NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.justice.gov/file/1080281/download" target="_blank"> Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" target="_blank"> Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank"> Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 
</a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank"> FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" target="_blank"> SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" target="_blank"> FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" target="_blank"> Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. 
</a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank"> Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank"> Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" target="_blank"> Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"> ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank"> Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. 
</a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.secureworks.com/research/threat-profiles/iron-twilight" target="_blank"> Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank"> Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank"> Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank"> Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. 
</a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank"> Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" target="_blank"> MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank"> Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. 
</a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank"> Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank"> Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="27.0"> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html" target="_blank"> FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://blog.google/threat-analysis-group/update-threat-landscape-ukraine" target="_blank"> Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank"> Hacquebord, F. (n.d.). 
Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://pan-unit42.github.io/playbook_viewer/" target="_blank"> Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank"> Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank"> Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank"> Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. 
</a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf" target="_blank"> Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank"> Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank"> Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 
</a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank"> Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank"> Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010" target="_blank"> Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/" target="_blank"> Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="http://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html" target="_blank"> Paganini, P. (2017, November 9). 
Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/" target="_blank"> Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" target="_blank"> ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank"> Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017. 
</a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" target="_blank"> Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank"> Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf" target="_blank"> Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" target="_blank"> Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/" target="_blank"> Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). 
Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" target="_blank"> CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </body> </html>