APT28 Analysis
IOB - Indicator of Behavior (1000)
Timeline
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.
Activities
Interest
Timeline
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.
Vulnerabilities
Campaigns (7)
These are the campaigns that can be associated with the actor:
- Carberp
- CVE-2022-30190
- Fysbis
- Xxxxxx Xxxxx Xxxxx
- Xxxxx
- Xxxx Xxxxx
- Xxxxxx
IOC - Indicator of Compromise (245)
These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.
TTP - Tactics, Techniques, Procedures (20)
Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
IOA - Indicator of Attack (233)
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | .travis.yml | predictive | Medium |
| 2 | File | /.env | predictive | Low |
| 3 | File | /admin.php | predictive | Medium |
| 4 | File | /admin/subnets/ripe-query.php | predictive | High |
| 5 | File | /Config/SaveUploadedHotspotLogoFile | predictive | High |
| 6 | File | /core/conditions/AbstractWrapper.java | predictive | High |
| 7 | File | /dashboard/updatelogo.php | predictive | High |
| 8 | File | /debug/pprof | predictive | Medium |
| 9 | File | /etc/openshift/server_priv.pem | predictive | High |
| 10 | File | /export | predictive | Low |
| 11 | File | /file?action=download&file | predictive | High |
| 12 | File | /hardware | predictive | Medium |
| 13 | File | /index.php | predictive | Medium |
| 14 | File | /medical/inventories.php | predictive | High |
| 15 | File | /mgmt/tm/util/bash | predictive | High |
| 16 | File | /mkshop/Men/profile.php | predictive | High |
| 17 | File | /monitoring | predictive | Medium |
| 18 | File | /MTFWU | predictive | Low |
| 19 | File | /Noxen-master/users.php | predictive | High |
| 20 | File | /opt/zimbra/jetty/webapps/zimbra/public | predictive | High |
| 21 | File | /plugin/LiveChat/getChat.json.php | predictive | High |
| 22 | File | /plugins/servlet/audit/resource | predictive | High |
| 23 | File | /plugins/servlet/project-config/PROJECT/roles | predictive | High |
| 24 | File | /REBOOTSYSTEM | predictive | High |
| 25 | File | /replication | predictive | Medium |
| 26 | File | /RestAPI | predictive | Medium |
| 27 | File | /xxx/xxxxxx-xxxxxxxx-* | predictive | High |
| 28 | File | /xxxxxxx/ | predictive | Medium |
| 29 | File | /xxxxxx | predictive | Low |
| 30 | File | /xxxx/xxxxxx.xxx?xxx=x | predictive | High |
| 31 | File | /xxx/xxx/xx | predictive | Medium |
| 32 | File | /xxx/xxx/xxxxx | predictive | High |
| 33 | File | /xxx/xxx/xxxxxxxx.xxx | predictive | High |
| 34 | File | /xxxxxx/xxxxxx.xxxx | predictive | High |
| 35 | File | /xx-xxxx/xxxxxx/x.x/xxxxx?xxx | predictive | High |
| 36 | File | /xx-xxxx/xx/xx/xxxxxxxx | predictive | High |
| 37 | File | xxxxx/xxxxxxx.xxx | predictive | High |
| 38 | File | xxxxxxx.xxx | predictive | Medium |
| 39 | File | xxx.xxx | predictive | Low |
| 40 | File | xxxxxxx.xxx | predictive | Medium |
| 41 | File | xxx/xx-xxxxx-xxxxxxx/xxx-xx-xxxxx-xxxxxxx.xxx | predictive | High |
| 42 | File | xxx/xxx/xxxx-xxx | predictive | High |
| 43 | File | xxxx/xxxxxxx/xxx/xxxxxx_xxxx.x | predictive | High |
| 44 | File | xxxx-xxxx.x | predictive | Medium |
| 45 | File | xxxx/xxxxxxx.xxx | predictive | High |
| 46 | File | xxxxxx.xxxx | predictive | Medium |
| 47 | File | x:\xxxxxxx xxxxx\xxxxxx xxxxx\xxx\xxxxxxx.xxx | predictive | High |
| 48 | File | x:\xxxxxxx\xxxxxxxx\xxxxxx\xxx | predictive | High |
| 49 | File | xxx-xxx/xx.xxx | predictive | High |
| 50 | File | xxx/xxxxxxx.xx | predictive | High |
| 51 | File | xxxxx.xxx | predictive | Medium |
| 52 | File | xxxxxx.xxx | predictive | Medium |
| 53 | File | xxx_xxxxxx.xxx | predictive | High |
| 54 | File | xxx.xxx | predictive | Low |
| 55 | File | xxxxxx.xxx | predictive | Medium |
| 56 | File | xxxxxxxx.xx | predictive | Medium |
| 57 | File | xxxxxxx.xxx | predictive | Medium |
| 58 | File | x_xxxxxx | predictive | Medium |
| 59 | File | xxxxxxx.xxx | predictive | Medium |
| 60 | File | xx.x | predictive | Low |
| 61 | File | xxxxxxxx.xxx | predictive | Medium |
| 62 | File | xxxxxxx/xxxxx/xxxxxx.x | predictive | High |
| 63 | File | xxxxxxx/xxx/xxxxxxx/xxxx.x | predictive | High |
| 64 | File | xxxx_xxxxx.xxx | predictive | High |
| 65 | File | xxx/xxxx/xxxx.x | predictive | High |
| 66 | File | xxx/xxxxxxxx/xxx_xxxxxxxxxxxx.x | predictive | High |
| 67 | File | xxxxxxxx.x | predictive | Medium |
| 68 | File | xx/xxxxxxxxx.x | predictive | High |
| 69 | File | xx/xxxxx.x | predictive | Medium |
| 70 | File | xx/xxxxx/xxxxxxx.x | predictive | High |
| 71 | File | xxxxx.xxx | predictive | Medium |
| 72 | File | xxxxxxxxxx.xx | predictive | High |
| 73 | File | xxxx_xxxxxxx.xxx.xxx | predictive | High |
| 74 | File | xxxx/xxxxxxxxxxxxxxxxxxxxxxxx.xx | predictive | High |
| 75 | File | xxxxxxxxxxxxxxxxxxxxx.xxx | predictive | High |
| 76 | File | xxxx_xxxx.x | predictive | Medium |
| 77 | File | xxxxx-xxxxx.x | predictive | High |
| 78 | File | xxxxxx_xxxxx_xxxxxxx.x | predictive | High |
| 79 | File | xxxxx.xxx | predictive | Medium |
| 80 | File | xxxxx.xxx?xx=xxxxxxxx.xxxxxx | predictive | High |
| 81 | File | xxxxx.x | predictive | Low |
| 82 | File | xxxxx/xxxxxxxx/xxxxxxxxxxxx/xxxxxxxxxxxx | predictive | High |
| 83 | File | xxxx_xxxxxx.xx | predictive | High |
| 84 | File | xxxxxx/xxx/xxxxxxxx.x | predictive | High |
| 85 | File | xxxxxx/xxxxx/xxxxx_xxxxxx_xxxxxx.x | predictive | High |
| 86 | File | xxxxxxxxxx/xxx/xxxxxx_xxxx.xxx | predictive | High |
| 87 | File | xxxxxxx/xx_xxx.x | predictive | High |
| 88 | File | xxxxxxxxx/xxxxxxx/xxxxxx/xxxxxxxxxx.xxx | predictive | High |
| 89 | File | xxxx.xxx | predictive | Medium |
| 90 | File | xxxxx.xxx | predictive | Medium |
| 91 | File | xxxxx.xxx | predictive | Medium |
| 92 | File | xxxxx.xxx | predictive | Medium |
| 93 | File | xxxxx/?xxxxxx=xxxxxxx&xxxx | predictive | High |
| 94 | File | xxxx.x | predictive | Low |
| 95 | File | xxxxxx_xxxxx_xxxxxxx.x | predictive | High |
| 96 | File | xxxxxxxxxxxxxxxx.x | predictive | High |
| 97 | File | xxx/xxxxxxxxx/xx_xxxxxx_xxx.x | predictive | High |
| 98 | File | xxx/xxxxxxxxx/x_xxxxxx.x | predictive | High |
| 99 | File | xxxx_xxxx.xxx | predictive | High |
| 100 | File | xxxxx-xxxxxxxxxx.xxx | predictive | High |
| 101 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
| 102 | File | xxx_xx.x | predictive | Medium |
| 103 | File | xxxxxxxxxxxxxxxxx.xxx | predictive | High |
| 104 | File | xxxxxxxxxxxx.xxx | predictive | High |
| 105 | File | xxxxxxxxx.xxx.xxx | predictive | High |
| 106 | File | xxxxxxx.xxx | predictive | Medium |
| 107 | File | xxxxxxxxxxxxx.xxxx | predictive | High |
| 108 | File | xxxxxxx.xxx | predictive | Medium |
| 109 | File | xxxxxxxxxxxxxx.xxx | predictive | High |
| 110 | File | xxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][] | predictive | High |
| 111 | File | xxxxxxxx.xxx | predictive | Medium |
| 112 | File | xxxxxxxx.xxx | predictive | Medium |
| 113 | File | xxxxx_xxxxxxx.xxx | predictive | High |
| 114 | File | xxxxxxx.xxx | predictive | Medium |
| 115 | File | xxxxxxx.x | predictive | Medium |
| 116 | File | xxxx_xxx_xx.x | predictive | High |
| 117 | File | xx_xxx.x | predictive | Medium |
| 118 | File | xxx.x | predictive | Low |
| 119 | File | xxxxxx.x | predictive | Medium |
| 120 | File | xxxxx.xxx | predictive | Medium |
| 121 | File | xxxx-xxxxxx.x | predictive | High |
| 122 | File | xxxxxxxx.xxx | predictive | Medium |
| 123 | File | xxxx.xxx | predictive | Medium |
| 124 | File | xxxxxxx.x | predictive | Medium |
| 125 | File | xxx/xxx_xxxxx.x | predictive | High |
| 126 | File | xxxxxxx.xxx.xx.xxxxxxxxxxx.xxx | predictive | High |
| 127 | File | xxxxxxx/xxxxxxx/xxxxxx/xxxxxx_xxxx.xxx | predictive | High |
| 128 | File | xxxx/xxx/xxxx-xxxxx.xxx | predictive | High |
| 129 | File | xxxxxxxxx.x | predictive | Medium |
| 130 | File | xxxx.xxxxxxxxx.xxx | predictive | High |
| 131 | File | xxxx_xxxxxxx.xxx | predictive | High |
| 132 | File | xxxxxx.xxx | predictive | Medium |
| 133 | File | xxx.xxx | predictive | Low |
| 134 | File | xxxxxx/xx/xxxx.xxx | predictive | High |
| 135 | File | xx-xxxxx/xxxxx-xxxx.xxx | predictive | High |
| 136 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High |
| 137 | File | xx-xxxxxxxx/xxxxxxx-xxxxxxxx.xxx | predictive | High |
| 138 | File | xx/xx/xxxxx | predictive | Medium |
| 139 | File | xx_xxxxxxx.x | predictive | Medium |
| 140 | File | _xxxxxxxx/xxxxxxxx.xxx | predictive | High |
| 141 | File | ~/xxxxx/xxxxx-xxxxx-xxxxxx-xxxxx-xxxxx.xxx | predictive | High |
| 142 | File | ~/xxxx/xxx/xxxxxxx/xxxxxxxxxx/xxxxxx.xxx | predictive | High |
| 143 | File | ~/xxxxxx/xxxxxx/xxxxxxx-xxxxxxx/xxxxxx/xxxxxxxx-xxxxxxx.xxx | predictive | High |
| 144 | Library | xxxxx/xxxxxxxxx/xxxx.xxxxxxxxx.xxx | predictive | High |
| 145 | Library | xxxxxxxxxx/xxxxxxxx.x | predictive | High |
| 146 | Library | xxxxxxxx.xxx | predictive | Medium |
| 147 | Library | xxxxxx-xx/xxx/xxx-xxxxxx-xxxxx-xx.xxx | predictive | High |
| 148 | Library | xxxxxxxxx.xxx | predictive | High |
| 149 | Library | xxxxxxx.xxx | predictive | Medium |
| 150 | Library | xxxxxx.xxx.xxx.xxx | predictive | High |
| 151 | Library | xxxxxxxx.xxx | predictive | Medium |
| 152 | Library | xxxxxxxx.xxx | predictive | Medium |
| 153 | Argument | -x | predictive | Low |
| 154 | Argument | xxxx | predictive | Low |
| 155 | Argument | xxxxxxxxxx xxx xxxxxxx | predictive | High |
| 156 | Argument | xxxxxx_xxxx | predictive | Medium |
| 157 | Argument | xxx | predictive | Low |
| 158 | Argument | xxxxx | predictive | Low |
| 159 | Argument | xxx_xx | predictive | Low |
| 160 | Argument | xxxxxx | predictive | Low |
| 161 | Argument | xxxxxxxxxx | predictive | Medium |
| 162 | Argument | xxxxxxx | predictive | Low |
| 163 | Argument | xxxxxx_xxxx_xxxxxxxx | predictive | High |
| 164 | Argument | xxxxxxx_xxxx->xxx($xxxxxxxx) | predictive | High |
| 165 | Argument | xxxxxxxxxxx | predictive | Medium |
| 166 | Argument | xxxxxxxx_xxxx | predictive | High |
| 167 | Argument | xxxxxxxxxxx | predictive | Medium |
| 168 | Argument | xxxxxx_xxxx | predictive | Medium |
| 169 | Argument | xxxx | predictive | Low |
| 170 | Argument | xx | predictive | Low |
| 171 | Argument | xxxxxxxxx | predictive | Medium |
| 172 | Argument | xxxxxxxxxxxxxx | predictive | High |
| 173 | Argument | xxxxxxxxx | predictive | Medium |
| 174 | Argument | xxxxxxx | predictive | Low |
| 175 | Argument | xxx | predictive | Low |
| 176 | Argument | xxxx_xxxxxx_xxxx | predictive | High |
| 177 | Argument | xxxxxxxxxxxxx | predictive | High |
| 178 | Argument | xxxx x xxxx | predictive | Medium |
| 179 | Argument | xxxxxxxxx/xxxxxxxxx | predictive | High |
| 180 | Argument | xxx_xx | predictive | Low |
| 181 | Argument | x-xxx | predictive | Low |
| 182 | Argument | xxxxxxxxxxxxxxxxxxxx | predictive | High |
| 183 | Argument | xx | predictive | Low |
| 184 | Argument | xxxxxxx/xxxx/xxxxxxxx | predictive | High |
| 185 | Argument | xxxxx/xxxxxx | predictive | Medium |
| 186 | Argument | xxxxxxxx | predictive | Medium |
| 187 | Argument | xxxxxxxx | predictive | Medium |
| 188 | Argument | xxxxxxxxx | predictive | Medium |
| 189 | Argument | xxx_xxx | predictive | Low |
| 190 | Argument | xxxxxx | predictive | Low |
| 191 | Argument | xxxxxx | predictive | Low |
| 192 | Argument | xx_xxxxxxx_xxxxxxx | predictive | High |
| 193 | Argument | xxxxx | predictive | Low |
| 194 | Argument | xxxxxxxx | predictive | Medium |
| 195 | Argument | xxxxxxx_xxx | predictive | Medium |
| 196 | Argument | xxxxxx | predictive | Low |
| 197 | Argument | xxxx | predictive | Low |
| 198 | Argument | xxxxxxx | predictive | Low |
| 199 | Argument | xxxxxx | predictive | Low |
| 200 | Argument | xxxxxxxx_xxxxx | predictive | High |
| 201 | Argument | xxxxxxxxxxxx | predictive | Medium |
| 202 | Argument | xxxxxx | predictive | Low |
| 203 | Argument | xxxxx | predictive | Low |
| 204 | Argument | xxx | predictive | Low |
| 205 | Argument | xxxxxx | predictive | Low |
| 206 | Argument | xxx | predictive | Low |
| 207 | Argument | xxxxxxxx-xxxxxxxx | predictive | High |
| 208 | Argument | xxx | predictive | Low |
| 209 | Argument | xxx | predictive | Low |
| 210 | Argument | xxxx | predictive | Low |
| 211 | Argument | xxxxxxxx | predictive | Medium |
| 212 | Argument | xxxxxxx | predictive | Low |
| 213 | Argument | xxxx->xxxxxxx | predictive | High |
| 214 | Argument | xxxxx/xxxxx | predictive | Medium |
| 215 | Argument | xxx | predictive | Low |
| 216 | Argument | _xxx_xxxxxxx_xxxxxxx_xxxxxxxxxxxxx_xxx_xxx_xxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxx | predictive | High |
| 217 | Argument | _xxx_xxxxxxxxxxx_ | predictive | High |
| 218 | Input Value | "><xxxxxx>xxxxx(/xxx/)</xxxxxx> | predictive | High |
| 219 | Input Value | .%xx.../.%xx.../ | predictive | High |
| 220 | Input Value | xxx xxxxxxxx | predictive | Medium |
| 221 | Input Value | xxxxx' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx) xxx 'xxxx'='xxxx&xxxxxxxx=xxxxxxxxxx | predictive | High |
| 222 | Input Value | xxxxxxxxx' xxx 'x'='x | predictive | High |
| 223 | Input Value | xxxxx | predictive | Low |
| 224 | Input Value | xxxxxxx_xxxxx.xxxxxxx_xxxxxxx | predictive | High |
| 225 | Input Value | \x | predictive | Low |
| 226 | Input Value | ….// | predictive | Low |
| 227 | Pattern | () { | predictive | Low |
| 228 | Pattern | |xx| | predictive | Low |
| 229 | Network Port | xxxxx | predictive | Low |
| 230 | Network Port | xx xxxxxxx xxx.xx.xx.xx | predictive | High |
| 231 | Network Port | xxx/xx (xxxxxx) | predictive | High |
| 232 | Network Port | xxx/xxxx | predictive | Medium |
| 233 | Network Port | xxx xxxxxx xxxx | predictive | High |
References (40)
The following list contains external sources which discuss the actor and the associated activities:
- https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/
- https://cert.gov.ua/article/40102
- https://community.blueliv.com/#!/s/5f6b482482df413eb5350d3b
- https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
- https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-05-ioc-mark.txt
- https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-09-ioc-mark.txt
- https://github.com/blackorbird/APT_REPORT/blob/master/CyberMerceNary/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf
- https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc
- https://github.com/vuldb/cyber_threat_intelligence/tree/main/actors/APT28
- https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
- https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
- https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
- https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf
- https://twitter.com/teamcymru_S2/status/1540390942510927873
- https://twitter.com/teamcymru_S2/status/1540390947665616897
- https://twitter.com/teamcymru_S2/status/1540390955882319876
- https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/
- https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/
- https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/
- https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/
- https://unit42.paloaltonetworks.com/unit42-xagentosx-sofacys-xagent-macos-tool/
- https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
- https://www.ncsc.gov.uk/files/NCSC_APT28.pdf
- https://www.threatminer.org/report.php?q=ASongofIntelandFancy_ExploitingFancyBear%E2%80%99suseofSSLcertificate.pdf&y=2018
- https://www.threatminer.org/report.php?q=eset-sednit-part-2-ESET.pdf&y=2016
- https://www.threatminer.org/report.php?q=eset-sednit-part1-ESET.pdf&y=2016
- https://www.threatminer.org/report.php?q=FancyBearcontinuetooperatethroughphishingemailsandmuchmore_ESET.pdf&y=2017
- https://www.threatminer.org/report.php?q=OperationRussianDoll.pdf&y=2015
- https://www.threatminer.org/report.php?q=TheDeceptionProjectANewJapanese-CentricThreat-Cylance.pdf&y=2017
- https://www.threatminer.org/report.php?q=ThreatConnectandFidelisTeamUptoExploretheDCCCBreach-ThreatConnect.pdf&y=2016
- https://www.threatminer.org/report.php?q=ThreatConnectIdentifiesFANCYBEARWorldAnti-DopingAgencyBreach-ThreatConnect.pdf&y=2016
- https://www.threatminer.org/report.php?q=wp-operation-pawn-storm.pdf&y=2014
- https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
- https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
- https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
- https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf