APT 28 is another name for a group of cyber attackers that are also known as Fancy Bear, Sofacy, Sednit, or STRONTIUM.
They are believed to be linked to the Russian military intelligence agency GRU and have been active since at least 2004.
APT 28 is a sophisticated and persistent threat actor that poses a serious challenge to the cyber security community.
They have demonstrated a high level of technical skill, operational security, and adaptability in their attacks.
They have also shown a keen interest in exploiting zero-day vulnerabilities and using novel techniques to evade detection and attribution.
To defend against APT 28 and other similar groups, it is essential to have a robust and layered security posture, as well as a proactive and collaborative approach to threat intelligence and incident response.
History
Exploiting known and zero-day vulnerabilities in popular software, such as Microsoft Office, Adobe Flash, and Cisco routers, to gain initial access and execute malicious code
Deploying custom and open-source malware, such as X-Agent, X-Tunnel, Sofacy, PlugX, and Mimikatz, to perform reconnaissance, lateral movement, data exfiltration, and command and control
Leveraging phishing, spearphishing, and credential harvesting techniques to compromise email accounts and web services, such as Outlook, Gmail, and Blogspot, and use them for further attacks
Masquerading as legitimate entities, such as NATO, OSCE, and security websites, to create fake domains and certificates, and use them for deception and redirection
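As an added defensive example (not code from the original page), the following Python flags hostnames in proxy logs that imitate the organisations named above without belonging to their legitimate domains; the protected-domain list, the log format and the log lines are constructed assumptions.

```python
"""Flag lookalike hostnames in proxy log lines (added example, constructed data)."""
import re
from urllib.parse import urlsplit

# Assumed: organisations to protect, mapped to their legitimate registrable domains.
PROTECTED = {"nato": {"nato.int"}, "osce": {"osce.org"}}
# Crude digit-for-letter normalisation so that e.g. "nat0" is compared as "nato".
HOMOGLYPHS = str.maketrans("013", "ole")

# Constructed sample log lines (timestamp user method url status), not real traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z user1 GET https://www.nato.int/cps/en/natohq/news.htm 200
2024-01-01T10:01:00Z user2 GET https://nato-news.example/login 200
2024-01-01T10:02:00Z user3 GET https://osce.org/event 200
2024-01-01T10:03:00Z user4 GET https://secure-osce-portal.example/auth 200
2024-01-01T10:04:00Z user5 GET https://example.com/ 200
"""


def registrable(host):
    # Approximation of the registrable domain (last two labels); a real
    # deployment would consult the public suffix list instead.
    return ".".join(host.lower().split(".")[-2:])


def lookalike_orgs(host):
    """Return the protected org names this host imitates, or [] if it is
    one of their legitimate domains or unrelated."""
    host = host.lower()
    if any(registrable(host) in legit for legit in PROTECTED.values()):
        return []
    labels = re.split(r"[.\-]", host)
    return [org for org in PROTECTED
            if any(lbl.translate(HOMOGLYPHS) == org for lbl in labels)]


def flag_log(text):
    """Return (user, host, imitated_orgs) for every log line that hits."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        host = urlsplit(parts[3]).hostname or ""
        orgs = lookalike_orgs(host)
        if orgs:
            findings.append((parts[1], host, orgs))
    return findings


if __name__ == "__main__":
    for user, host, orgs in flag_log(SAMPLE_LOG):
        print(f"{user} visited {host}, which imitates {', '.join(orgs)}")
```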