{ "type": "bundle", "id": "bundle--92b2fd69-4f54-47bd-8d13-8b77814f460e", "spec_version": "2.0", "objects": [ { "type": "intrusion-set", "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "APT28", "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). 
", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "G0007", "url": "https://attack.mitre.org/groups/G0007", "source_name": "mitre-attack" }, { "source_name": "APT28", "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)" }, { "source_name": "SNAKEMACKEREL", "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)" }, { "source_name": "Swallowtail", "description": "(Citation: Symantec APT28 Oct 2018)" }, { "source_name": "Group 74", "description": "(Citation: Talos Seduploader Oct 2017)" }, { "source_name": "Sednit", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. (Citation: FireEye APT28 January 2017) (Citation: SecureWorks TG-4127) (Citation: Kaspersky Sofacy) (Citation: Ars Technica GRU indictment Jul 2018)" }, { "source_name": "Sofacy", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware. 
(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)" }, { "source_name": "Pawn Storm", "description": "(Citation: SecureWorks TG-4127) (Citation: ESET Sednit Part 3)" }, { "source_name": "Fancy Bear", "description": "(Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)" }, { "source_name": "STRONTIUM", "description": "(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)" }, { "source_name": "Tsar Team", "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)" }, { "source_name": "Threat Group-4127", "description": "(Citation: SecureWorks TG-4127)" }, { "source_name": "TG-4127", "description": "(Citation: SecureWorks TG-4127)" }, { "source_name": "NSA/FBI Drovorub August 2020", "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." }, { "source_name": "DOJ GRU Indictment Jul 2018", "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.", "url": "https://www.justice.gov/file/1080281/download" }, { "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", "description": "Gallagher, S. (2018, July 27). 
How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.", "source_name": "Ars Technica GRU indictment Jul 2018" }, { "source_name": "Crowdstrike DNC June 2016", "description": "Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" }, { "source_name": "FireEye APT28", "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" }, { "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign", "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.", "source_name": "SecureWorks TG-4127" }, { "source_name": "FireEye APT28 January 2017", "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" }, { "source_name": "GRIZZLY STEPPE JAR", "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.", "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" }, { "source_name": "Sofacy DealersChoice", "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. 
Retrieved June 4, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" }, { "source_name": "Palo Alto Sofacy 06-2018", "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" }, { "source_name": "Symantec APT28 Oct 2018", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018." }, { "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", "source_name": "ESET Zebrocy May 2019" }, { "source_name": "US District Court Indictment GRU Oct 2018", "url": "https://www.justice.gov/opa/page/file/1098481/download", "description": "Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020." }, { "source_name": "Kaspersky Sofacy", "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" }, { "source_name": "ESET Sednit Part 3", "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" }, { "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. 
Retrieved November 2, 2018.", "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "source_name": "Talos Seduploader Oct 2017" }, { "source_name": "Securelist Sofacy Feb 2018", "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018." }, { "source_name": "Accenture SNAKEMACKEREL Nov 2018", "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50", "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019." }, { "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.", "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/", "source_name": "Microsoft STRONTIUM Aug 2019" }, { "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020." } ], "aliases": [ "APT28", "SNAKEMACKEREL", "Swallowtail", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127" ], "modified": "2020-10-06T23:32:21.793Z", "created": "2017-05-31T21:31:48.664Z", "x_mitre_contributors": [ "S\u00e9bastien Ruel, CGI", "Drew Church, Splunk", "Emily Ratliff, IBM", "Richard Gold, Digital Shadows" ], "x_mitre_version": "3.0" } ] }