• The cyber gang’s top targets include government, aerospace, defense, energy and media sectors.
  • The group does not exfiltrate financial information or sell the information gathered from the targets.

The notorious APT28 group, also known as Fancy Bear or Sofacy, is associated with the Russian military intelligence agency GRU. The group relies on zero-day exploits, spear phishing, and malware to compromise its targets.

Security experts believe that Fancy Bear orchestrated attacks against the US Democratic National Committee (DNC) during the 2016 US presidential election. The group’s efforts are believed to have been part of the Russian government’s goal of damaging the democratic process of the US and help US president Donald Trump come into power.

Primary targets

This Russian government-backed threat actor group has been active since 2007. Initially, it was only involved in stealing information from various governments in Europe and the US. However, after the 2016 US Presidential elections, the group became more active than ever.

Fancy Bear’s top targets include governments, as well as aerospace, defense, energy, and media sectors. The group does not exfiltrate financial information or sell the information gathered from the targets. Instead, it uses tactics to monitor every move of its opponent while remaining undetected. APT28 gathers strategic state information that could be used to influence decisions, public opinion, or geopolitical issues.

Modus Operandi

Sofacy carries out a majority of attacks through spear-phishing, although zero-day exploits and custom malware are some of its other go-to tactics. The Russian affiliated group also makes use of the watering hole technique - infecting a site that is used by a specific group of end users - to infect devices.

Among its several known attacks, the group was found using spear-phishing to conduct attacks against the German parliament in 2014, NATO in 2015, the Democratic National Committee in 2016, and the International Olympic Committee in 2016.

Fancy Bear is also believed to be responsible for the attack against Ukrainian artillery. It distributed an infected version of a malicious Android app to access confidential data.

Tactics, Techniques and Procedures (TTPs)

Fancy Bear employs advanced methods to gain persistence over targeted systems. Some of its TTPs include:

  • Using spear-phishing emails.
  • Disguising malicious websites as news sources.
  • Exploiting zero-day vulnerabilities.
  • Using watering hole attacks to malign government websites.
  • Using sophisticated malware to relay traffic through proxy networks of victims that it has previously compromised.

Fancy Bear has been known to use software such as ADVSTORESHELL, CHOPSTICK, JHUHUGIT, and XTunnel. The group also has dedicated considerable time in developing several custom malware such as its namesake Sofacy malware and droppers such as Foozer, WinIDS, X-Agent, X-Tunnel, and DownRange.

APT28 is still highly active. The group is continuously improving its tactics and procedures to obtain sensitive information while remaining undetected. The threat group is now believed to be implementing counter-analysis techniques to obfuscate code.

Fancy Bear is widely considered to be one of the most successful cyberespionage threat actor groups active in the wild. The group is known for its targeted and persistent attacks, some of which last for weeks or even months. The group’s sophisticated and constantly evolving attacks indicate that it is well funded and is likely to continue expanding attacks in the future.

Cyware Publisher