
Inside Fancy Bear's Arsenal: An Update on the Cyber Tactics of APT28

Research and Analysis Jan 10, 2024

Origin: 2007

Aliases: APT 28, APT-C-20, ATK5, Blue Athena, FANCY BEAR, FROZENLAKE, Fighting Ursa, Forest Blizzard, G0007, Grey-Cloud, Grizzly Steppe, Group 74, Group-4127, IRON TWILIGHT, ITG05, Pawn Storm, SIG40, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, T-APT-12, TA422, TG-4127, Tsar Team, TsarTeam, UAC-0028

Targeted Sectors: Governments, Military Organizations, Aerospace, Media Firms, Research Companies, Energy, Journalists, Politicians, Telecommunications, IT

Targeted Regions: Europe (Mostly NATO members), North America, The UAE, Middle East, Syria

Common infection vectors: Spear-Phishing, Zero-Day Exploits, Custom Malware, Watering Hole Attacks, Living-off-the-Land tactics

Malware Used: Zebrocy, Sofacy, X-Agent, CHOPSTICK, CORESHELL, JHUHUGIT, ADVSTORESHELL, Drovorub, Skinnyboy

Motivation: Espionage, Political Agenda

Overview

Fancy Bear, aka APT28, is a notorious Russian cyberespionage group known for attacks on governments, military entities, and other high-value targets. Operational since 2007, it has executed several well-coordinated, stealthy attacks, etching its presence into the history of cybersecurity. According to various reports, the group has attempted to influence election processes in the U.S., France, and Germany, and was also behind the 2017 NotPetya attack.

Over the past 20 months, Fancy Bear has been in the news for exploiting a Microsoft Outlook bug, targeting over two dozen organizations across 14 nations that are deemed strategically significant to the Russian government and its military. The group's covert operations aim at long-term infiltration of its targets' systems. With that said, let's dive into its attack techniques.

Tactics, Techniques, and Procedures

Fancy Bear often uses targeted spear-phishing campaigns to deliver malicious payloads, disguising its emails as messages from a trusted source. The group is also known for exploiting security flaws in software, including zero-days. This year, Fancy Bear made headlines for exploiting an Outlook zero-day (CVE-2023-23397), an RCE vulnerability in Cisco routers (CVE-2017-6742), and a WinRAR flaw (CVE-2023-38831). (More details are shared in the next section.)

In general, the group employs a diverse array of advanced techniques and tactics to carry out malicious operations that directly or indirectly benefit Russia.

  • Malware Attacks: The group uses various types of malware, including custom-built tools. Sofacy, X-Agent, Sednit, and Zebrocy are among the malware families associated with APT28.

  • Watering Hole Attacks: APT28 has been known to compromise websites likely to be visited by its targets, injecting malicious code into those sites.

  • Credential Theft: APT28 employs techniques such as keyloggers and credential-harvesting tools to steal credentials and gain access to systems and networks.

  • Persistence Mechanisms: APT28 uses various methods to maintain access to compromised systems for an extended period, such as creating backdoors, using scheduled tasks, or manipulating system services.

  • Domain Registration and Infrastructure: APT28 is known to register domains that mimic legitimate ones, creating a deceptive infrastructure for its operations.

  • Use of Virtual Private Servers (VPS): The group often uses VPS providers to host its command and control (C2) servers, helping to hide its tracks and make attribution more challenging.

  • Geopolitical Targeting: APT28's campaigns often align with geopolitical events, suggesting that the group operates in support of Russian state interests.

Attack Details

Espionage-motivated Fancy Bear has targeted Eastern European governments, military entities, Georgia, Ukraine, and organizations like NATO, along with U.S. defense contractors such as Academi, SAIC, Boeing, Lockheed Martin, and Raytheon.

Fancy Bear's target list from March 2015 to May 2016 encompassed a wide range of individuals opposing Putin and the Kremlin in the U.S., Ukraine, Russia, Georgia, and Syria, including both Democratic and Republican entities.

The incidents below trace Fancy Bear's path to notoriety:

  • French TV Station TV5 Monde (2015): In April 2015, Fancy Bear destroyed the internet-connected hardware that controlled the operations of France's TV5 Monde television station. The group also hijacked the station's website and social media accounts.

  • U.S. Presidential Election Attack (2016): Fancy Bear targeted Democratic National Committee (DNC) email servers and stole sensitive emails and other information that were later leaked to the public. The intrusion is seen as an attempt to influence the 2016 presidential election.

  • German Bundestag (2017): The group was publicly associated with infiltrating the German Bundestag, employing spear-phishing attacks and malware to compromise government officials and expand network access.

  • NotPetya Malware Attack (2017): In 2017, Fancy Bear was connected to the destructive NotPetya malware attack, which went on to cause $10 billion in losses globally, along with other significant damage to impacted organizations.

  • Worldwide Anti-doping Agency (2017): Fancy Bear was linked to hack-and-leak operations against the Worldwide Anti-doping Agency, seen as retaliation for Russia's ban from the 2018 Winter Olympics. Ahead of the Tokyo 2020 Olympics, the adversaries targeted at least 16 national and international organizations across three continents.

  • Brute-Force Attacks: U.S. and U.K. authorities warned of a widespread Fancy Bear campaign ongoing since mid-2019. The campaign uses a Kubernetes cluster to run brute-force password-spraying attacks against numerous global government and private sector targets.

Espionage in 2022-23

Ukraine and NATO Countries

The Ukraine-Russia conflict unveiled a new chapter of cyberattacks between nations, with APT28 at the forefront of this cyber war. According to Palo Alto's Unit 42 researchers, the group exploited the Outlook bug for over 20 months in 14 nations that were of strategic intelligence value to the Russian government. The group ran the attack campaigns in three waves, the latest occurring in December 2023. Its attacks focused on critical infrastructure and energy-related entities, pipeline operations, government ministries, and more in NATO member countries. Outside NATO, Ukraine, Jordan, and the UAE were also targeted. All in all, at least 30 organizations were affected by the attacks.

Fancy Bear's attacks on Ukraine are nothing new; several attack campaigns have been launched against Ukraine since 2014. From 2014 to 2016, the threat actor primarily distributed the X-Agent malware implant on Ukrainian military forums, bundled with a legitimate application used by Ukrainian artillery forces to collect tactical data.

Cisco Routers Abused

In April, Fancy Bear actors exploited an RCE vulnerability (CVE-2017-6742) in the SNMP implementation of Cisco routers. A joint advisory by Western security agencies revealed that the actors used this tactic to backdoor Cisco routers globally, including in Europe, at U.S. government institutions, and at approximately 250 Ukrainian victims.

Israel-Hamas War

In December, security experts uncovered a Fancy Bear attack campaign that used lures related to the ongoing Israel-Hamas war to deliver a custom backdoor called HeadLace. The campaign targeted critical infrastructure organizations across Hungary, Turkey, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania. The infection chain exploited a WinRAR flaw tracked as CVE-2023-38831 to deliver the backdoor.

Preventive Measures

First and foremost, governments and critical infrastructure providers across NATO and European nations are urged to patch the Outlook bug. Microsoft has issued guidance to help identify attacks exploiting the bug. In addition, security teams must configure endpoint protections to block such malicious campaigns.
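As an added example (not from the original page and not Microsoft's own script), here is a hunting check in the spirit of that guidance. It assumes the reminder-sound property of each mail item has already been exported into a plain dict, and it flags any value that points at a network host rather than a local file, since a remote reminder path is what CVE-2023-23397 abuses to make Outlook connect outward.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample of reminder-related MAPI properties pulled from four mail
# items. "reminder_file" stands in for PidLidReminderFileParameter, the custom
# reminder-sound path that CVE-2023-23397 abuses: a value naming a remote host
# makes Outlook connect out when the reminder fires, so that is what we hunt for.
SAMPLE_ITEMS = [
    {"subject": "Weekly sync", "reminder_file": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Invoice", "reminder_file": r"\\203.0.113.7\share\alarm.wav"},
    {"subject": "Status", "reminder_file": r"\\files.corp.example@80\s\a.wav"},
    {"subject": "Lunch", "reminder_file": None},
]

# Matches both plain UNC (\\host\share\...) and the WebDAV-style form with a
# port (\\host@80\path\...); either one makes the client reach the named host.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@(?P<port>\d+))?\\")


def classify_reminder(item: dict, internal_suffixes: tuple) -> Optional[dict]:
    """Return a finding if the reminder sound path points at a network host."""
    path = item.get("reminder_file")
    if not path:
        return None
    m = UNC_RE.match(path)
    if not m:
        return None  # local file path: the normal, benign case
    host = m.group("host").lower()
    # Hypothetical split: hosts under the organisation's own suffixes are
    # "internal", everything else "external"; both deserve review.
    scope = "internal" if host.endswith(internal_suffixes) else "external"
    return {"subject": item["subject"], "host": host,
            "port": m.group("port"), "scope": scope}


def hunt(items: Iterable[dict],
         internal_suffixes: tuple = (".corp.example",)) -> List[dict]:
    """Collect every item whose reminder path would trigger an outbound connection."""
    return [f for f in (classify_reminder(i, internal_suffixes) for i in items) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_ITEMS):
        print(finding)
```

The `.corp.example` suffix is a placeholder for the organisation's own domain; in practice the property values would come from a mailbox export rather than the constructed list above.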

Additionally, organizations that use strategic and tactical threat intelligence to sharpen their detection and response measures, and that collaborate beyond their operational silos, are likely to defend more effectively against threat actors like Fancy Bear. Cyware's Intel Exchange (CTIX), Orchestrate, and Respond (CFTR) platforms empower organizations through threat intel automation and advanced threat analysis, while also promoting effective security collaboration and building a proactive defense against sophisticated cyberattacks.

Conclusion

Fancy Bear has remained a persistent and enigmatic adversary for over a decade. By examining its tactics, motivations, and complex operations, we gain the insights necessary to counter its ambitions. Its adaptability and innovation present a formidable challenge to governments and organizations globally. Defending against Fancy Bear demands continuous enhancement and adaptation of state-of-the-art defensive strategies.

Indicators of Compromise

Trojan.Sofacy (Seduploader)


Backdoor.Sofacy (X-Agent)


Trojan.Shunael (X-Agent)


Follina


IPs
