Russian APT Groups
APT29 (Cozy Bear)
Affiliation: Russia's Foreign Intelligence Service (SVR)
Activities: Active since at least 2008, targeting government networks in Europe, NATO member countries, research institutes, and think tanks. Known for the 2015 compromise of the Democratic National Committee and the 2020 SolarWinds supply-chain compromise.
Targets: Government networks, research institutes, think tanks.
TTPs (Tactics, Techniques, Procedures):
Spear-phishing with malware payloads: Spearphishing Attachment, Spearphishing Link, Spearphishing via Service
Use of zero-day vulnerabilities: Exploitation for Privilege Escalation, Exploitation for Defense Evasion
Remote access tools (RATs): Remote Access Software
Credential harvesting: Credential Dumping
Advanced malware: Malware
Notable Incidents:
SolarWinds Compromise (2020): This supply chain attack involved compromising SolarWinds' Orion software, which is used by thousands of organizations, including U.S. government agencies and Fortune 500 companies. The attackers inserted a backdoor into the software updates, allowing them to access the networks of SolarWinds' customers.
DNC Hack (2015): APT29 gained access to the Democratic National Committee's network, stealing emails and documents. The stolen information was later leaked, causing significant political impact.
Microsoft and HPE Attacks (2023-2024): APT29 targeted Microsoft and Hewlett Packard Enterprise, compromising corporate email accounts and potentially accessing sensitive data.
Operation Ghost (2013-2019): Targeted government networks in Europe and NATO member countries, using steganography to hide data within images. This campaign involved persistent surveillance and data exfiltration.
COVID-19 Vaccine Research (2020): APT29 targeted organizations involved in COVID-19 vaccine development, attempting to steal research data and intellectual property related to vaccine production.
APT28 (Fancy Bear)
Affiliation: Russia's military intelligence agency (GRU)
Activities: Active since at least the mid-2000s, using zero-day exploits, spear-phishing, and malware to compromise targets. Known for hacking the Democratic National Committee's emails in 2016 and for targeting government, military, and security organizations.
Targets: Government, military, security organizations, political entities.
TTPs:
Spear-phishing with malware attachments: Spearphishing Attachment, Spearphishing Link, Spearphishing via Service
Exploitation of zero-day vulnerabilities: Exploitation for Privilege Escalation, Exploitation for Defense Evasion
Use of malware like X-Agent and Sofacy: Malware
Credential theft: Credential Dumping
Lateral movement and data exfiltration: Lateral Movement, Exfiltration Over C2 Channel
Notable Incidents:
Hillary Clinton Campaign Hack (2016): APT28 compromised emails from Hillary Clinton's presidential campaign and the Democratic National Committee, leading to significant political repercussions.
German Parliament Hack (2015): APT28 targeted the German parliament, stealing data and disrupting email accounts of German MPs and the Vice Chancellor.
World Anti-Doping Agency (WADA) Hack (2016): APT28 attacked the World Anti-Doping Agency, leaking confidential athlete data in an attempt to discredit the organization.
Cisco Router Exploits (2021): APT28 exploited vulnerabilities in Cisco routers to conduct reconnaissance and deploy malware, affecting network security across various organizations.
OPCW Attack (2018): APT28 attempted to disrupt the Organization for the Prohibition of Chemical Weapons' analysis of chemical weapons used in the UK.
French TV5Monde Hack (2015): APT28 took control of the TV5Monde television network and broadcast pro-ISIS content, aiming to disrupt and manipulate media narratives.
Berserk Bear (Energetic Bear)
Affiliation: Russian state-sponsored
Activities: Targeting U.S. state, local, territorial, and tribal government networks, as well as aviation networks. Known for obtaining user and administrator credentials to establish initial access and exfiltrating data from compromised networks.
Targets: Critical infrastructure, government agencies, energy sectors.
TTPs:
Watering hole attacks: Drive-by Compromise
Use of malware like Havex and BlackEnergy: Malware
Credential harvesting: Credential Dumping
Network reconnaissance and lateral movement: Lateral Movement
Notable Incidents:
Ukraine Cyber Attacks (2022): Berserk Bear targeted Ukrainian government, military, and private sectors with cyber attacks aimed at disrupting operations and stealing sensitive information.
Norwegian Parliament Hack (2017): Berserk Bear infiltrated the Norwegian parliament, stealing emails and documents. This attack was part of a broader campaign targeting European political entities.
U.S. Department of State and White House (2014-2015): Berserk Bear compromised email accounts of U.S. Department of State and White House officials, gaining access to sensitive information.
US Energy Sector Attack (2017): Berserk Bear attempted to gain access to operational systems within the US energy sector, posing a significant risk to critical infrastructure.
US Nuclear Laboratories (2018): Berserk Bear infiltrated several US nuclear laboratories, stealing sensitive information and potentially compromising national security.
US Water Utilities (2019): Berserk Bear targeted US water utilities, attempting to gain control over critical infrastructure and potentially disrupt water supply systems.