Russian APT Groups

APT29 (Cozy Bear)

  • Affiliation: Russia's Foreign Intelligence Service (SVR); also tracked as The Dukes, Nobelium and Midnight Blizzard

  • Activities: Tracked since at least 2008, targeting government networks in Europe and NATO member countries, research institutes, and think tanks. Known for its 2015 intrusion into the Democratic National Committee and the 2020 SolarWinds supply chain compromise.

  • Targets: Government networks, research institutes, think tanks.

  • TTPs (Tactics, Techniques, Procedures):

  • Notable Incidents:

    • SolarWinds Compromise (2020): This supply chain attack inserted the SUNBURST backdoor into builds of SolarWinds' Orion network-monitoring platform, which then reached customers as legitimate, code-signed updates. Roughly 18,000 customers downloaded a trojanized build; the attackers used the backdoor to select a much smaller set of high-value targets, including U.S. government agencies and Fortune 500 companies, and move deeper into those networks.

    • DNC Hack (2015): APT29 gained access to the Democratic National Committee's network in mid-2015 and collected email and documents. The DNC emails published in 2016 are attributed to a separate, later intrusion by APT28 (see below), not to this access.

    • Microsoft and HPE Attacks (2023-2024): APT29 compromised corporate email at Microsoft and Hewlett Packard Enterprise. Microsoft's January 2024 disclosure described initial access by password spraying a legacy, non-production test tenant account, then abusing a legacy OAuth application that still held elevated permissions to read mailboxes of senior leadership and security staff.

    • Operation Ghost (2013-2019): A long-running espionage campaign, documented by ESET in 2019, against ministries of foreign affairs in Europe and at least one EU member state's embassy in Washington, D.C. Its implants retrieved command-and-control instructions steganographically hidden in images posted to public web services such as Twitter, Reddit and Imgur, so the C2 traffic blended with ordinary browsing during years of persistent surveillance and data exfiltration.

    • COVID-19 Vaccine Research (2020): A July 2020 joint advisory from UK, Canadian and U.S. agencies described APT29 targeting organizations involved in COVID-19 vaccine development, exploiting known vulnerabilities in public-facing VPN and mail appliances and deploying the WellMess and WellMail malware in an attempt to steal research data and intellectual property.
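The Microsoft intrusion above began with a password spray: one source trying a few common passwords against many accounts, so that no single account trips a lockout. The following is an added example (not from the original page or from any Microsoft tooling) of the detection logic a defender would run over sign-in logs. The log format, field order and thresholds are assumptions; the log lines are constructed.

```python
"""Password-spray detection over constructed sign-in logs.

Added example, not from the original page. Log lines are constructed to
mimic a generic identity-provider sign-in log with the fields
<timestamp> <user> <source-ip> <result>; the format and thresholds are
assumptions, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails against five different accounts in
# seconds and then succeeds on one (the spray's hit); 198.51.100.23 is a
# single user mistyping a password (benign noise).
SAMPLE_LOG = """\
2023-11-20T02:00:01Z alice@legacy-test.example 203.0.113.7 FAILURE
2023-11-20T02:00:04Z bob@legacy-test.example 203.0.113.7 FAILURE
2023-11-20T02:00:07Z carol@legacy-test.example 203.0.113.7 FAILURE
2023-11-20T02:00:10Z dave@legacy-test.example 203.0.113.7 FAILURE
2023-11-20T02:00:13Z erin@legacy-test.example 203.0.113.7 FAILURE
2023-11-20T02:00:16Z svc-test@legacy-test.example 203.0.113.7 SUCCESS
2023-11-20T02:01:00Z frank@corp.example 198.51.100.23 FAILURE
2023-11-20T02:01:09Z frank@corp.example 198.51.100.23 FAILURE
2023-11-20T02:01:20Z frank@corp.example 198.51.100.23 SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (datetime, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {...}} for every source IP whose failed logins touched at
    least `min_users` distinct accounts inside any `window`-long span.

    A per-account lockout never fires on a spray (each account sees one or
    two failures), so the pivot has to be the source, not the user.  For a
    flagged IP the result also lists accounts that later succeeded from it,
    which is where incident response should start.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        failures = [(ts, u) for ts, u, r in evs if r == "FAILURE"]
        start = 0
        # Sliding window over time-ordered failures for this source.
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_users:
                hits = sorted(u for _, u, r in evs if r == "SUCCESS")
                findings[ip] = {
                    "sprayed_accounts": sorted(users),
                    "successful_logins": hits,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(ip, "sprayed", len(info["sprayed_accounts"]), "accounts;",
              "successes:", info["successful_logins"])
```

The single successful login from the spraying source is the finding that matters: a test or service account that accepted a sprayed password is exactly the kind of foothold described above, and any OAuth applications or tokens tied to it should be reviewed next.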
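Operation Ghost hid C2 instructions inside ordinary-looking images. The mechanism is least-significant-bit (LSB) steganography: each byte of an RGB pixel buffer loses its lowest bit to one bit of payload, which changes no channel value by more than 1 and is invisible to the eye. The block below is an added example written for this page, not APT29's actual tooling or ESET's analysis code; the cover image is a constructed 16x16 RGB buffer and the length-prefix framing is an assumption.

```python
"""LSB steganography of a short command into an RGB pixel buffer.

Added example, not from the page and not real APT29 tooling.  The cover is
a constructed 16x16 RGB gradient (768 channel bytes); the 4-byte length
prefix is an assumed framing so the receiver knows where the payload ends.
"""
import struct


def make_cover(width=16, height=16):
    """Constructed cover image: a smooth gradient, 3 bytes per pixel."""
    buf = bytearray()
    for y in range(height):
        for x in range(width):
            buf += bytes(((x * 16) & 0xFF, (y * 16) & 0xFF, ((x + y) * 8) & 0xFF))
    return buf


def embed(cover, payload):
    """Hide len(payload) (4 bytes, big-endian) followed by payload, one bit
    per channel byte, in the least significant bit of each byte."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # clear LSB, then set it to the payload bit
    return out


def extract(stego):
    """Recover the payload: read the 4-byte length from the first 32 LSBs,
    then that many bytes from the following LSBs."""
    def read_bytes(offset, n):
        vals = bytearray()
        for k in range(n):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | (stego[offset + k * 8 + j] & 1)
            vals.append(byte)
        return bytes(vals)

    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(32, length)


def max_channel_delta(cover, stego):
    """Largest per-byte change embedding introduced; LSB stego is always <= 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    command = b"cmd: list-processes; sleep 3600"   # constructed C2 instruction
    stego = embed(cover, command)
    print("recovered:", extract(stego))
    print("max channel change:", max_channel_delta(cover, stego))
```

The defensive point is that content inspection of the image finds nothing: file size and visible pixels are unchanged. Detection of this kind of C2 rests on behaviour instead, such as hosts on a ministry network repeatedly fetching images from image-hosting and social-media services at regular intervals.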

APT28 (Fancy Bear)

  • Affiliation: Russia's military intelligence agency (GRU), Unit 26165; also tracked as Sofacy, Pawn Storm, Strontium and Forest Blizzard

  • Activities: Active since at least the mid-2000s, combining spear phishing, credential-harvesting sites, zero-day exploits and custom malware (the X-Agent and Sofacy/Sednit families) against government, military and security organizations. Known for the 2016 theft and leak of Democratic National Committee and Clinton campaign emails.

  • Targets: Government, military, security organizations, political entities.

  • TTPs:

  • Notable Incidents:

    • Hillary Clinton Campaign Hack (2016): APT28 spear-phished the personal email account of campaign chairman John Podesta and compromised the DNC and DCCC networks; the stolen emails were released through the Guccifer 2.0 and DCLeaks personas and WikiLeaks, with significant political repercussions.

    • German Parliament Hack (2015): APT28 compromised the Bundestag network and exfiltrated data, including email from MPs' offices; the compromise was extensive enough that the parliament's network had to be taken offline and rebuilt.

    • World Anti-Doping Agency (WADA) Hack (2016): After the Rio Olympics, APT28 used a spear-phished IOC-created account to reach WADA's ADAMS database and leaked athletes' confidential medical records (therapeutic use exemptions) under a "Fancy Bears" persona, in an apparent effort to discredit the agency after Russian athletes were banned for doping.

    • Cisco Router Exploits (2021): Detailed in an April 2023 joint NCSC/CISA/FBI/NSA advisory: during 2021 APT28 exploited CVE-2017-6742, a known SNMP vulnerability in Cisco IOS and IOS XE, on routers exposed with weak or default SNMP community strings, deploying the Jaguar Tooth implant to collect device information and enable unauthenticated backdoor access. Patching and removing public SNMP exposure were the recommended mitigations.

    • OPCW Attack (2018): In April 2018 Dutch authorities disrupted four GRU officers in The Hague who were preparing a close-access Wi-Fi attack on the Organisation for the Prohibition of Chemical Weapons, which was then analysing the nerve agent used in the Salisbury poisoning in the UK.

    • French TV5Monde Hack (2015): An April 2015 intrusion took TV5Monde's channels off air for hours and posted pro-ISIS messages on its social media accounts under a "CyberCaliphate" banner; French investigators later attributed the attack to APT28 and treated the jihadist framing as a false flag.

Berserk Bear (Energetic Bear)

  • Affiliation: Russia's Federal Security Service (FSB), Center 16, per a 2021 U.S. indictment; also tracked as Dragonfly, Crouching Yeti and TEMP.Isotope

  • Activities: Tracked since at least 2010, initially against energy-sector companies and ICS vendors in the U.S. and Europe, later against U.S. state, local, territorial and tribal (SLTT) government networks and aviation networks. Known for harvesting user and administrator credentials (through spear phishing, watering-hole sites and compromised third-party suppliers) to establish initial access, and for exfiltrating data from compromised networks.

  • Targets: Critical infrastructure, government agencies, energy sectors.

  • TTPs:

  • Notable Incidents:

    • Ukraine Cyber Attacks (2022): Microsoft's 2022 reporting on the invasion listed this group (under its name Bromine) among the Russian state actors active against Ukrainian government, military and private-sector networks alongside GRU and SVR groups; its specific operations there are far less publicly documented than those of the GRU's Sandworm.

    • Norwegian Parliament (Storting) Hack: Not attributed to Berserk Bear. Norway attributed the 2020 compromise of Storting email accounts to APT28, and the 2017 spear-phishing against Norwegian government and party networks to APT29.

    • U.S. Department of State and White House (2014-2015): These intrusions into unclassified email systems are publicly attributed to APT29 (Cozy Bear), not Berserk Bear; see the APT29 section above.

    • US Energy Sector Attack (2017): Tracked by Symantec as Dragonfly 2.0 and detailed in the March 2018 DHS/FBI alert TA18-074A. The group spear-phished and watering-holed small third-party suppliers, harvested credentials, then pivoted into energy-sector corporate networks and collected screenshots and configuration files from ICS/SCADA workstations. No disruption of operations was reported, but the access posed a significant risk to critical infrastructure.

    • Wolf Creek Nuclear Power Plant Targeting (2017): A 2021 U.S. indictment of three FSB Center 16 officers charged them with compromising the business network of the Wolf Creek Nuclear Operating Corporation in Kansas as part of the Dragonfly campaign; no access to the plant's control systems was reported.

    • US SLTT Government and Aviation Networks (2020): CISA/FBI alert AA20-296A described the group exploiting known vulnerabilities in internet-facing Citrix, Microsoft Exchange and Fortinet appliances, and the Zerologon Netlogon flaw, to compromise dozens of state, local, tribal and territorial government and aviation networks, exfiltrating data from at least two victim servers.
