130n@calvinlai.com
  • About Calvin Lai (fkclai)
Russian APT Groups


Last updated 5 months ago


APT29 (Cozy Bear)

  • Affiliation: Russia's Foreign Intelligence Service (SVR). Also tracked as The Dukes, NOBELIUM and, under Microsoft's current naming, Midnight Blizzard.

  • Activities: Active since at least 2008, targeting government networks in Europe and NATO member countries, research institutes and think tanks. Best known for the 2015 intrusion into the Democratic National Committee and the 2020 SolarWinds supply chain compromise. The group favours long, quiet espionage access over disruption, and since SolarWinds has leaned heavily on cloud and identity abuse (password spraying, OAuth application abuse, token theft) rather than on endpoint malware alone.

  • Targets: Government networks, diplomatic missions, research institutes, think tanks, and the IT and cloud service providers that serve them.

  • TTPs (Tactics, Techniques, Procedures), with the MITRE ATT&CK technique each maps to:

    • Spear-phishing with malware payloads: Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Spearphishing via Service (T1566.003)

    • Use of zero-day vulnerabilities: Exploitation for Privilege Escalation (T1068), Exploitation for Defense Evasion (T1211)

    • Remote access tools (RATs): Remote Access Software (T1219)

    • Credential harvesting: OS Credential Dumping (T1003)

    • Advanced malware: no single ATT&CK technique; families include MiniDuke and CozyDuke (the "Dukes" era), WellMess and WellMail (the 2020 vaccine-research campaign) and SUNBURST (the SolarWinds Orion backdoor)

  • Notable Incidents:

    • SolarWinds Compromise (2020): A supply chain attack on SolarWinds' Orion platform, used by thousands of organizations including U.S. government agencies and Fortune 500 companies. The attackers compromised the Orion build process so that legitimately signed updates carried the SUNBURST backdoor. Roughly 18,000 customers downloaded the trojanized update, but only a small, hand-picked subset received hands-on follow-up intrusion; the rest were never activated. The lesson for defenders is that a signed vendor update is still untrusted code and that build pipelines need the same controls as production.

    • DNC Hack (2015): APT29 had access to the Democratic National Committee's network from summer 2015 and was found alongside APT28 when CrowdStrike investigated in 2016, stealing emails and documents. The material that was later leaked publicly (DCLeaks, Guccifer 2.0) came from the separate GRU/APT28 intrusion rather than from APT29's quieter collection.

    • U.S. Department of State and White House (2014-2015): Compromise of unclassified email systems at the State Department and the Executive Office of the President, attributed to APT29 (then tracked as CozyDuke). This intrusion is sometimes misfiled under Berserk Bear.

    • Microsoft and HPE Attacks (2023-2024): At Microsoft (disclosed January 2024) the group password-sprayed a legacy, non-production test tenant account that lacked MFA, then abused a legacy OAuth application with elevated Exchange Online permissions to read senior leadership mailboxes. Hewlett Packard Enterprise disclosed that the same actor had accessed its cloud-based email environment since May 2023. Neither case required a zero-day; a weak legacy account and an over-privileged OAuth app were enough.

    • Operation Ghost (2013-2019): Documented by ESET in 2019. Targeted ministries of foreign affairs in Europe and an EU member state's embassy in Washington, DC, with the PolyglotDuke, RegDuke, MiniDuke and FatDuke families. Command and control used steganography (control data hidden inside images) and public services such as Twitter, Reddit and Dropbox so that beaconing blended into normal web traffic. The campaign was persistent surveillance and data exfiltration over several years.

    • COVID-19 Vaccine Research (2020): A joint NCSC/CSE/NSA/CISA advisory (July 2020) described APT29 targeting organizations involved in vaccine development to steal research data and intellectual property. Initial access came through known vulnerabilities in internet-facing Citrix, Pulse Secure, FortiGate and Zimbra appliances, followed by the custom WellMess and WellMail malware for continued access.

APT28 (Fancy Bear)

  • Affiliation: Russian military intelligence (GRU), specifically Unit 26165. Also tracked as Sofacy, Sednit, Pawn Storm, STRONTIUM and, under Microsoft's current naming, Forest Blizzard.

  • Activities: Active since at least 2004, using spear phishing, zero-day exploits and custom malware to compromise targets. Known for the 2016 hack of the Democratic National Committee and the Clinton campaign, and for targeting government, military and security organizations. Unlike APT29, it routinely combines espionage with "hack-and-leak" and disruption operations run through front personas (Guccifer 2.0, DCLeaks, CyberCaliphate, Fancy Bears' Hack Team).

  • Targets: Government, military, security organizations, political entities, and the media and sports bodies the Russian state wants to discredit.

  • TTPs:

    • Spear-phishing with malware attachments: Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Spearphishing via Service (T1566.003); the lure is frequently a fake webmail or Google account login page rather than an attachment

    • Exploitation of zero-day vulnerabilities: Exploitation for Privilege Escalation (T1068), Exploitation for Defense Evasion (T1211)

    • Use of malware like X-Agent and Sofacy: no single ATT&CK technique; "Sofacy" (also Sednit) is the toolset name, with X-Agent, X-Tunnel and Zebrocy among the individual families

    • Credential theft: OS Credential Dumping (T1003)

    • Lateral movement and data exfiltration: Lateral Movement (tactic TA0008), Exfiltration Over C2 Channel (T1041)

  • Notable Incidents:

    • Hillary Clinton Campaign and DNC Hack (2016): APT28 spear-phished campaign chairman John Podesta with a fake Google password-reset link (March 2016), then compromised the DCCC and DNC networks. Stolen emails were released through DCLeaks, the Guccifer 2.0 persona and later WikiLeaks, with significant political repercussions. Twelve GRU officers were indicted by the U.S. Department of Justice in July 2018 for the operation.

    • German Parliament (Bundestag) Hack (2015): APT28 stole roughly 16 GB of data, including email from MPs' accounts and from Chancellor Angela Merkel's parliamentary office, and the Bundestag network had to be rebuilt. The EU imposed sanctions over the attack in 2020.

    • World Anti-Doping Agency (WADA) Hack (2016): After Russia's partial ban from the Rio Olympics, APT28 accessed WADA's anti-doping database through a phished account and, as "Fancy Bears' Hack Team", leaked athletes' therapeutic use exemption records to suggest Western athletes were also doping.

    • Cisco Router Exploits (2021): APT28 exploited a known SNMP vulnerability in Cisco IOS routers, using weak or default SNMP community strings, to conduct reconnaissance and deploy the "Jaguar Tooth" implant on routers in the U.S., Europe and Ukraine. The campaign was disclosed in an April 2023 joint advisory from the UK NCSC, CISA, FBI and NSA; the fix was patching plus restricting SNMP to read-only, non-default communities on management networks.

    • OPCW Attack (2018): In April 2018 four GRU officers were caught by Dutch military intelligence in a car park beside the Organisation for the Prohibition of Chemical Weapons in The Hague, with Wi-Fi interception equipment for a close-access attack. The OPCW was analysing the Novichok used in the Salisbury poisoning in the UK at the time; the officers were expelled.

    • French TV5Monde Hack (2015): In April 2015 APT28 took twelve TV5Monde channels off air and defaced its websites and social media with pro-ISIS "CyberCaliphate" messaging, a false flag to disguise the origin; French investigators later attributed the attack to APT28.

Berserk Bear (Energetic Bear)

  • Affiliation: Russian state-sponsored; a 2022 U.S. Department of Justice indictment ties the group's Dragonfly-era activity to officers of FSB Center 16. Also tracked as Dragonfly, Crouching Yeti and TEMP.Isotope.

  • Activities: Targeting U.S. state, local, territorial and tribal (SLTT) government networks as well as aviation networks (CISA/FBI advisory AA20-296A, October 2020), on top of a long history against energy and other critical infrastructure operators in the U.S. and Europe. Known for obtaining user and administrator credentials to establish initial access and exfiltrating data from compromised networks; the group has so far collected rather than disrupted, although its access to ICS networks would have allowed disruption.

  • Targets: Critical infrastructure, government agencies, energy sector operators and their suppliers.

  • TTPs:

    • Spear-phishing: Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Spearphishing via Service (T1566.003); the 2017 campaign also used documents that load a remote template over SMB so the victim's NTLM hash is captured without any macro running

    • Watering hole attacks: Drive-by Compromise (T1189); ICS vendor websites and trojanized ICS software installers (the 2014 Havex campaign) and energy-industry media sites (2017)

    • Use of malware like Havex: no single ATT&CK technique; Havex (with its OPC scanning module for enumerating ICS devices) and Karagany are this group's. BlackEnergy is attributed to Sandworm, a GRU unit, not to Berserk Bear

    • Credential harvesting: OS Credential Dumping (T1003); in 2020 the group chained exploitation of vulnerable Citrix, Exim and Fortinet appliances with Zerologon (CVE-2020-1472) to take over domain controllers

    • Network reconnaissance and lateral movement: Lateral Movement (tactic TA0008)

  • Notable Incidents:

    • Dragonfly / Havex Campaign (2013-2014): Compromised the websites and download packages of several ICS software vendors so that customers installed the Havex RAT with legitimate software; Havex then enumerated OPC servers on the victims' networks. This is the incident that established the group as an ICS-focused actor.

    • US Energy Sector Attack (2017): The "Dragonfly 2.0" campaign first compromised small suppliers as staging targets, then used them to reach energy utilities, including the Wolf Creek nuclear plant operator, and captured screenshots of HMI and SCADA systems from inside operational networks. DHS and FBI detailed the intrusion in alert TA18-074A (March 2018).

    • SLTT and Aviation Networks (2020): Exploitation of internet-facing Citrix, Exim and Fortinet vulnerabilities followed by Zerologon against U.S. state, local and aviation networks, with credential theft and data exfiltration (CISA AA20-296A). The compromise of San Francisco International Airport's websites in March 2020, used to harvest Windows credentials, is attributed to the same group.

    • Ukraine Cyber Attacks (2022): The page attributes 2022 attacks on Ukrainian government, military and private sector networks to Berserk Bear; most publicly documented 2022 activity against Ukraine is attributed to Sandworm and Gamaredon, so treat this attribution with caution.

    • Norwegian Attacks (2017): Not Berserk Bear. The 2017 spear-phishing against Norwegian ministries and the Labour Party was attributed by Norway's PST to APT29, and the 2020 intrusion into the Storting (parliament) was attributed to APT28.

    • U.S. Department of State and White House (2014-2015): Not Berserk Bear. The compromise of State Department and White House unclassified email accounts is attributed to APT29 (Cozy Bear).

    • US Nuclear Laboratories (2018): Reported intrusions into U.S. nuclear research facilities to steal sensitive information; note that the well-documented Berserk Bear nuclear-sector access is the 2017 Wolf Creek case above.

    • US Water Utilities (2019): Reported targeting of U.S. water utilities, attempting to gain a foothold that could be used to disrupt water supply systems.
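The three TTP lists above say which ATT&CK techniques each group uses, but a detection team wants to know which techniques are shared, since one detection there covers all three actors. The following Python is an added example (my code, not the page author's): it encodes the technique IDs from the lists above, scores each technique by the number of groups using it, and emits an ATT&CK Navigator layer so the overlap can be visualised and handed to detection engineering. Assumptions: the technique-name-to-ID mapping is the one given in the lists; "Lateral Movement" is a tactic (TA0008) and "Malware" has no single technique, so both are left out of the layer; the `versions` fields in the layer are assumed values for a recent Navigator and may need adjusting for yours.

```python
"""Score ATT&CK techniques by how many Russian APT groups on this page use
them and emit an ATT&CK Navigator layer (added example, not the page's code)."""
import json
from collections import Counter

# Technique IDs taken from the TTP lists on this page. Tactic-level entries
# (Lateral Movement, TA0008) and "Malware" have no technique ID and are omitted.
GROUP_TECHNIQUES = {
    "APT29 (Cozy Bear)": {
        "T1566.001", "T1566.002", "T1566.003",  # spear-phishing variants
        "T1068", "T1211",                        # exploitation for privesc / defense evasion
        "T1219",                                 # remote access software (RATs)
        "T1003",                                 # OS credential dumping
    },
    "APT28 (Fancy Bear)": {
        "T1566.001", "T1566.002", "T1566.003",
        "T1068", "T1211",
        "T1003",
        "T1041",                                 # exfiltration over C2 channel
    },
    "Berserk Bear (Energetic Bear)": {
        "T1566.001", "T1566.002", "T1566.003",
        "T1189",                                 # drive-by compromise (watering hole)
        "T1003",
    },
}


def technique_counts(groups=GROUP_TECHNIQUES):
    """Return {technique_id: number of groups that use it}."""
    counts = Counter()
    for techniques in groups.values():
        counts.update(techniques)
    return dict(counts)


def groups_using(technique_id, groups=GROUP_TECHNIQUES):
    """Sorted names of the groups that use a technique."""
    return sorted(name for name, techs in groups.items() if technique_id in techs)


def prioritised(groups=GROUP_TECHNIQUES):
    """Technique IDs ordered most-shared first, ties broken by ID."""
    counts = technique_counts(groups)
    return sorted(counts, key=lambda tid: (-counts[tid], tid))


def build_layer(groups=GROUP_TECHNIQUES, name="Russian APT technique overlap"):
    """Build an ATT&CK Navigator layer dict; score = number of groups using the
    technique, comment = which groups. Version numbers are assumed values."""
    counts = technique_counts(groups)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Score = number of groups on the page that use the technique",
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": len(groups)},
        "techniques": [
            {"techniqueID": tid, "score": count,
             "comment": ", ".join(groups_using(tid, groups))}
            for tid, count in sorted(counts.items())
        ],
    }


if __name__ == "__main__":
    for tid in prioritised():
        users = groups_using(tid)
        print(f"{tid:10} {len(users)} group(s): {', '.join(users)}")
    with open("russian_apt_overlap.json", "w", encoding="utf-8") as fh:
        json.dump(build_layer(), fh, indent=2)
```

Run it and import `russian_apt_overlap.json` into the ATT&CK Navigator; T1003 and the three T1566 sub-techniques score 3, which is why credential-dumping and phishing telemetry should be the first detections an organisation facing these actors validates, before anything actor-specific.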