Russian APT Groups
APT29
Affiliation: Russia's Foreign Intelligence Service (SVR)
Activities: Active since at least 2008, targeting government networks in Europe, NATO member countries, research institutes, and think tanks. Known for the compromise of the Democratic National Committee in 2015 and the SolarWinds supply chain compromise in 2020.
Targets: Government networks, research institutes, think tanks.
TTPs (Tactics, Techniques, Procedures):
Spear-phishing with malware payloads:
Use of zero-day vulnerabilities:
Remote access tools (RATs):
Credential harvesting:
Advanced malware:
Notable Incidents:
SolarWinds Compromise (2020): This supply chain attack involved compromising SolarWinds' Orion software, which is used by thousands of organizations, including U.S. government agencies and Fortune 500 companies. The attackers inserted a backdoor into the software updates, allowing them to access the networks of SolarWinds' customers.
DNC Hack (2015): APT29 gained access to the Democratic National Committee's network, stealing emails and documents. The stolen information was later leaked, causing significant political impact.
Microsoft and HPE Attacks (2023-2024): APT29 targeted Microsoft and Hewlett Packard Enterprise, compromising corporate email accounts and potentially accessing sensitive data.
Operation Ghost (2013-2019): Targeted government networks in Europe and NATO member countries, using steganography to hide data within images. This campaign involved persistent surveillance and data exfiltration.
COVID-19 Vaccine Research (2020): APT29 targeted organizations involved in COVID-19 vaccine development, attempting to steal research data and intellectual property related to vaccine production.

APT28
Affiliation: Russian military intelligence agency (GRU)
Activities: Active since at least the mid-2000s, using zero-day exploits, spear-phishing, and malware to compromise targets. Known for the 2016 theft of Democratic National Committee emails and for targeting government, military, and security organizations.
Targets: Government, military, security organizations, political entities.
TTPs:
Spear-phishing with malware attachments:
Exploitation of zero-day vulnerabilities:
Use of malware like X-Agent and Sofacy:
Credential theft:
Lateral movement and data exfiltration:
Notable Incidents:
Hillary Clinton Campaign Hack (2016): APT28 compromised emails from Hillary Clinton's presidential campaign and the Democratic National Committee, leading to significant political repercussions.
German Parliament Hack (2015): APT28 targeted the German parliament, stealing data and disrupting email accounts of German MPs and the Vice Chancellor.
World Anti-Doping Agency (WADA) Hack (2016): APT28 attacked the World Anti-Doping Agency, leaking confidential athlete data in an attempt to discredit the organization.
Cisco Router Exploits (2021): APT28 exploited vulnerabilities in Cisco routers to conduct reconnaissance and deploy malware, affecting network security across various organizations.
OPCW Attack (2018): APT28 attempted to disrupt the Organization for the Prohibition of Chemical Weapons' analysis of chemical weapons used in the UK.
French TV5Monde Hack (2015): APT28 took control of the TV5Monde television network and broadcast pro-ISIS content, aiming to disrupt and manipulate media narratives.

Berserk Bear
Affiliation: Russian state-sponsored
Activities: Targeting U.S. state, local, territorial, and tribal government networks, as well as aviation networks. Known for obtaining user and administrator credentials to establish initial access and for exfiltrating data from compromised networks.
Targets: Critical infrastructure, government agencies, energy sector.
TTPs:
Spear-phishing:
Watering hole attacks:
Use of malware like Havex and BlackEnergy:
Credential harvesting:
Network reconnaissance and lateral movement:
Notable Incidents:
Ukraine Cyber Attacks (2022): Berserk Bear targeted Ukrainian government, military, and private sectors with cyber attacks aimed at disrupting operations and stealing sensitive information.
Norwegian Parliament Hack (2017): Berserk Bear infiltrated the Norwegian parliament, stealing emails and documents. This attack was part of a broader campaign targeting European political entities.
U.S. Department of State and White House (2014-2015): Berserk Bear compromised email accounts of U.S. Department of State and White House officials, gaining access to sensitive information.
US Energy Sector Attack (2017): Berserk Bear attempted to gain access to operational systems within the US energy sector, posing a significant risk to critical infrastructure.
US Nuclear Laboratories (2018): Berserk Bear infiltrated several US nuclear laboratories, stealing sensitive information and potentially compromising national security.
US Water Utilities (2019): Berserk Bear targeted US water utilities, attempting to gain control over critical infrastructure and potentially disrupt water supply systems.