
APT28

aka: Pawn Storm, FANCY BEAR, Sednit, SNAKEMACKEREL, Tsar Team, TG-4127, STRONTIUM, Swallowtail, IRON TWILIGHT, Group 74, SIG40, Grizzly Steppe, G0007, ATK5, Fighting Ursa, ITG05, Blue Athena, TA422, T-APT-12, APT-C-20, UAC-0028

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.


Associated Families
win.arguepatch win.caddywiper

References
2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} }
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-09-23 | Mandiant | Mandiant Intelligence
@online{intelligence:20220923:gru:511ea47, author = {Mandiant Intelligence}, title = {{GRU: Rise of the (Telegram) MinIOns}}, date = {2022-09-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/gru-rise-telegram-minions}, language = {English}, urldate = {2022-09-26} }
ArguePatch CaddyWiper
2022-08-18 | Trustwave | Pawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} }
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2022-08-15} }
Apostle CaddyWiper DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-07-19 | Google | Billy Leonard
@online{leonard:20220719:continued:2a97da1, author = {Billy Leonard}, title = {{Continued cyber activity in Eastern Europe observed by TAG}}, date = {2022-07-19}, organization = {Google}, url = {https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag}, language = {English}, urldate = {2022-08-05} }
CyberAzov APT28 Callisto Ghostwriter Sandworm Turla
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
@online{42:20220718:fighting:865c81e, author = {Unit 42}, title = {{Fighting Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/fighting-ursa/}, language = {English}, urldate = {2022-07-29} }
Cannon Zebrocy APT28
2022-05-02 | AT&T | Fernando Martinez
@online{martinez:20220502:analysis:e5d626b, author = {Fernando Martinez}, title = {{Analysis on recent wiper attacks: examples and how wiper malware works}}, date = {2022-05-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works}, language = {English}, urldate = {2022-05-04} }
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-28 | Fortinet | Gergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} }
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27 | Microsoft | Microsoft Digital Security Unit (DSU)
@online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} }
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-12 | ESET Research | ESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} }
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-04-12 | Twitter (@silascutler) | Silas Cutler
@online{cutler:20220412:analysis:561c2a2, author = {Silas Cutler}, title = {{Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2}}, date = {2022-04-12}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1513870210398363651}, language = {English}, urldate = {2022-05-25} }
CaddyWiper INDUSTROYER2
2022-04-12 | Max Kersten's Blog | Max Kersten
@online{kersten:20220412:ghidra:4afe367, author = {Max Kersten}, title = {{Ghidra script to handle stack strings}}, date = {2022-04-12}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/}, language = {English}, urldate = {2022-04-20} }
CaddyWiper PlugX
2022-04-12 | ESET Research | ESET Ireland
@online{ireland:20220412:industroyer2:aa61be3, author = {ESET Ireland}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-05-04} }
CaddyWiper INDUSTROYER2
2022-04-12 | Cert-UA | Cert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} }
CaddyWiper Industroyer INDUSTROYER2
2022-04-05 | Morphisec | Michael Dereviashkin
@online{dereviashkin:20220405:new:2f2f8a9, author = {Michael Dereviashkin}, title = {{New Analysis: The CaddyWiper Malware Attacking Ukraine}}, date = {2022-04-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine}, language = {English}, urldate = {2022-04-07} }
CaddyWiper
2022-04-01 | splunk | Splunk Threat Research Team
@online{team:20220401:threat:1955941, author = {Splunk Threat Research Team}, title = {{Threat Update: CaddyWiper}}, date = {2022-04-01}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html}, language = {English}, urldate = {2022-04-12} }
CaddyWiper
2022-03-31 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220331:esentire:287e4dd, author = {eSentire Threat Response Unit (TRU)}, title = {{eSentire Threat Intelligence Malware Analysis: CaddyWiper}}, date = {2022-03-31}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper}, language = {English}, urldate = {2022-05-23} }
CaddyWiper
2022-03-26 | n0p Blog | Ali Mosajjal
@online{mosajjal:20220326:analysis:b94c029, author = {Ali Mosajjal}, title = {{Analysis of a Caddy Wiper Sample Targeting Ukraine}}, date = {2022-03-26}, organization = {n0p Blog}, url = {https://n0p.me/2022/03/2022-03-26-caddywiper/}, language = {English}, urldate = {2022-03-28} }
CaddyWiper
2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} }
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-24 | NextGov | Brandi Vincent
@online{vincent:20220324:ukrainian:74b1566, author = {Brandi Vincent}, title = {{Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid}}, date = {2022-03-24}, organization = {NextGov}, url = {https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/}, language = {English}, urldate = {2022-03-25} }
CaddyWiper DoubleZero HermeticWiper IsaacWiper
2022-03-18 | Malwarebytes | Threat Intelligence Team
@online{team:20220318:double:fde615f, author = {Threat Intelligence Team}, title = {{Double header: IsaacWiper and CaddyWiper}}, date = {2022-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/}, language = {English}, urldate = {2022-03-28} }
CaddyWiper IsaacWiper
2022-03-17 | NioGuard | NioGuard Security Lab
@online{lab:20220317:analysis:90c9558, author = {NioGuard Security Lab}, title = {{Analysis of CaddyWiper}}, date = {2022-03-17}, organization = {NioGuard}, url = {https://www.nioguard.com/2022/03/analysis-of-caddywiper.html}, language = {English}, urldate = {2022-03-22} }
CaddyWiper
2022-03-16 | Cyber Security News | Gurubaran
@online{gurubaran:20220316:destructive:f915ddf, author = {Gurubaran}, title = {{Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations}}, date = {2022-03-16}, organization = {Cyber Security News}, url = {https://cybersecuritynews.com/destructive-data-wiper-malware/}, language = {English}, urldate = {2022-03-17} }
CaddyWiper
2022-03-15 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220315:caddywiper:f70771d, author = {Ravie Lakshmanan}, title = {{CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks}}, date = {2022-03-15}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html}, language = {English}, urldate = {2022-03-17} }
CaddyWiper
2022-03-15 | SecurityAffairs | Pierluigi Paganini
@online{paganini:20220315:caddywiper:13b5403, author = {Pierluigi Paganini}, title = {{CaddyWiper, a new data wiper hits Ukraine}}, date = {2022-03-15}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html}, language = {English}, urldate = {2022-03-15} }
CaddyWiper
2022-03-15 | Cisco | Cisco Talos
@online{talos:20220315:threat:67922cf, author = {Cisco Talos}, title = {{Threat Advisory: CaddyWiper}}, date = {2022-03-15}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html}, language = {English}, urldate = {2022-03-18} }
CaddyWiper
2022-03-15 | SecurityIntelligence | Christopher Del Fierro, John Dwyer
@online{fierro:20220315:caddywiper:6504bd2, author = {Christopher Del Fierro and John Dwyer}, title = {{CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations}}, date = {2022-03-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/}, language = {English}, urldate = {2022-03-16} }
CaddyWiper
2022-03-15 | TRUESEC | Nicklas Keijser
@online{keijser:20220315:analysis:648df73, author = {Nicklas Keijser}, title = {{Analysis of CaddyWiper, wiper targeting Ukraine}}, date = {2022-03-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine}, language = {English}, urldate = {2022-03-16} }
CaddyWiper
2022-03-15 | Twitter (@HackNPatch) | HackNPatch
@online{hacknpatch:20220315:exploring:5399622, author = {HackNPatch}, title = {{Tweet on Exploring CaddyWiper API resolution}}, date = {2022-03-15}, organization = {Twitter (@HackNPatch)}, url = {https://twitter.com/HackPatch/status/1503538555611607042}, language = {English}, urldate = {2022-03-28} }
CaddyWiper
2022-03-15 | ESET Research | ESET Research
@online{research:20220315:caddywiper:0edb827, author = {ESET Research}, title = {{CaddyWiper: New wiper malware discovered in Ukraine}}, date = {2022-03-15}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/}, language = {English}, urldate = {2022-03-15} }
CaddyWiper
2022-03-14 | Twitter (@ESETresearch) | ESET Research
@online{research:20220314:caddywiper:ac25105, author = {ESET Research}, title = {{Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine}}, date = {2022-03-14}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1503436420886712321}, language = {English}, urldate = {2022-03-14} }
CaddyWiper
2022-03-14 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20220314:new:b53c7a5, author = {Sergiu Gatlan}, title = {{New CaddyWiper data wiping malware hits Ukrainian networks}}, date = {2022-03-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/}, language = {English}, urldate = {2022-03-17} }
CaddyWiper
2022-03-14 | Cybernews | Jurgita Lapienytė
@online{lapienyt:20220314:new:965eae1, author = {Jurgita Lapienytė}, title = {{New destructive wiper malware deployed in Ukraine}}, date = {2022-03-14}, organization = {Cybernews}, url = {https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/}, language = {English}, urldate = {2022-03-15} }
CaddyWiper
2022-02-28 | Microsoft | MSRC Team
@online{team:20220228:cyber:69efe8b, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/}, language = {English}, urldate = {2022-07-25} }
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
2020-09-22 | Bleeping Computer | Ax Sharma
@online{sharma:20200922:russian:c3158b2, author = {Ax Sharma}, title = {{Russian hackers use fake NATO training docs to breach govt networks}}, date = {2020-09-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/}, language = {English}, urldate = {2020-09-24} }
Zebrocy APT28
2020-09-22 | QuoScient | QuoIntelligence
@online{quointelligence:20200922:apt28:9bfda0c, author = {QuoIntelligence}, title = {{APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure}}, date = {2020-09-22}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/}, language = {English}, urldate = {2020-09-23} }
Zebrocy APT28
2020-09-10 | Microsoft | Microsoft Threat Intelligence Center (MSTIC)
@online{mstic:20200910:strontium:eeaafcd, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{STRONTIUM: Detecting new patterns in credential harvesting}}, date = {2020-09-10}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/}, language = {English}, urldate = {2020-09-15} }
APT28
2019-12-05 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20191205:apt28:aa3defd, author = {Marco Ramilli}, title = {{APT28 Attacks Evolution}}, date = {2019-12-05}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/}, language = {English}, urldate = {2019-12-17} }
APT28
2019-02-20 | Washington Post | Elizabeth Dwoskin, Craig Timberg
@online{dwoskin:20190220:microsoft:9d4cb73, author = {Elizabeth Dwoskin and Craig Timberg}, title = {{Microsoft says it has found another Russian operation targeting prominent think tanks}}, date = {2019-02-20}, organization = {Washington Post}, url = {https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae}, language = {English}, urldate = {2019-11-29} }
APT28
2019-02-13 | Accenture Security | Accenture Security
@techreport{security:20190213:snakemackerel:17add25, author = {Accenture Security}, title = {{SNAKEMACKEREL: Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets}}, date = {2019-02-13}, institution = {Accenture Security}, url = {https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf}, language = {English}, urldate = {2019-12-18} }
APT28
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:apt28:f03c2bd, author = {MITRE ATT&CK}, title = {{Group description: APT28}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0007/}, language = {English}, urldate = {2019-12-20} }
APT28
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:28:7c5afdd, author = {Cyber Operations Tracker}, title = {{APT 28}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/apt-28}, language = {English}, urldate = {2019-12-20} }
APT28
2018-12-12 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone
@online{lee:20181212:dear:0d9a44e, author = {Bryan Lee and Robert Falcone}, title = {{Dear Joohn: The Sofacy Group’s Global Campaign}}, date = {2018-12-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/}, language = {English}, urldate = {2020-01-08} }
APT28
2018-11-29 | Accenture | Michael Yip
@online{yip:20181129:snakemackerel:aa02eba, author = {Michael Yip}, title = {{Snakemackerel delivers Zekapab malware}}, date = {2018-11-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware}, language = {English}, urldate = {2019-12-10} }
Zebrocy APT28
2018-11-20 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20181120:sofacy:bb4fd84, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2020-01-08} }
APT28
2018-10-04 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20181004:apt28:97a1356, author = {Critical Attack Discovery and Intelligence Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2020-04-21} }
LoJax Seduploader X-Agent XTunnel Zebrocy APT28
2018-10-04 | Unknown | MSN News
@online{news:20181004:russian:92336c6, author = {MSN News}, title = {{Russian hackers accused of targeting UN chemical weapons watchdog, MH17 files}}, date = {2018-10-04}, organization = {Unknown}, url = {https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny}, language = {English}, urldate = {2020-04-06} }
APT28
2018-09-27 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20180927:apt28:12917be, author = {Ionut Ilascu}, title = {{APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild}}, date = {2018-09-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/}, language = {English}, urldate = {2019-12-20} }
APT28
2018-09-27 | ESET Research | ESET Research
@online{research:20180927:lojax:5351e6c, author = {ESET Research}, title = {{LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group}}, date = {2018-09-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/}, language = {English}, urldate = {2020-01-10} }
APT28
2018-08-21 | Bleeping Computer | Catalin Cimpanu
@online{cimpanu:20180821:microsoft:bc5c2f0, author = {Catalin Cimpanu}, title = {{Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections}}, date = {2018-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/}, language = {English}, urldate = {2019-12-20} }
APT28
2018-08-21 | BBC | BBC News
@online{news:20180821:microsoft:f0674db, author = {BBC News}, title = {{Microsoft claims win over 'Russian political hackers'}}, date = {2018-08-21}, organization = {BBC}, url = {https://www.bbc.co.uk/news/technology-45257081}, language = {English}, urldate = {2019-10-30} }
APT28
2018-08-20 | Microsoft | Brad Smith
@online{smith:20180820:we:2a387d2, author = {Brad Smith}, title = {{We are taking new steps against broadening threats to democracy}}, date = {2018-08-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/}, language = {English}, urldate = {2020-01-06} }
APT28
2018-05-23 | Department of Justice | Office of Public Affairs
@online{affairs:20180523:justice:806d785, author = {Office of Public Affairs}, title = {{Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices}}, date = {2018-05-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected}, language = {English}, urldate = {2020-01-06} }
VPNFilter APT28
2018-05-15 | Reuters | Simon Johnson, Olof Swahnberg, Niklas Pollard, Hugh Lawson
@online{johnson:20180515:swedish:47c0265, author = {Simon Johnson and Olof Swahnberg and Niklas Pollard and Hugh Lawson}, title = {{Swedish sports body says anti-doping unit hit by hacking attack}}, date = {2018-05-15}, organization = {Reuters}, url = {https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN}, language = {English}, urldate = {2019-12-10} }
APT28
2018-05-08 | AP News | Raphael Satter
@online{satter:20180508:russian:8731568, author = {Raphael Satter}, title = {{Russian hackers posed as IS to threaten military wives}}, date = {2018-05-08}, organization = {AP News}, url = {https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f}, language = {English}, urldate = {2020-01-07} }
APT28
2018-02-28 | Palo Alto Networks Unit 42 | Bryan Lee, Mike Harbison, Robert Falcone
@online{lee:20180228:sofacy:04fead3, author = {Bryan Lee and Mike Harbison and Robert Falcone}, title = {{Sofacy Attacks Multiple Government Entities}}, date = {2018-02-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/}, language = {English}, urldate = {2020-01-06} }
APT28
2018-02-20 | Kaspersky Labs | GReAT
@online{great:20180220:slice:0f910f7, author = {GReAT}, title = {{A Slice of 2017 Sofacy Activity}}, date = {2018-02-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-slice-of-2017-sofacy-activity/83930/}, language = {English}, urldate = {2022-03-14} }
Seduploader APT28
2018-01-10 | Wired | Louise Matsakis
@online{matsakis:20180110:hack:73c4c38, author = {Louise Matsakis}, title = {{Hack Brief: Russian Hackers Release Apparent IOC Emails in Wake of Olympic Ban}}, date = {2018-01-10}, organization = {Wired}, url = {https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/}, language = {English}, urldate = {2020-01-13} }
APT28
2018 | Accenture Security | Accenture Security
@techreport{security:2018:snakemackerel:fa2c552, author = {Accenture Security}, title = {{SNAKEMACKEREL - A BREXIT-themed lure document that delivers ZEKAPAB malware}}, date = {2018}, institution = {Accenture Security}, url = {https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf}, language = {English}, urldate = {2019-10-15} }
APT28
2017-04-26 | Handelsblatt | Daniel Tost
@online{tost:20170426:russialinked:9fd1d9d, author = {Daniel Tost}, title = {{Russia-linked Hackers Target German Political Foundations}}, date = {2017-04-26}, organization = {Handelsblatt}, url = {https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1}, language = {English}, urldate = {2020-01-09} }
APT28
2017-04-03 | VOA | VOA
@online{voa:20170403:iaaf:0b4dd3b, author = {VOA}, title = {{IAAF Says It Has Been Hacked, Athlete Medical Info Accessed}}, date = {2017-04-03}, organization = {VOA}, url = {https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html}, language = {English}, urldate = {2020-01-07} }
APT28
2017-02-04 | de Volkskrant | Huib Modderkolk
@online{modderkolk:20170204:russen:2dcb3d1, author = {Huib Modderkolk}, title = {{Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries}}, date = {2017-02-04}, organization = {de Volkskrant}, url = {https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/}, language = {Dutch}, urldate = {2019-12-19} }
(English title: Russians failed in hacking attempts against civil servants at Dutch ministries)
APT28
2016-12-15 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20161215:let:d1d1011, author = {Robert Falcone and Bryan Lee}, title = {{Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue}}, date = {2016-12-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/}, language = {English}, urldate = {2020-01-07} }
APT28
2016-10-17 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20161017:dealerschoice:14aaca9, author = {Robert Falcone and Bryan Lee}, title = {{‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform}}, date = {2016-10-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/}, language = {English}, urldate = {2019-12-20} }
APT28
2016-10-10 | BBC | Gordon Corera
@online{corera:20161010:how:29d38b3, author = {Gordon Corera}, title = {{How France's TV5 was almost destroyed by 'Russian hackers'}}, date = {2016-10-10}, organization = {BBC}, url = {https://www.bbc.com/news/technology-37590375}, language = {English}, urldate = {2020-01-09} }
APT28
2016-09-26 | Palo Alto Networks Unit 42 | Dani Creus, Tyler Halfpop, Robert Falcone
@online{creus:20160926:sofacys:6ddbb81, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2020-01-13} } Sofacy’s ‘Komplex’ OS X Trojan
APT28
2016-09-20 | Deutsche Welle | ipj, kl
@online{ipj:20160920:hackers:fae1710, author = {ipj and kl}, title = {{Hackers lurking, parliamentarians told}}, date = {2016-09-20}, organization = {Deutsche Welle}, url = {https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630}, language = {English}, urldate = {2020-09-15} } Hackers lurking, parliamentarians told
APT28
2016-08-23 | International Business Times | Hyacinth Mascarenhas
@online{mascarenhas:20160823:russian:9531f82, author = {Hyacinth Mascarenhas}, title = {{Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say}}, date = {2016-08-23}, organization = {International Business Times}, url = {https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508}, language = {English}, urldate = {2020-09-15} } Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say
APT28
2016-06-15 | CrowdStrike | Dmitri Alperovitch
@online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2022-03-14} } Bears in the Midst: Intrusion into the Democratic National Committee
X-Agent ATI-Agent SEADADDY Seduploader X-Agent XTunnel APT28
2016-06-14 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20160614:new:0c98099, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2019-10-29} } New Sofacy Attacks Against US Government Agency
APT28
2016-06-14 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20160614:new:b51d1ab, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2020-09-15} } New Sofacy Attacks Against US Government Agency
Seduploader APT28
2016-01 | FireEye | Michael Bailey
@techreport{bailey:201601:matryoshka:3c7753f, author = {Michael Bailey}, title = {{MATRYOSHKA MINING}}, date = {2016-01}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf}, language = {English}, urldate = {2019-11-27} } MATRYOSHKA MINING
APT28
2015-12-04 | Kaspersky Labs | GReAT
@online{great:20151204:sofacy:b437b35, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/}, language = {English}, urldate = {2020-08-30} } Sofacy APT hits high profile targets with updated toolset
Coreshell Sedreco Seduploader X-Agent APT28
2015-10-22 | Trend Micro | Feike Hacquebord
@online{hacquebord:20151022:pawn:8231722, author = {Feike Hacquebord}, title = {{Pawn Storm Targets MH17 Investigation Team}}, date = {2015-10-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/}, language = {English}, urldate = {2020-01-10} } Pawn Storm Targets MH17 Investigation Team
APT28
2015-10-13 | Trend Micro | Brooks Li, Feike Hacquebord, Peter Pi
@online{li:20151013:new:f451b34, author = {Brooks Li and Feike Hacquebord and Peter Pi}, title = {{New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries}}, date = {2015-10-13}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/}, language = {English}, urldate = {2019-12-19} } New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries
APT28
2015-09-01 | Wikipedia | Various
@online{various:20150901:fancy:d2f6475, author = {Various}, title = {{Fancy Bear}}, date = {2015-09-01}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Fancy_Bear}, language = {English}, urldate = {2020-01-06} } Fancy Bear
APT28
2015-09-01 | Wikipedia | Various
@online{various:20150901:fancy:3ed81e7, author = {Various}, title = {{Fancy Bear}}, date = {2015-09-01}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Sofacy_Group}, language = {English}, urldate = {2020-01-13} } Fancy Bear
APT28
2015-08-27 | Electronic Frontier Foundation | Cooper Quintin
@online{quintin:20150827:new:b79e5c0, author = {Cooper Quintin}, title = {{New Spear Phishing Campaign Pretends to be EFF}}, date = {2015-08-27}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff}, language = {English}, urldate = {2020-01-06} } New Spear Phishing Campaign Pretends to be EFF
APT28
2015-06-19 | London South East | Alliance News
@online{news:20150619:russian:7295c92, author = {Alliance News}, title = {{Russian Hackers Suspected In Cyberattack On German Parliament}}, date = {2015-06-19}, organization = {London South East}, url = {https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament}, language = {English}, urldate = {2020-09-15} } Russian Hackers Suspected In Cyberattack On German Parliament
APT28
2015-06-19 | Netzpolitik.org | Claudio Guarnieri
@online{guarnieri:20150619:digital:6c1a11b, author = {Claudio Guarnieri}, title = {{Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag}}, date = {2015-06-19}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/}, language = {English}, urldate = {2020-01-10} } Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag
XTunnel APT28
2015-04-18 | FireEye | Dan Caselden, Yasir Khalid, James “Tom” Bennett, Genwei Jiang, Corbin Souffrant, Joshua Homan, Jonathan Wrolstad, Chris Phillips, Darien Kin
@online{caselden:20150418:operation:f2f3cba, author = {Dan Caselden and Yasir Khalid and James “Tom” Bennett and Genwei Jiang and Corbin Souffrant and Joshua Homan and Jonathan Wrolstad and Chris Phillips and Darien Kin}, title = {{Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack}}, date = {2015-04-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html}, language = {English}, urldate = {2019-10-16} } Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack
APT28
2014-10-27 | Trend Micro | Loucif Kharouni, Feike Hacquebord, Numaan Huq, Jim Gogolinski, Fernando Mercês, Alfred Remorin, Douglas Otis
@techreport{kharouni:20141027:operation:1b13f15, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10-27}, institution = {Trend Micro}, url = {https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2020-09-15} } Operation Pawn Storm: Using Decoys to Evade Detection
Sedreco Seduploader APT28
2010-05-31 | Trend Micro | Joseph Cepe
@techreport{cepe:20100531:sasfis:c0eab28, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, institution = {Trend Micro}, url = {https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf}, language = {English}, urldate = {2020-01-08} } SASFIS Malware Uses a New Trick
APT28

Credits: MISP Project