APT28 Threat Guide

Jake Trujilo

May 16, 2024

Latest Headline

APT28, a Russian state-linked cyber-espionage group, has been exploiting critical vulnerabilities in Microsoft Outlook (CVE-2023-23397) and other widely deployed software to run espionage operations against NATO member states, Ukraine and other regions of strategic interest, most recently Polish government institutions. Its persistent targeting of political and state bodies shows how state-sponsored actors keep steady pressure on the institutions behind current geopolitical conflicts.
Key Points: 
  • Operating since mid-2000s
  • Russia-linked cyber espionage group
  • 811 IOCs as of publication 

Fletch is constantly monitoring the threat landscape. The data in this guide is most up to date as of publication. Check out APT28’s Threat Board for any updates or join Fletch to be in the know for every threat.


APT28 Group Summary

APT28, also tracked as Fancy Bear, Forest Blizzard (formerly Strontium), Sofacy and several other names, is attributed to Russia's military intelligence service, the GRU, specifically military unit 26165 of its 85th Main Special Service Center (GTsSS). 
The group is infamous for high-profile intrusions and election interference, operations chosen for their ability to shape international affairs rather than merely to collect intelligence. 
Its targets and timing track Russian military and geopolitical priorities closely. 
  • Severity: Loud
  • Maturity: Mainstream
  • IOCs: 791 Malware hashes and 20 vulnerabilities
  • Targets: 13 tech targets, 8 industry targets, and 36 geo targets

Learn more about Fletch’s metrics in the Fletch Help Center.

APT28 Group Victims & Motivations

APT28's activities focus primarily on governmental and military organizations in Europe, aiming to access sensitive information that could influence geopolitical dynamics. Their operations have included a wide array of targets from political entities to critical infrastructure sectors such as energy, transportation, and telecommunications. 
These campaigns are not just about gathering intelligence but also about creating disruptions that align with Russian state objectives, such as undermining public trust in government capabilities and destabilizing political climates.


APT28 Group Tactics

The group combines spear-phishing, exploitation of software vulnerabilities such as CVE-2023-23397 (an Outlook flaw that leaks the user's Net-NTLMv2 hash to an attacker-controlled server as soon as a crafted calendar reminder fires, with no user interaction) and CVE-2022-38028 (a Windows Print Spooler privilege-escalation bug), and custom tooling such as Jaguar Tooth (an implant for Cisco IOS routers) and GooseEgg (the post-compromise tool it uses against CVE-2022-38028). 
Its infrastructure is often compromised routers and VPN or proxy services, which both hide the operators and host the SMB listeners that collect leaked or relayed NTLM credentials; with a captured Net-NTLMv2 hash, or a live relay, the attackers authenticate to Exchange and other internal services as the victim. 
APT28 keeps exploiting these bugs long after patches are available, which says as much about how slowly targets patch as about the value of the mailbox and network access the bugs provide.
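The two footprints that leak leaves behind can be checked for directly. The PowerShell below is an added example, not part of the Fletch guide or of any of its sources: it flags Sysmon Event ID 3 records showing TCP 445 to a non-private address (the connection is made by the kernel SMB redirector, so Sysmon attributes it to System, not to outlook.exe) and flags reminder-file paths that point at hosts outside an internal allowlist, which is the same PidLidReminderFileParameter property Microsoft's CVE-2023-23397 audit script inspects. The event records, the calendar items and the allowlist host fileserver.corp.example are all constructed for the example.

```powershell
# Added example (not from the Fletch guide). Two checks for the footprint of a
# CVE-2023-23397-style Net-NTLMv2 leak; sample records are constructed below.

function Test-IsPrivateAddress {
    # RFC 1918, loopback, link-local and IPv6 ULA count as "internal".
    param([Parameter(Mandatory)][string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ([System.Net.IPAddress]::IsLoopback($addr)) { return $true }
    if ($addr.AddressFamily -eq 'InterNetworkV6') {
        return $addr.IsIPv6LinkLocal -or (($addr.GetAddressBytes()[0] -band 0xFE) -eq 0xFC)
    }
    $b = $addr.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Find-OutboundSmbToInternet {
    # Sysmon Event ID 3 (network connection) records with TCP 445 to a
    # non-private destination. The SMB client lives in the kernel redirector,
    # so Sysmon attributes the connection to "System", not to outlook.exe;
    # filtering on the Outlook image would miss the leak.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object {
        $_.EventId -eq 3 -and $_.DestinationPort -eq 445 -and
        -not (Test-IsPrivateAddress -Ip $_.DestinationIp)
    }
}

function Find-ExternalReminderPath {
    # Reminder-file paths (PidLidReminderFileParameter) that point at a host
    # outside the allowlist. Handles \\host\share, \\?\UNC\host\share and
    # http(s):// WebDAV forms. The allowlist host is an assumption.
    param(
        [Parameter(Mandatory)][object[]]$Items,
        [string[]]$InternalHosts = @('fileserver.corp.example')
    )
    foreach ($item in $Items) {
        $p = $item.ReminderFileParameter
        if (-not $p) { continue }
        $target = $null
        if     ($p -match '^\\\\\?\\UNC\\([^\\]+)') { $target = $Matches[1] }   # \\?\UNC\host\share
        elseif ($p -match '^\\\\([^\\]+)')          { $target = $Matches[1] }   # \\host\share
        elseif ($p -match '^https?://([^/]+)')      { $target = $Matches[1] }   # WebDAV URL
        if ($target -and ($InternalHosts -notcontains $target)) {
            [pscustomobject]@{ Subject = $item.Subject; Target = $target; Path = $p }
        }
    }
}

# --- constructed sample input (not real telemetry) ---
$sysmon = @(
    [pscustomobject]@{ EventId = 3; Image = 'System';      DestinationIp = '10.20.30.40';  DestinationPort = 445 }
    [pscustomobject]@{ EventId = 3; Image = 'System';      DestinationIp = '203.0.113.17'; DestinationPort = 445 }
    [pscustomobject]@{ EventId = 3; Image = 'outlook.exe'; DestinationIp = '203.0.113.17'; DestinationPort = 443 }
)
$items = @(
    [pscustomobject]@{ Subject = 'Team sync'; ReminderFileParameter = '\\fileserver.corp.example\sounds\chime.wav' }
    [pscustomobject]@{ Subject = 'Invoice';   ReminderFileParameter = '\\203.0.113.17\share\r.wav' }
    [pscustomobject]@{ Subject = 'Lunch';     ReminderFileParameter = $null }
)

Find-OutboundSmbToInternet -Events $sysmon | Format-Table   # only the 203.0.113.17:445 record
Find-ExternalReminderPath  -Items  $items  | Format-Table   # only the 'Invoice' item
```

In production the event records come from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log and the calendar items from an Exchange or Graph mailbox export; the two functions only need objects with the field names shown. The third sample record (outlook.exe to 443) is there to show that ordinary HTTPS from Outlook is not flagged.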


Mitigation Advice

At the time of publication this was the mitigation advice against APT28:
Short-Term:
  • Block the Mocky (mocky.io) API-mocking service, used to stage the lure in the Polish-government campaign, at the web proxy or DNS layer, and restrict Windows Script Host (wscript.exe and cscript.exe) so that standard users cannot run scripts; AppLocker or WDAC rules are the usual way to do this.
  • Update Microsoft Outlook for CVE-2023-23397, then check whether it was already exploited: Microsoft's CVE-2023-23397 audit script searches mailboxes for items whose PidLidReminderFileParameter property holds a UNC path, and any user who received one should have credentials reset, since the patch does not revoke a hash that has already leaked.
  • Limit the Print Spooler service: disable it on every device that does not serve print queues; GooseEgg exploits CVE-2022-38028 in the spooler for privilege escalation.
  • Patch systems: CVE-2022-38028 was fixed in the Microsoft October 2022 Patch Tuesday updates; confirm every Windows host carries them, since APT28 has kept using the bug long after the fix shipped.
  • Restrict NTLM rather than switching it off blindly: block outbound TCP 445 to the internet, put high-value accounts in the Protected Users group (which refuses NTLM for its members), set the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy to audit, and move it to deny once the audit log shows nothing legitimate still depends on NTLM.
Long-Term:
  • Keep all software on company devices current; verify that auto-update mechanisms are enabled and actually working.
  • Set User Account Control to automatically deny elevation requests from standard users, and turn on installer detection for all users.
  • Set file and directory permissions so that unprivileged users cannot modify system binaries, startup locations or scheduled-task definitions.
  • Limit PowerShell to administrators and constrain what it can run (Constrained Language Mode, with script block logging enabled so that misuse is visible).
  • Keep user account privileges minimal and restrict access to system directories.
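Applied to a single Windows host, the short-term items above come down to four changes plus a version check. The script below is an added example, not the guide's or Microsoft's own tooling. It assumes it runs elevated, that `-IsPrintServer` and `-DenyOutboundNtlm` are its only inputs, and that the host firewall's predefined "Internet" address set is available for the SMB rule; it deliberately puts outbound NTLM into audit mode first, because turning NTLM off blindly breaks legacy file shares, printers and some VPN clients. Review the Microsoft-Windows-NTLM/Operational log before re-running with `-DenyOutboundNtlm`.

```powershell
# Added example (not from the Fletch guide): host-level version of the short-term
# mitigations. Run elevated. Every change is reversible; NTLM goes to audit first.
#Requires -RunAsAdministrator
param(
    [switch]$IsPrintServer,      # keep Spooler only on hosts that actually serve print queues
    [switch]$DenyOutboundNtlm    # flip audit (1) -> deny (2) once the audit log is clean
)

# 1. Print Spooler: CVE-2022-38028 (GooseEgg) lives here; disable it where not needed.
if (-not $IsPrintServer) {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
}

# 2. Keep Net-NTLMv2 leaks (CVE-2023-23397 UNC reminder paths) from reaching the
#    internet: block outbound SMB at the host firewall. "Internet" is the firewall's
#    predefined address set (everything that is not a local subnet).
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
}

# 3. NTLM: policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote
#    servers". 1 = audit, 2 = deny. Internal servers that still need NTLM can be
#    listed in ClientAllowedNTLMServers (REG_MULTI_SZ) under the same key.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$level = if ($DenyOutboundNtlm) { 2 } else { 1 }
Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value $level -Type DWord

# 4. Windows Script Host: the Polish-government lure ran its payload through
#    wscript.exe. Enabled=0 disables wscript/cscript for all users; scope it with
#    AppLocker/WDAC instead if some administrators still need scripts.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wsh)) { New-Item -Path $wsh -Force | Out-Null }
Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord

# 5. Report the Office Click-to-Run build so the CVE-2023-23397 fix (March 2023
#    security update or later) can be confirmed against Microsoft's release notes;
#    patched build numbers differ per update channel, so none is hard-coded here.
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r) { "Office build: $($c2r.VersionToReport)" } else { 'Office Click-to-Run configuration not found' }
```

The Mocky block from the first bullet is intentionally absent: the Windows firewall filters by address, not hostname, so a service like mocky.io belongs on the proxy or DNS blocklist, not in a host script.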


You can check out the most recent mitigation measures by creating an account when you join Fletch.


Communication

On top of mitigation advice, Fletch also provides beta, AI-generated communications so you can brief your different company stakeholders. At the time of publication, this was the recommended wording for the following:
For employees:
For customers:

For more templates for your different stakeholders, create a workspace when you join Fletch.


Takeaway

APT28 remains a formidable cyber-espionage threat, with state backing and mature tooling. Its continued adaptation to defenders' countermeasures demands equally sustained defenses from targeted nations and organizations. 
APT28 is just one example of an ever-evolving threat that requires in-depth cyber intelligence to stay on top of. Fletch keeps track of them all and prioritizes them for you. 
As the de facto record of the threat landscape, our AI engine constantly scans and indexes it for you so you can plug the gaps in your security. You can use Fletch to prioritize your alerts, detect threats to your tech and people early, or simply become an instant expert on any threat at any time. 


Join Fletch and try it for yourself.

Sources

1. CISO2CISO: [Russia-linked APT28 targets government Polish institutions](https://ciso2ciso.com/russia-linked-apt28-targets-government-polish-institutions-source-securityaffairs-com/)

2. Security Affairs: [NATO AND THE EU FORMALLY CONDEMNED RUSSIA-LINKED APT28 CYBER ESPIONAGE](https://securityaffairs.com/162759/apt/nato-eu-condemned-apt28-espionage.html)

3. SOC Prime: [Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America](https://socprime.com/blog/forest-blizzard-aka-fancy-bear-attack-detection-russian-backed-hackers-apply-a-custom-gooseegg-tool-to-exploit-cve-2022-38028-in-attacks-against-ukraine-western-europe-and-north-america/)

4. Rewterz: [APT28 Targets Ukrainian and Polish Governments with Previously Undocumented Malware – Active IOCs](https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt28-targets-ukrainian-and-polish-governments-with-previously-undocumented-malware-active-iocs)

See how much time you can save

Fletch surfaces the 5% of threats that matter to you right now. You’ll have every detail about the threat, what to do about it and what to say. 

Get API access
