{
"type": "bundle",
"id": "bundle--ec0a7754-e051-4501-ab2e-ee012b4b846e",
"spec_version": "2.0",
"objects": [
{
"type": "intrusion-set",
"spec_version": "2.1",
"id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
"created": "2017-05-31T21:31:48.664Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0007",
"external_id": "G0007"
},
{
"source_name": "SNAKEMACKEREL",
"description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)"
},
{
"source_name": "Fancy Bear",
"description": "(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"
},
{
"source_name": "Tsar Team",
"description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)"
},
{
"source_name": "APT28",
"description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"
},
{
"source_name": "STRONTIUM",
"description": "(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"
},
{
"source_name": "FROZENLAKE",
"description": "(Citation: Leonard TAG 2023)"
},
{
"source_name": "Forest Blizzard",
"description": "(Citation: Microsoft Threat Actor Naming July 2023)"
},
{
"source_name": "GruesomeLarch",
"description": "(Citation: Nearest Neighbor Volexity)"
},
{
"source_name": "IRON TWILIGHT",
"description": "(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)"
},
{
"source_name": "Threat Group-4127",
"description": "(Citation: SecureWorks TG-4127)"
},
{
"source_name": "TG-4127",
"description": "(Citation: SecureWorks TG-4127)"
},
{
"source_name": "Pawn Storm",
"description": "(Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020)"
},
{
"source_name": "Swallowtail",
"description": "(Citation: Symantec APT28 Oct 2018)"
},
{
"source_name": "Group 74",
"description": "(Citation: Talos Seduploader Oct 2017)"
},
{
"source_name": "Accenture SNAKEMACKEREL Nov 2018",
"description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.",
"url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"
},
{
"source_name": "Crowdstrike DNC June 2016",
"description": "Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.",
"url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
},
{
"source_name": "Leonard TAG 2023",
"description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.",
"url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"
},
{
"source_name": "US District Court Indictment GRU Oct 2018",
"description": "Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.",
"url": "https://www.justice.gov/opa/page/file/1098481/download"
},
{
"source_name": "GRIZZLY STEPPE JAR",
"description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.",
"url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"
},
{
"source_name": "ESET Zebrocy May 2019",
"description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.",
"url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
},
{
"source_name": "ESET Sednit Part 3",
"description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.",
"url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
},
{
"source_name": "Sofacy DealersChoice",
"description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"
},
{
"source_name": "FireEye APT28 January 2017",
"description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf"
},
{
"source_name": "FireEye APT28",
"description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
"url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
},
{
"source_name": "Ars Technica GRU indictment Jul 2018",
"description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.",
"url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"
},
{
"source_name": "TrendMicro Pawn Storm Dec 2020",
"description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.",
"url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html"
},
{
"source_name": "Securelist Sofacy Feb 2018",
"description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.",
"url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"
},
{
"source_name": "Kaspersky Sofacy",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
"url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
},
{
"source_name": "Nearest Neighbor Volexity",
"description": "Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.",
"url": "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
},
{
"source_name": "Palo Alto Sofacy 06-2018",
"description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
},
{
"source_name": "Talos Seduploader Oct 2017",
"description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.",
"url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
},
{
"source_name": "Microsoft Threat Actor Naming July 2023",
"description": "Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
"url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
},
{
"source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020",
"description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.",
"url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"
},
{
"source_name": "Microsoft STRONTIUM Aug 2019",
"description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.",
"url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/"
},
{
"source_name": "DOJ GRU Indictment Jul 2018",
"description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.",
"url": "https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf"
},
{
"source_name": "Cybersecurity Advisory GRU Brute Force Campaign July 2021",
"description": "NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.",
"url": "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF"
},
{
"source_name": "NSA/FBI Drovorub August 2020",
"description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.",
"url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
},
{
"source_name": "SecureWorks TG-4127",
"description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.",
"url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
},
{
"source_name": "Secureworks IRON TWILIGHT Active Measures March 2017",
"description": "Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.",
"url": "https://www.secureworks.com/research/iron-twilight-supports-active-measures"
},
{
"source_name": "Secureworks IRON TWILIGHT Profile",
"description": "Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.",
"url": "https://www.secureworks.com/research/threat-profiles/iron-twilight"
},
{
"source_name": "Symantec APT28 Oct 2018",
"description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.",
"url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
},
{
"source_name": "Sednit",
"description": "This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)"
},
{
"source_name": "Sofacy",
"description": "This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2026-04-21T13:20:49.866Z",
"name": "APT28",
"description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ",
"aliases": [
"APT28",
"IRON TWILIGHT",
"SNAKEMACKEREL",
"Swallowtail",
"Group 74",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127",
"Forest Blizzard",
"FROZENLAKE",
"GruesomeLarch"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
"x_mitre_version": "5.3",
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Drew Church, Splunk",
"Emily Ratliff, IBM",
"Richard Gold, Digital Shadows",
"S\u00e9bastien Ruel, CGI"
],
"x_mitre_domains": [
"enterprise-attack",
"mobile-attack"
]
}
]
}