Threat Actors
The Russian Bear Unleashed: The Cyber Threat of APT28
Beyond its majestic image, the Russian Bear has a darker side. Delve into the world of cyber espionage and uncover the advanced tactics and tools employed by APT28 to steal sensitive information and disrupt critical systems.
The Russian Bear, a symbol deeply ingrained in Russian culture, is often associated with the Eurasian brown bear. This majestic creature, known for its immense strength and solitary nature, embodies the vast and untamed landscapes of Russia. From the dense forests of Siberia to the remote wilderness of Kamchatka, the Russian Bear roams freely, captivating imaginations and evoking a sense of awe and respect.
APT28, also known as Fancy Bear amongst other aliases, does not evoke the same sense of awe and respect, at least not from a cyber defender's perspective. APT28 is a highly sophisticated cyber espionage group assessed to be linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit.
Estonian and British intelligence services have also associated APT28 with Russian military intelligence (GRU). The United States believes that GRU units 26165 and 74455 form part of this threat actor. APT28 has been active since at least 2004.
Targets and Objectives
APT28 primarily targets:
- Governments
- Military organisations
- Media outlets
- Research institutions
- Private sector companies
The group’s objectives include:
- Gathering intelligence
- Stealing sensitive information
- Disrupting systems
- Influencing political processes
- Criminal financial gain
Tactics, Techniques and Procedures (TTPs)
APT28 is known for its sophisticated and constantly evolving TTPs, which include:
- Spearphishing: They send targeted emails with malicious attachments or links, often disguised as legitimate communications, to trick victims into revealing their credentials or installing malware.
- Exploiting vulnerabilities: They exploit software vulnerabilities in operating systems, applications and network devices to gain unauthorised access to systems. These may include zero-day exploits, taking advantage of vulnerabilities before patches are available.
- Watering hole attacks: They compromise websites frequently visited by target organisations and inject malicious code to deliver malware to visitors.
- Credential harvesting: They create spoofed websites mimicking legitimate organisations to steal user credentials.
- Brute-force attacks: They use brute-force techniques, including password spraying, to gain access to accounts.
- Lateral movement: Once inside a network, they move laterally to other systems using techniques such as pass-the-hash and exploiting the EternalBlue vulnerability, expanding their access and searching for valuable data.
- Data exfiltration: They steal sensitive information such as intellectual property, trade secrets and personal data, often using encrypted channels to avoid detection.
- Command and control (C2) infrastructure: They utilise various protocols, including HTTP and DNS, to communicate with malware and exfiltrate data, making it difficult to detect and block their activities. They may also leverage compromised infrastructure, including routers and network devices, to act as C2 servers.
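The brute-force and credential-harvesting TTPs above leave a recognisable trace in authentication logs: a single source failing logons against many distinct accounts in a short window (password spraying), as opposed to many failures against one account. The following detector is an added example for illustration, not code from the original article or from any APT28 tooling; the log format, field layout and sample events are constructed.

```python
"""Flag possible password spraying in authentication logs.

Added example, not part of the original article. A source that fails
logons against at least `min_accounts` distinct accounts inside `window`
is reported; a source hammering one account (classic brute force) is not.
The log format (timestamp, source IP, account, outcome) and the events
below are constructed samples, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: 10.0.0.5 sprays one guess across six accounts,
# 10.0.0.9 retries a single account (not spraying).
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.5 alice FAIL
2024-03-01T09:00:03 10.0.0.5 bob FAIL
2024-03-01T09:00:05 10.0.0.5 carol FAIL
2024-03-01T09:00:07 10.0.0.5 dave FAIL
2024-03-01T09:00:09 10.0.0.5 erin FAIL
2024-03-01T09:00:11 10.0.0.5 frank SUCCESS
2024-03-01T09:00:02 10.0.0.9 alice FAIL
2024-03-01T09:00:04 10.0.0.9 alice FAIL
2024-03-01T09:00:06 10.0.0.9 alice SUCCESS
"""

def parse(line):
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user.lower(), outcome

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source whose
    failed logons cover at least `min_accounts` accounts within `window`."""
    failures = defaultdict(list)  # src -> [(timestamp, account)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = parse(line)
        if outcome == "FAIL":
            failures[src].append((ts, user))
    hits = {}
    for src, events in failures.items():
        events.sort()  # sliding window needs time order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

A successful logon from a flagged source (frank above) is the event to escalate first, since it marks the account the spray actually opened.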
Notable Malware and Tools
APT28 uses a range of custom-developed and publicly available malware and tools, including:
- Sednit/Sofacy: A modular suite of malware tools designed for surveillance, data theft and persistence.
- XAgent: A remote access trojan (RAT) that runs on iOS, Unix and Windows and currently protects its communications with SSL/TLS. XAgent performs keylogging and file exfiltration.
- X-Tunnel: A network tunnelling tool used to create encrypted tunnels for secure data exfiltration.
- CompuTrace/Lojack: Legitimate software modified by APT28 to enable persistence.
- Responder: An open source tool used to facilitate NetBIOS Name Service (NBT-NS) poisoning and steal usernames and hashed passwords.
- EternalBlue: An exploit for a vulnerability in Microsoft’s SMB protocol, used for lateral movement.
- Empire: A post-exploitation framework, including PowerShell and Python versions, used for various malicious activities.
Notable Attacks
APT28 has been linked to several high-profile cyberattacks, including:
- Interference in the 2016 US presidential election: The group targeted the Democratic National Committee (DNC) and the Hillary Clinton campaign, stealing sensitive emails and other information that were later leaked to the public.
- Attack on the German parliament in 2015: This attack involved data theft and the disruption of email accounts belonging to German Members of Parliament (MPs) and the Vice Chancellor.
- Attempted attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) in 2018: This attack was intended to disrupt independent analysis of chemical weapons used by the GRU in the UK.
- Compromising a satellite communications provider in 2023: This intrusion targeted a provider with critical infrastructure customers.
- Targeting the hospitality sector in 2017: APT28 targeted hotels throughout Europe and the Middle East, using techniques such as sniffing passwords from Wi-Fi traffic and spreading laterally via EternalBlue.
Mitigating the Threat
Organisations can take steps to mitigate the threat posed by APT28 and other advanced persistent threats:
- Implement strong password policies: Enforce strong, unique passwords for all accounts and implement multi-factor authentication where possible.
- Keep systems and software up to date: Regularly patch systems and applications to address known vulnerabilities.
- Educate employees on security best practices: Train employees on how to identify and avoid phishing attacks and other social engineering tactics.
- Network segmentation: Divide networks into smaller segments to limit the impact of a potential breach.
- Employ advanced security tools: Utilise intrusion detection systems, firewalls, endpoint protection solutions, and security information and event management (SIEM) systems to detect and respond to malicious activity.
- Develop and test incident response plans: Establish procedures for responding to security incidents and regularly test these plans.
- Threat intelligence sharing: Participate in information sharing with other organisations and industry groups to stay informed about the latest threats and TTPs.