
APT28

Posted: October 8, 2019

APT28 is a Russian state-sponsored threat actor that specializes in espionage. It collects information with a family of advanced tools, including backdoor Trojans and rootkits, and compromises its victims largely through phishing lures. Workers in targeted sectors should keep security patches current, learn to recognize phishing tactics, and run anti-malware services capable of removing the threats that APT28's operators deploy.

Bears Roaming the World on Trojan Legs

The impracticality of manually detecting Trojan attacks is well illustrated by the long-term behavior of APT28, a group of hackers with ties to Russian military intelligence. Over the years, the threat actor's strategy has swung between deliberately high-visibility operations and low-key, stealth-based ones. Throughout, the hackers have employed an extensive collection of Trojans and other threats, all of which help them collect information, whether for leaking to the public or for other purposes.

APT28 goes by a range of aliases, including Fancy Bear, Swallowtail, STRONTIUM, Tsar Team and Grizzly Steppe (the last being the U.S. government's label for a broader Russian intelligence campaign that included APT28's activity). This collection of labels is partly a result of APT28 having operated since 2007, although its most notorious attacks didn't arrive until around 2016. APT28's campaigns target entities opposed to Russian state interests, including government embassies, military networks and political organizations, throughout North America, South America and Europe.

Although a complete list of its techniques and Trojan toolkits would be unwieldy, malware experts do stress some of the most consistently recurring aspects of APT28 attacks. The hackers often exploit zero-day vulnerabilities for which no patch yet exists, wield Trojans that run on both Windows and Mac environments, and favor e-mail phishing. A traditional APT28 lure is a fake security alert urging the recipient to change a password, with a link that collects the victim's credentials. From that foothold, APT28 escalates to dropping additional, more capable threats and spreading through the network.

The Bear that Prefers Data to Salmon

APT28's best-known attacks involve leaking Democratic National Committee information, with deliberate efforts to publicize their involvement. Other APT28 operations, however, remain in 'stealth mode' and are designed to avoid attribution or drawing notice. Some of the Trojans and other threats that malware analysts associate with APT28 include, among others:

  • Sednit, or Sofacy, is a backdoor Trojan family that also includes data-collecting features such as keylogging.
  • The Chopstick backdoor is a possible update of Sednit that fulfills similar functions.
  • LoJax is one of the more recent additions: a UEFI rootkit that lives in the system firmware and therefore survives OS reinstalls and disk replacement, giving the attackers long-term persistence.
  • XTunnel provides network-tunneling capabilities for transferring information between compromised systems and APT28's Command & Control servers.

Given APT28's ongoing activity, workers in targeted organizations should carefully inspect e-mails for potential phishing lures from these hackers. In many cases, the malicious link is routed through a URL-shortening or obscuring service, so the true destination is not visible in the message. Anti-malware services should block the malicious domains and attachments, and disinfect PCs compromised by APT28's attacks.

APT28 isn't going to be any less fancy, or any less well-funded, any time soon. As long as opposing state interests exist, their digital arms, which APT28 represents so well, will claw at any target that isn't minding basic security protocols.
