APT28

Posted: October 8, 2019

APT28 Description

APT28 is a Russian state-sponsored threat actor that specializes in espionage. The group collects information with a family of custom tools, including backdoor Trojans and a UEFI rootkit, and relies on phishing lures to compromise its victims. Organizations in targeted sectors should apply security patches promptly, train staff to recognize phishing, and run anti-malware software to detect and remove the threats APT28 deploys.

Bears Roaming the World on Trojan Legs

The impracticality of detecting Trojan attacks manually is well illustrated by the long-term behavior of APT28, a group of hackers with ties to Russian military intelligence. Over the years, the threat actor's strategies have swung between deliberately high-visibility operations and low-key, stealth-oriented ones. Throughout, the hackers have employed an extensive collection of Trojans and other threats, all of which help them collect information for leaking to the public and for other purposes.

APT28 is known by a range of aliases, including Fancy Bear, Swallowtail, STRONTIUM, Tsar Team, Sofacy and Sednit, and its activity also falls under Grizzly Steppe, the US government's umbrella name for Russian state-sponsored intrusions. This collection of labels is partly a consequence of the group's having operated since at least 2007, although its most notorious attacks didn't arrive until around 2016. APT28 campaigns target entities opposed to Russian state interests, including government embassies, military networks and political organizations, throughout North America, South America and Europe.

Although a complete list of its techniques and Trojan toolkits would be unwieldy, malware experts do stress some of the most consistently recurring aspects of APT28 attacks. The hackers exploit zero-day vulnerabilities for which no patch yet exists, wield Trojans built for both Windows and Mac environments, and favor e-mail phishing. Typical lures are fake password-change security alerts that harvest the victims' credentials. From that foothold, APT28 escalates to dropping its backdoors and spreading through the network.

The Bear that Prefers Data to Salmon

APT28's best-known attacks involve leaking Democratic National Committee information, with deliberate efforts to publicize its involvement. Other APT28 operations, however, remain in 'stealth mode' and are designed to avoid attribution or any notice of their activity. Some of the Trojans and other threats that malware analysts attribute to APT28 include, among others:

  • Sednit or Sofacy is a backdoor Trojan family (ESET and Kaspersky also use these names for the group itself) that includes data-collecting features like keylogging.
  • The Chopstick backdoor, also tracked as X-Agent, is a modular successor that fulfills similar functions.
  • LoJax is one of the more recent additions: a UEFI rootkit, built from a trojanized copy of the legitimate LoJack anti-theft agent, that gives the attackers persistence surviving operating-system reinstalls and disk replacement.
  • XTunnel offers network-tunneling capabilities for relaying traffic between compromised systems and APT28's Command & Control servers.

Given APT28's ongoing activity, workers in targeted organizations should inspect e-mails carefully for phishing lures. In most cases, malicious links are hidden behind a URL-obscuring or shortening service, so the displayed link text gives no clue about the real destination. Anti-malware services should block malicious domains and attachments, and disinfect PCs compromised by APT28's attacks.
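The two link tricks described above, a shortener that hides the destination and anchor text that shows one host while the href points at another, are mechanical enough to screen for automatically before a human ever reads the mail. The following is an added example written for this article, not APT28 tooling and not vendor code; the shortener list, the `example.com` hosts and the sample HTML body are all constructed for illustration, and the registered-domain helper is a deliberate simplification that a real deployment would replace with a public-suffix list.

```python
"""Flag phishing-style links in an HTML e-mail body.

Two checks, matching the two lures discussed in the article:
  1. the href host is a known URL-shortening service, so the true
     destination is hidden from the reader;
  2. the visible anchor text names a host (e.g. accounts.example.com)
     whose registered domain differs from the host the href really
     points at.
Added example code; the shortener list and sample message are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small hand-picked set of public shorteners. Feed this from
# your own threat-intel sources in practice.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Matches a bare host or URL inside anchor text, e.g. "https://accounts.example.com".
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def host_of(url):
    """Lowercase hostname of a URL, or '' when the URL has none."""
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude 'example.com' from 'a.b.example.com'.

    Assumption/simplification: two-label public suffixes such as co.uk
    are not handled; use a public-suffix list for production.
    """
    return ".".join(host.split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body):
    """Return a list of (href, reason) for links that deserve a human look."""
    parser = _LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if target in SHORTENER_HOSTS:
            findings.append((href, "url shortener hides destination"))
        shown = _HOST_IN_TEXT.search(text.lower())
        if shown and target and registered_domain(shown.group(1)) != registered_domain(target):
            findings.append((href, f"displays {shown.group(1)} but links to {target}"))
    return findings


# Constructed sample: a fake password-expiry lure with three links. Only the
# first two should be flagged; the third is a consistent, legitimate-looking link.
SAMPLE_BODY = """
<p>Your password expires today. <a href="https://bit.ly/3xAmpl3">Change password</a></p>
<p>Or sign in at <a href="http://accounts-example.com.attacker.invalid/login">https://accounts.example.com</a></p>
<p>Questions? See <a href="https://help.example.com/security">help.example.com</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_BODY):
        print(f"SUSPICIOUS {href}: {reason}")
```

Running the script on the constructed sample reports the shortener link and the look-alike `accounts-example.com.attacker.invalid` link, and stays quiet on the third link, whose text and href agree. The mismatch check compares registered domains rather than full hosts so that `mail.example.com` shown as `example.com` is not a false positive.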

APT28 isn't going to become any less fancy, or any less well-funded, any time soon. As long as opposing state interests exist, their digital arms, which APT28 represents so well, will claw at any targets that neglect basic security practices.
