Fancy Bear, also known as APT28, is a notorious Russian cyberespionage group with a long history of targeting governments, military entities, and other high-value organizations worldwide. Active since 2007, they are infamous for their stealthy and well-coordinated cyberattacks. Fancy Bear has been implicated in attempts to influence election processes in the U.S., France, and Germany.
Aliases: Fancy Bear, APT 28, APT-28, APT28, Blue Athena, BlueDelta, FROZENLAKE, Fighting Ursa, Forest Blizzard, Group 74, IRON TWILIGHT, ITG05, Pawn Storm, SIG40, STRONTIUM, Sednit, Sofacy, Sofacy Group, Strontium, Swallowtail, TA422, TG-4127, Threat Group-4127, Tsar Team, UAC-0028, Unit 26165, Unit 74455
Motivation: Financial Gains, Reputational Damage, Espionage, Political Agenda
Targeted Countries
Afghanistan, Brazil, Cambodia, France, Georgia, Germany, India, Indonesia, Kazakhstan, Malaysia, Moldova, Pakistan, Romania, Russia, South Africa, Syria, Thailand, Turkey, Ukraine, United States, Vietnam, and Australia.
Malware used by Fancy Bear:
Zebrocy, Sofacy, X-Agent, CHOPSTICK, CORESHELL, JHUHUGIT, ADVSTORESHELL, Drovorub, Skinnyboy
Fancy Bear Campaigns Tracked by CYFIRMA
MITRE ATT&CK Techniques used by Fancy Bear
Tactic | Techniques
--- | ---
Reconnaissance | T1598, T1595.002, T1589.001, T1598.003
Resource Development | T1583.006, T1588.002, T1583.001, T1586.002
Initial Access | T1189, T1133, T1199, T1078, T1566.001, T1566.002, T1078.004, T1091, T1190
Execution | T1203, T1059.003, T1204.001, T1059.001, T1204.002, T1559.002
Persistence | T1505.003, T1542.003, T1037.001, T1133, T1078, T1078.004, T1137.002, T1546.015, T1098.002, T1547.001
Privilege Escalation | T1068, T1037.001, T1078, T1078.004, T1546.015, T1547.001, T1134.001
Defense Evasion | T1027, T1211, T1036, T1070.001, T1014, T1221, T1078, T1078.004, T1564.001, T1564.003, T1134.001, T1218.011, T1542.003, T1036.005, T1550.002, T1550.001, T1140, T1070.004, T1070.006
Credential Access | T1110.003, T1110.001, T1003, T1110, T1040, T1528, T1003.003, T1003.001, T1056.001
Discovery | T1057, T1120, T1040, T1083
Lateral Movement | T1210, T1550.002, T1021.002, T1550.001, T1091
Collection | T1213, T1005, T1025, T1113, T1560, T1560.001, T1119, T1039, T1056.001, T1074.001, T1114.002, T1074.002, T1213.002
Command and Control | T1573.001, T1071.001, T1102.002, T1090.003, T1071.003, T1090.002, T1092, T1105, T1001.001
Exfiltration | T1048.002, T1030, T1567
Impact | T1498
Recently Exploited Vulnerabilities by Fancy Bear
CVE-2024-21412, CVE-2023-32315, CVE-2023-38831, CVE-2023-36025, CVE-2023-23397, CVE-2023-27351
Fancy Bear’s Recent Campaign Highlights and Trends
- They are believed to be exploiting a security flaw in Microsoft Outlook, as well as vulnerabilities in the Windows Print Spooler service that allow them to gain elevated privileges on targeted systems.
- The Print Spooler vulnerability has also been used to deliver malware named ‘GooseEgg’, which has specifically targeted governmental organizations, NGOs, and the education and transportation sectors across Ukraine, Western Europe, and North America.
- Widespread password spraying: APT28 has been using Kubernetes clusters to conduct large-scale brute-force attacks on global organizations by exploiting weak passwords. This method has been effective against Microsoft cloud services and other email providers.
- Threat actors are employing a new technique involving the “search-ms” URI handler to deliver phishing payloads, which has been linked to multiple attacks involving lure documents.
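A defender-side check for the password-spraying pattern described in the third highlight (T1110.003 in the technique table). This is an added example, not CYFIRMA's code or anything from the group; the log format and sample lines are constructed, and the window and thresholds are assumptions to tune per environment.

```python
# Password-spray detection (ATT&CK T1110.003) over authentication logs.
# Added example, not CYFIRMA's or the group's code. The log format is
# constructed: '<UTC timestamp> <source_ip> <account> <SUCCESS|FAILURE>'.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries many accounts once each (spray), then
# logs in as one of them; 198.51.100.2 is one user mistyping their own
# password and must not be flagged.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 203.0.113.7 alice FAILURE
2024-05-01T08:00:02Z 203.0.113.7 bob FAILURE
2024-05-01T08:00:03Z 203.0.113.7 carol FAILURE
2024-05-01T08:00:04Z 203.0.113.7 dave FAILURE
2024-05-01T08:00:05Z 203.0.113.7 erin FAILURE
2024-05-01T08:00:06Z 203.0.113.7 frank SUCCESS
2024-05-01T08:10:00Z 198.51.100.2 alice FAILURE
2024-05-01T08:10:05Z 198.51.100.2 alice FAILURE
2024-05-01T08:10:09Z 198.51.100.2 alice SUCCESS
"""

def parse(log_text):
    # Return (timestamp, src_ip, account, result) tuples in time order.
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag a source with >= min_accounts distinct failed accounts in one window and
    <= max_per_account failures each: many accounts, few tries per account is the
    spray signature (classic brute force is the inverse). Thresholds are assumed."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, src, user, result in events:
        (fails if result == "FAILURE" else successes)[src].append((ts, user))
    alerts = []
    for src, f in fails.items():
        start = 0
        for end in range(len(f)):  # sliding time window over this source's failures
            while f[end][0] - f[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in f[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                # a success from the same source after the spray began is the case to escalate
                hits = sorted(u for ts, u in successes[src] if ts >= f[start][0])
                alerts.append({"src": src, "accounts": sorted(per_user), "success_after": hits})
                break
    return alerts
```

Run against real logs, one alert per source is emitted once the window fills, with any later successful logon from that source listed under `success_after`.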
Source: Original Post