himynamesdave/APT28-Center-of-Storm-2017.txt

## APT28-Center-of-Storm-2017.txt
FIREEYE ISIGHT INTELLIGENCE

APT28:
AT THE CENTER
OF THE STORIE

RUSSIA STRATEGICALLY EVOLVES
ITS CYBER OPERATIONS :

SPECIAL REPORT / JANUARY 2017

CONTENTS

Introduction
Overview

APT28 Targeting And Intrusion Activity

Table 1- APT28 Targeting of Political Entities and Intrusion Activity

Table 2 - APT28 Network Activity Has Likely Supported
Information Operations

From Olympic Slight to Data Leak:
Investigating APT28 at the World Anti-Doping Agency

Conclusion

Appendix
INTRODUCTION

The Democratic National Committee's (DNC) June
2016 announcement attributing its network breach
to the Russian Government triggered an international
debate over Russia's sponsorship of information
operations against the U.S.

At issue is the question of proof: did the Russian Government direct the group
responsible for the breaches and related data leaks? If so, is this simply a matter
of accepted state espionage, or did it cross a line? Was the DNC breach part
of a concerted effort by the Russian Government to interfere with the U.S.
presidential election?

Unfortunately, we have failed to ask the most consequential question: how will

Russia continue to employ a variety of methods, including hacks and leaks,

to undermine the institutions, policies, and actors that the Russian Government
perceives as constricting and condemning its forceful pursuit of its state aims?

Our visibility into the operations of APT28 - a group we belie

Government sponsors - has given us insight into some ©

targets, as well as its objectives and the activities ¢

We have tracked and profiled this group through

and network detections, and continuous monitori

operations, which date to at least 2007, has allowed us tc

malware, operational changes, and motivations. This intelligence 5

to protecting and informing our clients, exposing this threat, and strengthening
our confidence in attributing APT28 to the Russian Government.

OVERVIEW

On December 29, 2016, the Department of Homeland Security (DHS)
and Federal Bureau of Investigation (FBI) released a Joint Analysis
Report confirming FireEye’s long held public assessment that the Russian
Government sponsors APT28. Since at least 2007, APT28 has engaged

in extensive operations in support of Russian strategic interests.

The group, almost certainly compromised of a sophisticated and prolific
set of developers and operators, has historically collected intelligence on
defense and geopolitical issues. APT28 espionage activity has primarily
targeted entities in the U.S., Europe, and the countries of the former
Soviet Union, including governments and militaries, defense attaches,
media entities, and dissidents and figures opposed to the current Russian
Government.

Over the past two years, Russia appears to have increasingly leveraged
APT28 to conduct information operations commensurate with broader
strategic military doctrine. After compromising a victim organization,
APT28 will steal internal data that is then leaked to further political
narratives aligned with Russian interests. To date these have included

the conflict in Syria, NATO-Ukraine relations, the European Union refugee
and migrant crisis, the 2016 Olympics and Paralympics Russian athlete
doping scandal, public accusations regarding Russian state-sponsored
hacking, and the 2016 U.S. presidential election.

This report details our observations of APT28’s

targeting, and our investigation into a related
breach. We also provide an update on shifts in the y,
group's tool development and use, and summarize :
the tactics APT28 employs to compromise its victims.

SPECIAL REPORT / APT28: AT THE CENTER OF THE STORM 2
APT28 TARGETING AND
INTRUSION ACTIVITY

In October 2014, FireEye released APT28: A Window into
Russia's Cyber Espionage Operations? and characterized
APT28's activity as aligning with the Russian Government's
strategic intelligence requirements. While tracking APT28,
we noted the group's interest in foreign governments and
militaries, particularly those of European and Eastern
European nations, as well as regional security organizations,
such as the North Atlantic Treaty Organization (NATO)
and the Organization for Security and Cooperation

in Europe (OSCE), among others. Table 1 highlights

some recent examples of this activity.

SPECIAL REPORT / Al

AT THE CENTER OF THE S

TABLE 1: APT28 TARGETING OF POLITICAL ENTITIES AND INTRUSION ACTIVITY

ENTITY

OSCE

TIMEFRAME

NOVEMBER 2016

APT28 TARGETING AND INTRUSION ACTIVITY

The OSCE confirmed that it had suffered an intrusion,
which a Western intelligence service attributed to APT28.!

Germany's Christian
Democratic Union (CDU)

APRIL - MAY 2016

Researchers at Trend Micro observed APT28 establish a fake

CDU email server and launch phishing emails against CDU
members in an attempt to obtain their email credentials and access
their accounts.?®

Pussy Riot

AUGUST 2015

APT28 targets Russian rockers and dissidents Pussy Riot via
spear-phishing emails.“

NATO, Afghan Ministry

APT28 used two domains (nato-news.com and bbc-news.org) to host

of Foreign Affairs, Pakistani JULY 2015 an Adobe Flash zero-day exploit to target NATO, the Afghan Ministry
Military of Foreign Affairs, and the Pakistani military.
Germany's Federal Office for Security in Information Technology (BSI)
announced that APT28 was likely responsible for the spear phishing
German Bundestag JUNE 2015 emails sent to members of several German political parties. The head

& Political Parties

of Germany’s domestic intelligence agency, Bundesamt fur Ver-
fassungsschutz (BfV), also attributed the June 2015 compromise of
the Bundestag’s networks to APT28.5¢

Kyrgyzstan Ministry
of Foreign Affairs

OCTOBER 2014
THROUGH
SEPTEMBER 2015

FireEye iSight Intelligence identified changes made to domain name
server (DNS) records that suggest that APT28 intercepted email traf-
fic from the Kyrgyzstan Ministry of Foreign Affairs after maliciously
modifying DNS records of the ministry’s authoritative DNS servers.

Polish Government & Power
Exchange websites

JUNE AND
SEPTEMBER 2014

APT28 employed “Sedkit” in conjunction with strategic web compro-
mises to deliver “Sofacy” malware on Polish Government websites,
and the websites of Polish energy company Power Exchange.”

Gauquelin, Blaise. “La Russie soupconnée détre responsable d'un piratage informatique contre OSCE.” Le Monde. 28 Dec. 2016. Web. 29 Dec. 2016.
Trend Micro refers to activity corresponding to Fire Eye's APT28 as “Pawn Storm.”
Hacquebord Feike. "Pawn Storm Targets German Christian Democratic Union.” Trend Micro. 11 May 2016. Web. 28 Dec. 2016.

Hacquebord Feike. "Pawn Storm's Domestic Spying Campaign Revealed; Ukraine and US Top Global Targets.” TrendLabs Security Intelligence Blog, Trend Micro. 18 August 2015. Web. 29 Dec. 2016
“Neuer Hackerangriff auf Bundespolitiker / BSI warnt Parteien vor Cyberangriffen.” Westdeutscher Rundfunk. 20 Sept. 2016. Web. 29 Dec. 2016.

“Russia ‘was Behind German Parliament Hack.” The BBC. 13 May 2016. Web. 28 Dec. 2016
Kharouni, Loucif. et al. “Operation Pawn Storm: Using Decoys to Evade Detection.” Trend Micro. 22 Oct. 2014. Web. 3 Jan. 2017.

SPECIAL REPORT / APT28: AT THE CENTER OF THE STORM 4
Since 2014, APT28 network activity has likely supported
information operations designed to influence the domestic
politics of foreign nations. Some of these operations have
involved the disruption and defacement of websites, false flag
operations using false hacktivist personas, and the theft of
data that was later leaked publicly online.

Table 2 highlights incidents in which victims suffered

a compromise that FireEye ISIGHT Intelligence, other
authorities, or the victims themselves later attributed to the
group we track as APT28. All of these operations have aimed
to achieve a similar objective: securing a political outcome

beneficial to Russia.

TABLE 2: APT28 NETWORK ACTIVITY HAS LIKELY SUPPORTED INFORMATION OPERATIONS

VICTIM

TIMEFRAME

APT28 NETWORK ACTIVITY

ASSOCIATED INFORMATION OPERATIONS
ACTIVITY

World Anti-Doping
Agency (WADA)

SEPTEMBER 2016

On September 13, WADA confirmed that APT28
had compromised its networks and accessed
athlete medical data.®

On September 12, 2016, the “Fancy Bears’ Hack Team” persona
claimed to have compromised WADA and released athletes’
medical records as “proof of American athletes taking dop-
ing.”®

U.S. Democratic National
Committee (DNC)

APRIL -
SEPTEMBER 2016

The DNC announced it had suffered a network
compromise and that a subsequent investigation
found evidence of two breaches, attributed to
APT28 and APT29. FireEye analyzed the mal-
ware found on DNC networks and determined
that it was consistent with our previous cbserva-
tions of APT28 tools"

In June 2016, shortly after the DNC’s announcement, the Gu-
ccifer 2.0 persona claimed responsibility for the DNC breach
and leaked documents taken from the organization's network
Guccifer 2.0 continued to leak batches of DNC documents
through September 21

John Podesta

MARCH -
NOVEMBER 2016

Investigators found that John Podesta, Hillary
Clinton's presidential campaign chairman, was
one of thousands of individuals targeted in a
mass phishing scheme using shortened URLS
that security researchers attributed to APT28.¢

Throughout October and into early November, WikiLeaks pub-
lished 34 batches of email correspondence stolen from John
Podesta’s personal email account. Correspondence of other
individuals targeted in the same phishing campaign, including
former Secretary of State Colin Powell and Clinton campaign
staffer William Rinehart, were published on the

“DC Leaks” website's

U.S. Democratic
Congressional Campaign
Committee (DCCC)

MARCH -
OCTOBER 2016

In July, the DCCC announced that it was investi-
gating an ongoing “cybersecurity incident” that
the FBI believed was linked to the compromise
of the DNC. House Speaker Nancy Pelosi

later confirmed that the DCCC had suffered a
network compromise. Investigators indicated
that the actors may have gained access to DCCC
systems as early as March, 8718

In August, the Guccifer 2.0 persona contacted reporters cov-
ering U.S. House of Representative races to announce newly
leaked documents from the DCCC pertaining to Democratic
candidates. From August tc October, Guccifer 2.0 posted sev-
eral additional installments of what appear to be internal DCCC
documents on “his” WordPress site.'®2°

TV5Monde

FEBRUARY 2015,
APRIL 2015

In February, FireEye identified CORESHELL
traffic beaconing from TV5Maonde’s network,
confirming that APT28 had compromised TV-
SMonde’s network

In April 2015, alleged pro-1SIS hacktivist group CyberCaliphate
defaced TV5Monde’s websites and social media profiles and
forced the company’s 11 broadcast channels offline. FireEye
identified overlaps between the domain registration details of
CyberCaliphate’s website and APT28 infrastructure 2

Ukrainian Central
Election Commission
(CEC)

MAY 2014

Ukrainian officials revealed that the investigation
into the compromise of the CEC’s internal net-
work identified malware traced to APT28 22

During the May 2014 Ukrainian presidential election, purported
pro-Russian hacktivists CyberBerkut conducted a series of mali-
cious activities against the CEC including a system compromise,
data destruction, a data leak, a distributed denial-of-service
(DDoS) attack, and an attempted defacement of the CEC web-
site with fake election results.

“WADA Confirms Attack by Russian Cyber Espionage Group.” World Anti-Doping Agency. 13 Sept. 2016. Web. 29 Dec. 2016
Fancy Bears’ HT (fancybears). "@AnonPress Greetings. We hacked #WADA. We have Proof of American Athletes taking doping. Fancybear.net.” 12 Sept. 2016, 412 PM. Tweet
Crowdstrike refers to activity corresponding to FireEye's APT28 and APT29 as “Fancy Bear” and “Cozy Bear,” respectively.
“Nakashima, Ellen. “Cyber Researchers Confirm Russian Government Hack of Democratic National Committee.” The Washington Post. 20 June 2016. Web. 29 Dec. 2016
“Rid, Thomas. “All Signs Point to Russia Being Behind the DNC Hack.” Motherboard, Vice. 25 July 2016. Web. 29 Dec. 2016
“Bennett, Cory. “Guccifer 2.0 Drops More DNC Docs.” Politico. 13 Sept. 2016. Web. 2 Jan. 2017. <>

Perlroth, Nicole. Shear, Michael D. “Private Security Group Says Russia was Behind John Podesta’s Email Hack” The New York Times. 21 Oct. 2016. Web. 2 Jan. 2017.
“Franceschi-Bicchierai, Lorenzo. "How Hackers Broke Into John Podesta and Colin Powell's Gmail Accounts.” 20 Oct. 2016. Web. 2 Jan. 2017.

“Nakashima, Ellen. “FBI Probes Suspected Breach of Another Democratic Organization by Russian Hackers.” The Washington Post. 29 July 2016. Web. 29 Dec. 2016.

“Pelosi, Nancy. “DCCC Cyber Breach.” 13 August 2016. Email. U.S. House of Representatives. Washington, DC. Politico. Web. 29 Dec. 2016.

“Lipton, Eric. Shane, Scott. “Democratic House Candidates Were Also Targets of Russian Hacking.” The New York Times. 13 Dec. 2016. Web. 29 Dec. 2016.

Ibid.

SPECIAL REPORT / APT28: AT THE CENTER OF THE STORM 5
FROM OLYMPIC SLIGHT TO DATA LEAK:
Investigating APT28 at the World Anti-Doping Agency

As news of the DNC breach spread, APT28 was preparing for another set
of operations: countering the condemnation that Russia was facing after
doping allegations and a threatened blanket ban of the Russian team
from the upcoming Rio Games. Russia, like many nations, has long viewed
success in the Olympic Games as a source of national prestige and soft
power on the world stage. The doping allegations and prospective ban
from the Games further ostracized Russia, and likely provided motivation
to actively counter the allegations by attempting to discredit anti-doping
agencies and policies. Our investigation of APT28’s compromise of
WADA's network, and our observations of the surrounding events reveal
how Russia sought to counteract a damaging narrative and delegitimize
the institutions leveling criticism.

ALLEGATIONS OF RUSSIAN ATHLETES’ WIDESPREAD DOPING

NOV (2015)

WADA declares the
Russian Anti-Doping
Agency (RUSADA) non-
compliant.24

JULY 18

WADA-commissioned
report documents
evidence of Russian
athletes’ widespread
doping.?®

APT28 COMPROMISES WADA

EARLY AUG

APT28 sends spear
phishing emails to
WADA employees. ?

AUG 10

APT28 uses a legitimate
user account belonging
to a Russian athlete to
log into WADA’s Anti-
Doping Administration
and Management
System (ADAMS)
database. ®

AUG 4

Russian athletes were
barred from competing
in the Olympic Games.?®

AUG 25-SEP 12

APT28 gains access

to an International
Olympic Committee
account created
specifically for the 2016
Olympic Games, and
views and downloads
athlete data.?®
FALSE HACKTIVIST PERSONAS CLAIM TO TARGET WADA, LEAK ATHLETE DATA

AUG 9

The actor
@anpoland,
purporting to
represent
“Anonymous Poland,
claims to have
defaced the

WADA website. ©

Based on this timeline of leak and threatened leak
activity, as well as strikingly similar characteristics and
distribution methods shared between @anpoland and
“Fancy Bears’ Hack Team,” the same operators are highly
likely behind the two personas. WADA officials, citing
evidence provided by law enforcement, stated that the

AUG

On August 11
@anpoland threatens
to conduct a DDoS
attack against and
leak data from WADA,
but fails to follow
through on the
threats.s!s2

SEP 12

“Fancy Bears Hack
Team”, a previously
unknown group
purporting to

be affiliated with
Anonymous, claims
via Twitter to have
compromised WADA,
and directs readers
to a website hosting
stolen documents.*3

In tweets to
international
journalists and
Twitter accounts
that disseminate
hacktivist and
information security
news, “Fancy Bears’
Hack Team” claims
to have "proof of
American athletes
taking doping.”**

threat activity originated in Russia, possibly in retaliation

SERRE!

WADA releases a
statement confirming
the breach and
attributes the
compromise and
theft of athlete
medical data

to APT28.%5

SEP 15-30

“Fancy Bears’ Hack
Team” releases five
additional batches
of medical files for
high-profile athletes
from multiple nations,
including the U.S,
which had applied
for and received
Therapeutic Use
Exemptions (TUES)
for medications
otherwise banned
from competition .3®

Claiming to support
“fair play and clean
sport,” Fancy Bears’
Hack team calls TUEs
“licenses for doping.”?”

for WADA's exposure of Russia's expansive, state-run
doping.*® The statement prompted denials from the
Russian Government, with Russian sports minister
Vitaly Mutko asking, “How can you prove that the
hackers are Russian? You blame Russia for everything,
itis very in fashion now.”*?

Gallagher, Sean. “Guccifer 20 Posts DCCC Docs, Says They're From Clinton Foundation.” Ars Technica. 4 Oct. 2016. Web. 3 Jan. 2017.

“Russian Hackers Suspected in French TV Cyberattack” Deutsche Welle. 6 Oct. 2015. Web. 29 Dec. 2016.

Joselow, Gabe. “Election Cyberattacks: Pro-Russia Hackers Have Been Accused in Past.” NBC News. 3 Nov. 2016. Web. 29 Dec. 2016.

Clayton, Mark. “Ukraine Election Narrowly Avoided "Wanton Destruction’ From Hackers (+Video).” The Christian Science Monitor. 17 June 2014. Web. 2 Jan. 2017.

“Foundation Board Media Release: WADA Strengthens Anti-Doping Worldwide.” World Anti-Doping Agency. 18 November 2015.

“Russia State-Sponsored Doping Across Majority of Olympic Sports, Claims Report.” The BBC. 18 July 2016. Web. 29 Dec. 2016
Macguire, Eoghan. Almasy, Steve. “271 Russian Athletes Cleared for Rio Games.” CNN. 5 August 2016. Web. 29 Dec. 2016.
“Cyber Security Update: WADA's Incident Response.” World Anti-Doping Agency. 5 Oct. 2016. Web. 3 Jan. 2017.

“WADA Confirms Attack by Russian Cyber Espionage Group.” World Anti-Doping Agency. 13 Sept. 2016

“WADA Confirms Another Batch of Athlete Data Leaked by Russian Cyber Hackers ‘Fancy Bear” World Anti-Doping Agency. 14 Sept. 2016. Web. 29 Dec. 2016. <>
[OP PLI "wwwi.tas-cas.org.” Online video clip. YouTube. YouTube, 9 Aug. 2016. Web. 3 Jan. 2017.
Anonymous Poland (@anpoland). "@Cryptomeorg @ben_rumsby @PogoWasRight @Jason_A_Murdock @Cyber_War_News @kevincollier Tomorrow will ddos WADA and publish some secret dosc.” 11 Aug 2016 10:10

AM. Tweet.

Anonymous Poland (@an poland). “@JoeUchill within a few days will be new attack on the WADA/Climpic” 5 Sept. 2016 519 AM. Tweet.

Fancy Bears’ HT (fancybears). "@AnonPress Greetings. We hacked #WADA. We have Proof of American Athletes taking doping. Fancybear.net.”

Ibid.

“WADA Confirms Attack by Russian Cyber Espionage Group." World Anti-Doping Agency]3 Sept. 2016
Russian Hackers Leak Simone Biles and Serena Williams Files.” The BBC. 13 Sept. 2016. Web. 29 Dec. 2016

Rumsby, Ben. “US Superstars Serena and Venus Williams and Simone Biles Given Drugs Exemption, Russian Hackers Reveal.” The Telegraph. 14 Sept. 2016. Web. 29 Dec. 2016.

Luhn, Alec’Fancy Bears Crigins Unclear But Russia Seizes Chance to Put Boot into Wada.” 15 Sept. 2016. Web. 29 Dec. 2016.

Gibson, Owen. “Russian Sports Minister Vitaly Mutko Denies Link to Wada Hackers.” The Guardian. 14 Sept. 2016. Web. 29 Dec. 2016.
CONCLUSION

Since releasing our 2014 report, we continue to assess that
APT28 is sponsored by the Russian Government. We further
assess that APT28 is the group responsible for the network
compromises of WADA and the DNC and other entities
related to the 2016 U.S. presidential election cycle. These
breaches involved the theft of internal data - mostly emails
- that was later strategically leaked through multiple forums
and propagated in a calculated manner almost certainly
intended to advance particular Russian Government aims. In
a report released on January 7 2017, the U.S. Directorate of
National Intelligence described this activity as an “influence
campaign.”

This influence campaign - a combination of network
compromises and subsequent data leaks - aligns closely
with the Russian military's publicly stated intentions and
capabilities. Influence operations, also frequently called
“information operations,” have a long history of inclusion

in Russian strategic doctrine, and have been intentionally
developed, deployed, and modernized with the advent of
the internet. The recent activity in the U.S. is but one of
many instances of Russian Government influence operations
conducted in support of strategic political objectives, and it
will not be the last. As the 2017 elections in Europe approach
- most notably in Germany, France, and the Netherlands - we
are already seeing the makings of similarly concerted efforts.

SPECIAL REPORT / APT28: AT THE CENTER OF THE STORM
APPENDIX:
APT28’s Tools, Tactics, and Operational Changes

In our 2014 report, we identified APT28 as a suspected Russian
government-sponsored espionage actor. We came to this conclusion

in part based on forensic details left in the malware that APT28 had
employed since at least 2007. We have provided an updated version of
those conclusions, a layout of the tactics that they generally employ,

as well as observations of apparent tactical shifts. For full details,
please reference our 2014 report, APT28: A Window into Russia's Cyber
Espionage Operations?

APT28 employs a suite of malware with features indicative of the group's
plans for continued operations, as well as the group's access to resources
and skilled developers.

Key characteristics of APT28’s toolset include:

* A flexible, modular framework that has allowed APT28
to consistently evolve its toolset since at least 2007.

Use of a formal coding environment in which to develop
tools, allowing the group to create and deploy custom
modules within its backdoors.

Incorporation of counter-analysis capabilities including
runtime checks to identify an analysis environment, obfuscated
strings unpacked at runtime, and the inclusion of unused
machine instructions to slow analysis.

Code compiled during the normal working day in the Moscow
time zone and within a Russian language build environment.

OVER

97%

88%

IN ADDITION,
APT28’S DEVELOPERS

APT28’S MALWARE SAMPLES COMPILED CONSISTENTLY BUILT
SAMPLES WERE BETWEEN 8AM AND 6PM MALWARE IN RUSSIAN
COMPILED DURING IN THE TIMEZONE THAT LANGUAGE SETTINGS UNTIL
THE WORKING WEEK INCLUDES MAJOR RUSSIAN

CITIES SUCH AS MOSCOW
AND ST. PETERSBURG

SPECIAL REPORT / APT28: AT THE CENTER OF THE STORM 1
APT28’S MALWARE SUITE

TOOL ROLE AKA

CHOPSTICK | backdoor Xagent, webhp, SPLM, (v2 fysbis)

EVILTOSS backdoor Sedreco, AZZY, Xagent, ADVSTORESHELL, NETUI
GAMEFISH backdoor Sednit, Seduploader, JHUHUGIT, Sofacy

SOURFACE downloader Older version of CORESHELL, Sofacy

OLDBAIT credential | ogo
harvester

CORESHELL | downloader Newer version of SOURFACE, Sofacy

APT28’S OPERATIONAL CHANGES SINCE 2014

APT28 continues to evolve its toolkit and refine its tactics

in what is almost certainly an effort to protect its operational
effectiveness in the face of heightened public exposure and
scrutiny. In addition to the continued evolution of the group's
first stage tools, we have also noted APT28:

Leveraging zero-day vulnerabilities in Adobe Flash Player,
Java, and Windows, including CVE-2015-1701, CVE-2015-2424,
CVE-2015-2590, CVE-2015-3043, CVE-2015-5119, and CVE-
2015-7645.

Using a profiling script to deploy zero-days and other
tools more selectively, decreasing the chance that researchers
and others will gain access to the group's tools.

Increasing reliance on public code depositories, such

as Carberp, PowerShell Empire, P.A.S. webshell, Metasploit
modules, and others in a likely effort to accelerate their
development cycle and provide plausible deniability.

Obtaining credentials through fabricated Google

App authorization and Oauth access requests that allow
the group to bypass two-factor authentication and other
security measures.

Moving laterally through a network relying only

on legitimate tools that already exist within the victims’
systems, at times forgoing their traditional toolset for the
duration of the compromise.

These changes are not only indicative of APT28's skills,
resourcefulness, and desire to maintain operational
effectiveness, but also highlight the longevity of the
group’s mission and its intent to continue its activities
for the foreseeable future.

SPECIAL REPORT / APT28: AT THE CENTER OF THE STORM
APT28 TACTICS

We have observed APT28 rely on four key tactics when attempting

to compromise intended targets. These include sending spear-phishing
emails that either deliver exploit documents that deploy malware onto

a user's systems, or contain a malicious URL designed to harvest the
recipients’ email credentials and provide access to the their accounts.
APT28 has also compromised and placed malware on legitimate websites

intending to infect site visitors, and has gained access to organizations by
compromising their web-facing servers

TACTIC

INFECTION WITH MALWARE VIA SPEAR PHISH

Craft exploit document
with enticing lure content.

Send exploit document
to victim.

Victim opens document,
and malware is installed by
exploiting a vulnerability

(e.g., ARM-NATO_
ENGLISH_30_NOV_2016.
doc leveraged an Adobe Flash
exploit, CVE-2016-7855,
to install GAMEFISH
targeted machine).

Register a domain spoofing
that of a legitimate
organization (e.g.
theguardiannews[.Jorg).

Send link mirroring structure
of legitimate organization's
site that is designed to
expire once users clickit.

Victim goes to link and
retrieves malicious
document or is served a
web-based exploit that
installs malware.

(Flash Vulnerability CVE-
2016-7855 and Windows
Vulnerability CVE-2016-7255
were exploited as zero days to
install malware on victims who
visited a malicious URL).

APT28 1S IN YOUR NETWORK.

TACTIC

WEBMAIL ACCESS VIA SPEAR-PHISH

Register a domain spoofing a webmail service
or an organization’s webmail portal
(e.g., Onedrive-Office365[Jcom)

Send email to targets
instructing them
to reset their passwords.

Recipient visits fake login page
and enters credentials.

APT28 uses stolen

credentials to access
mailbox and read email.

Send email to victims
warning of security risk
and asking them to enable
security service.

Person is asked to authorize
application to view mail
and gives access.

APT28 leverages OAuth
privileges given to malicious
application to read email.

TACTIC

INFECTION WITH MALWARE VIA STRATEGIC
WEB COMPROMISE (SWC)

Compromise a legitimate site and set up
malicious iFrame.

Users of the site are redirected using malicious
iFrame and profiled

(e.g, this technique was used
to compromise and infect visitors to numerous
Polish Government websites in 2014).

Exploit is served to users matching the target profile
and malware is installed on their system.

APT28 IS IN YOUR NETWORK.

TACTIC

ACCESS THROUGH INTERNET-FACING SERVERS

Network reconnaissance to find vulnerable software.

Exploitation of previously known vulnerabilities
present on unpatched systems.

Leverage initial compromise to access other systems
and move deeper into the victim network.

APT28 IS IN YOUR NETWORK.

SPECIAL REPORT / APT28: AT THE CENTER OF THE STORM 12
To download this or other
FireEye ISIGHT Intelligence reports,
visit: www.fireeye.com/reports.html

FireEye, Inc.
1440 McCarthy Blvd. Milpitas, CA 95035
408.321.6300 / 877.FIREEYE (347.3393) / info@FireEye.com

www.FireEye.com
© 2076 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc ) - .
All other brands, products, or service names are or may be trademarks <© FireEye

or service marks of their respective owners. GRAF-60