A Two-Decade Threat Evolution of Russian APT Group, APT28

Category: Threat Actor Activity | Industries: Aerospace, Defense, Energy, Financial, Government, Logistics, Transportation | Source: Trend Micro

In its examination of the evolving capabilities of the Russian APT group APT28 (also known as Fancy Bear, Fighting Ursa, Forest Blizzard, Pawn Storm, TA422, and STRONTIUM), Trend Micro offers insights into the group's tactical evolution since 2004. The study delves into cyber espionage campaigns that, despite their apparent lack of sophistication, have proven highly successful. As Trend Micro points out, "On the contrary, we have clear indications that APT28 has compromised thousands of email accounts over time, with some of these seemingly repetitive attacks being cleverly designed and stealthy, employing advanced TTPs. The loudness of their repetitive, often crude and aggressive campaigns can overshadow the subtlety and complexity of their initial intrusion, as well as the post-exploitation actions that follow once APT28 gains a foothold within victim organizations."

APT28's targets are diverse, encompassing government entities, defense sectors, energy companies, and transportation industries across Europe, North America, South America, Asia, Africa, and the Middle East. Notably, the group focuses on brute-force credential attacks, with a particular emphasis on mail servers and corporate VPN services. The group has effectively exploited vulnerabilities such as CVE-2023-23397, a critical Outlook flaw that enables attackers to relay NTLMv2 hashes and execute further intrusions within a victim's network. Persistence strategies include the "modification of folder permissions within the victim's mailbox, leading to enhanced persistence. Using the victim's email accounts, lateral movement is possible by sending additional malicious email messages from within the victim organization." To conceal its activities, APT28 employs multiple anonymization layers, including VPN services, Tor, data center IP addresses, and potentially compromised EdgeOS routers. As Trend Micro notes, "We do not know whether APT28 itself compromised these EdgeOS routers or if it is using routers that were already compromised by a third-party actor."
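The brute-force and credential-guessing activity against mail servers and VPN gateways described above can be surfaced from authentication logs. The following is an added example, not code from the Trend Micro report: it parses constructed sample log lines in an invented `ts service result user src` format, flags sources that fail logins across several accounts inside a short window, and notes whether a success followed (possible compromise) and whether the source falls in a placeholder range standing in for a VPN, data-center or Tor-exit list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample auth events in an invented layout (not any real mail/VPN log format).
SAMPLE_LOG = """\
2023-12-01T08:00:01Z imap FAIL user=alice src=203.0.113.7
2023-12-01T08:00:03Z imap FAIL user=bob src=203.0.113.7
2023-12-01T08:00:05Z imap FAIL user=carol src=203.0.113.7
2023-12-01T08:00:07Z imap FAIL user=dave src=203.0.113.7
2023-12-01T08:00:11Z imap OK user=dave src=203.0.113.7
2023-12-01T08:01:00Z vpn FAIL user=alice src=198.51.100.9
2023-12-01T08:01:30Z vpn OK user=alice src=198.51.100.9
2023-12-01T09:15:00Z vpn FAIL user=frank src=192.0.2.4
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK) user=(\S+) src=(\S+)$")
# Placeholder ranges standing in for a VPN / data-center / Tor-exit address list (assumption).
ANONYMIZER_RANGES = [ip_network("203.0.113.0/24")]

def parse(log_text):
    """Parse lines into (time, service, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, svc, res, user, src = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), svc, res, user, src))
    return events

def detect_spray(log_text, window=timedelta(minutes=10), min_fail=4, min_users=3):
    """Flag sources with >= min_fail failures across >= min_users accounts within a sliding
    window; record a later success from that source and whether it sits in an anonymizer range."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[4]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[2] == "FAIL"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - first[0] <= window]
            if len(burst) >= min_fail and len({e[3] for e in burst}) >= min_users:
                findings[src] = {
                    "failures": len(burst),
                    "accounts": sorted({e[3] for e in burst}),
                    "success_after": any(e[2] == "OK" and e[0] > first[0] for e in evs),
                    "anonymizer": any(ip_address(src) in n for n in ANONYMIZER_RANGES),
                }
                break
    return findings
```

A single failed login followed by success from one address (the 198.51.100.9 lines) is deliberately left unflagged, since that is ordinary user behaviour; tune `window`, `min_fail` and `min_users` to the volume of the environment.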

Recent campaigns show a shift towards more advanced and covert methodologies, often blending aggressive initial attacks with sophisticated post-compromise actions. APT28 has been linked to the exploitation of the WinRAR vulnerability CVE-2023-38831. More recently, Trend Micro observed the threat actor running a credential phishing campaign against European governments from November 29 to December 11, 2023. During this campaign, the group used webhook[.]site URLs and VPN IP addresses from services such as Mullvad, Whoer, and IPVanish to deliver phishing emails. The operation showed technical connections to the group's prior Net-NTLMv2 hash relay campaigns, including the reuse of the same computer name.

Furthermore, in October 2022, APT28 targeted high-profile individuals with spear-phishing emails carrying a simple information stealer as an attachment, operating without any command-and-control (C&C) server. Once installed on a victim's computer, this autonomous information stealer selectively collected specific file types (PDFs, Word documents, and spreadsheets) and uploaded them to a free file-sharing service, free.keep[.]sh. To further complicate attribution by security researchers, APT28 used a unique shortened URL for each victim. APT28 thus remains a formidable cybersecurity threat, adeptly blending traditional and innovative attack techniques to target high-profile organizations worldwide.
