APT28
Aliases: IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: G...
Coverage summary: 91 techniques, 80 covered, 11 gaps, 88% coverage (80/91).
GAPS (11)

- T1001.001 Junk Data
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
- T1092 Communication Through Removable Media
- T1557.004 Evil Twin
- T1573.001 Symmetric Cryptography
- T1583.003 Virtual Private Server
- T1584.008 Network Devices
- T1586.002 Email Accounts
- T1591 Gather Victim Org Information
- T1596 Search Open Technical Databases
- T1669 Wi-Fi Networks
COVERED (80)

| Technique | Name | Det. |
|---|---|---|
| T1003 | OS Credential Dumping | 106 |
| T1003.001 | LSASS Memory | 105 |
| T1003.003 | NTDS | 34 |
| T1005 | Data from Local System | 46 |
| T1014 | Rootkit | 29 |
| T1021.002 | SMB/Windows Admin Shares | 67 |
| T1025 | Data from Removable Media | 3 |
| T1027.013 | Encrypted/Encoded File | 7 |
| T1030 | Data Transfer Size Limits | 6 |
| T1036 | Masquerading | 493 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1037.001 | Logon Script (Windows) | 5 |
| T1039 | Data from Network Shared Drive | 6 |
| T1040 | Network Sniffing | 15 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 18 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1068 | Exploitation for Privilege Escalation | 91 |
| T1070.001 | Clear Windows Event Logs | 15 |
| T1070.004 | File Deletion | 40 |
| T1070.006 | Timestomp | 9 |
| T1071.001 | Web Protocols | 74 |
| T1071.003 | Mail Protocols | 4 |
| T1074.001 | Local Data Staging | 10 |
| T1074.002 | Remote Data Staging | 3 |
| T1078 | Valid Accounts | 252 |
| T1078.004 | Cloud Accounts | 149 |
| T1083 | File and Directory Discovery | 48 |
| T1090.002 | External Proxy | 6 |
| T1090.003 | Multi-hop Proxy | 8 |
| T1091 | Replication Through Removable Media | 8 |
| T1098.002 | Additional Email Delegate Permissions | 8 |
| T1102.002 | Bidirectional Communication | 14 |
| T1105 | Ingress Tool Transfer | 170 |
| T1110 | Brute Force | 85 |
| T1110.001 | Password Guessing | 35 |
| T1110.003 | Password Spraying | 65 |
| T1113 | Screen Capture | 17 |
| T1114.002 | Remote Email Collection | 18 |
| T1119 | Automated Collection | 11 |
| T1120 | Peripheral Device Discovery | 4 |
| T1133 | External Remote Services | 72 |
| T1134.001 | Token Impersonation/Theft | 20 |
| T1137.002 | Office Test | 3 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1189 | Drive-by Compromise | 10 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1199 | Trusted Relationship | 6 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.001 | Malicious Link | 9 |
| T1204.002 | Malicious File | 397 |
| T1210 | Exploitation of Remote Services | 33 |
| T1211 | Exploitation for Defense Evasion | 6 |
| T1213 | Data from Information Repositories | 24 |
| T1213.002 | Sharepoint | 4 |
| T1218.011 | Rundll32 | 73 |
| T1221 | Template Injection | 1 |
| T1498 | Network Denial of Service | 13 |
| T1505.003 | Web Shell | 57 |
| T1528 | Steal Application Access Token | 42 |
| T1542.003 | Bootkit | 3 |
| T1546.015 | Component Object Model Hijacking | 13 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1550.001 | Application Access Token | 30 |
| T1550.002 | Pass the Hash | 9 |
| T1559.002 | Dynamic Data Exchange | 1 |
| T1560 | Archive Collected Data | 11 |
| T1560.001 | Archive via Utility | 24 |
| T1564.001 | Hidden Files and Directories | 23 |
| T1564.003 | Hidden Window | 11 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1567 | Exfiltration Over Web Service | 44 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1588.002 | Tool | 13 |
| T1589.001 | Credentials | 2 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1598 | Phishing for Information | 843 |
| T1598.003 | Spearphishing Link | 271 |