← Back to Actors
APT28
APT28IRON TWILIGHTSNAKEMACKERELSwallowtailGroup 74SednitSofacyPawn StormFancy BearSTRONTIUMTsar TeamThreat Group-4127TG-4127Forest BlizzardFROZENLAKEGruesomeLarch
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: G...
94
Techniques
81
Covered
13
Gaps
86%
Coverage
Coverage81/94
GAPS (13)
T1001.001Junk DataT1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1092Communication Through Removable MediaT1557.004Evil TwinT1573.001Symmetric CryptographyT1583.003Virtual Private ServerT1584.008Network DevicesT1586.002Email AccountsT1588.007Artificial IntelligenceT1591Gather Victim Org InformationT1596Search Open Technical DatabasesT1669Wi-Fi NetworksT1684.001Impersonation
COVERED (81)
T1003OS Credential Dumping113 det.T1003.001LSASS Memory111 det.T1003.003NTDS36 det.T1005Data from Local System47 det.T1014Rootkit30 det.T1021.002SMB/Windows Admin Shares74 det.T1025Data from Removable Media3 det.T1027.013Encrypted/Encoded File8 det.T1030Data Transfer Size Limits7 det.T1036Masquerading572 det.T1036.005Match Legitimate Resource Name or Location45 det.T1037.001Logon Script (Windows)5 det.T1039Data from Network Shared Drive6 det.T1040Network Sniffing15 det.T1056.001Keylogging4 det.T1057Process Discovery21 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1068Exploitation for Privilege Escalation99 det.T1070.001Clear Windows Event Logs16 det.T1070.004File Deletion43 det.T1070.006Timestomp10 det.T1071.001Web Protocols81 det.T1071.003Mail Protocols4 det.T1074.001Local Data Staging10 det.T1074.002Remote Data Staging3 det.T1078Valid Accounts297 det.T1078.004Cloud Accounts183 det.T1083File and Directory Discovery48 det.T1090.002External Proxy8 det.T1090.003Multi-hop Proxy9 det.T1091Replication Through Removable Media8 det.T1098.002Additional Email Delegate Permissions9 det.T1102.002Bidirectional Communication16 det.T1105Ingress Tool Transfer184 det.T1110Brute Force90 det.T1110.001Password Guessing35 det.T1110.003Password Spraying66 det.T1113Screen Capture18 det.T1114.002Remote Email Collection18 det.T1119Automated Collection12 det.T1120Peripheral Device Discovery4 det.T1133External Remote Services74 det.T1134.001Token Impersonation/Theft20 det.T1137.002Office Test3 det.T1140Deobfuscate/Decode Files or Information58 det.T1189Drive-by Compromise10 det.T1190Exploit Public-Facing Application227 det.T1199Trusted Relationship6 det.T1203Exploitation for Client Execution79 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1210Exploitation of Remote Services35 det.T1211Exploitation for Stealth6 det.T1213Data from Information Repositories24 det.T1213.002Sharepoint4 det.T1218.011Rundll3275 det.T1221Template Injection1 det.T1498Network Denial of Service14 det.T1505.003Web Shell65 det.T1528Steal Application Access Token52 det.T1542.003Bootkit4 det.T1546.015Component Object Model Hijacking13 det.T1547.001Registry Run Keys / Startup Folder53 det.T1550.001Application Access Token42 det.T1550.002Pass the Hash10 det.T1559.002Dynamic Data Exchange1 det.T1560Archive Collected Data12 det.T1560.001Archive via Utility26 det.T1564.001Hidden Files and Directories25 det.T1564.003Hidden Window11 det.T1566.001Spearphishing Attachment979 det.T1567Exfiltration Over Web Service46 det.T1583.001Domains62 det.T1583.006Web Services1 det.T1588.002Tool13 det.T1589.001Credentials2 det.T1595.002Vulnerability Scanning13 det.T1598Phishing for Information1002 det.T1598.003Spearphishing Link312 det.T1685.005Clear Windows Event Logs12 det.