APT28
Aliases: APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. (Citation: NSA/FBI Drovorub August 2020) (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004. (Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: G...
| Metric | Value |
|---|---|
| Techniques | 94 |
| Covered | 81 |
| Gaps | 13 |
| Coverage | 86% (81/94) |
GAPS (13)
| Technique ID | Technique |
|---|---|
| T1001.001 | Junk Data |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| T1092 | Communication Through Removable Media |
| T1557.004 | Evil Twin |
| T1573.001 | Symmetric Cryptography |
| T1583.003 | Virtual Private Server |
| T1584.008 | Network Devices |
| T1586.002 | Email Accounts |
| T1588.007 | Artificial Intelligence |
| T1591 | Gather Victim Org Information |
| T1596 | Search Open Technical Databases |
| T1669 | Wi-Fi Networks |
| T1684.001 | Impersonation |
COVERED (81)
| Technique ID | Technique | Detections |
|---|---|---|
| T1003 | OS Credential Dumping | 113 |
| T1003.001 | LSASS Memory | 111 |
| T1003.003 | NTDS | 36 |
| T1005 | Data from Local System | 47 |
| T1014 | Rootkit | 30 |
| T1021.002 | SMB/Windows Admin Shares | 73 |
| T1025 | Data from Removable Media | 3 |
| T1027.013 | Encrypted/Encoded File | 8 |
| T1030 | Data Transfer Size Limits | 7 |
| T1036 | Masquerading | 525 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1037.001 | Logon Script (Windows) | 5 |
| T1039 | Data from Network Shared Drive | 6 |
| T1040 | Network Sniffing | 15 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 20 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1068 | Exploitation for Privilege Escalation | 99 |
| T1070.001 | Clear Windows Event Logs | 16 |
| T1070.004 | File Deletion | 42 |
| T1070.006 | Timestomp | 10 |
| T1071.001 | Web Protocols | 80 |
| T1071.003 | Mail Protocols | 4 |
| T1074.001 | Local Data Staging | 10 |
| T1074.002 | Remote Data Staging | 3 |
| T1078 | Valid Accounts | 280 |
| T1078.004 | Cloud Accounts | 167 |
| T1083 | File and Directory Discovery | 48 |
| T1090.002 | External Proxy | 6 |
| T1090.003 | Multi-hop Proxy | 9 |
| T1091 | Replication Through Removable Media | 8 |
| T1098.002 | Additional Email Delegate Permissions | 9 |
| T1102.002 | Bidirectional Communication | 15 |
| T1105 | Ingress Tool Transfer | 183 |
| T1110 | Brute Force | 90 |
| T1110.001 | Password Guessing | 35 |
| T1110.003 | Password Spraying | 66 |
| T1113 | Screen Capture | 18 |
| T1114.002 | Remote Email Collection | 18 |
| T1119 | Automated Collection | 12 |
| T1120 | Peripheral Device Discovery | 4 |
| T1133 | External Remote Services | 72 |
| T1134.001 | Token Impersonation/Theft | 20 |
| T1137.002 | Office Test | 3 |
| T1140 | Deobfuscate/Decode Files or Information | 58 |
| T1189 | Drive-by Compromise | 10 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1199 | Trusted Relationship | 6 |
| T1203 | Exploitation for Client Execution | 75 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1210 | Exploitation of Remote Services | 35 |
| T1211 | Exploitation for Stealth | 6 |
| T1213 | Data from Information Repositories | 24 |
| T1213.002 | Sharepoint | 4 |
| T1218.011 | Rundll32 | 75 |
| T1221 | Template Injection | 1 |
| T1498 | Network Denial of Service | 13 |
| T1505.003 | Web Shell | 63 |
| T1528 | Steal Application Access Token | 47 |
| T1542.003 | Bootkit | 4 |
| T1546.015 | Component Object Model Hijacking | 13 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1550.001 | Application Access Token | 38 |
| T1550.002 | Pass the Hash | 10 |
| T1559.002 | Dynamic Data Exchange | 1 |
| T1560 | Archive Collected Data | 12 |
| T1560.001 | Archive via Utility | 26 |
| T1564.001 | Hidden Files and Directories | 25 |
| T1564.003 | Hidden Window | 11 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1567 | Exfiltration Over Web Service | 45 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1588.002 | Tool | 13 |
| T1589.001 | Credentials | 2 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1598 | Phishing for Information | 902 |
| T1598.003 | Spearphishing Link | 285 |
| T1685.005 | Clear Windows Event Logs | 11 |