Fancy Bear, also known as APT28, is a notorious Russian cyberespionage group with a long history of targeting governments, military entities, and other high-value organizations worldwide. Active since 2007, they are infamous for their stealthy and well-coordinated cyberattacks. Fancy Bear has been implicated in attempts to influence election processes in the U.S., France, and Germany.
Alias: Fancy Bear, APT 28, APT-28, APT28, Blue Athena, BlueDelta, FROZENLAKE, Fighting Ursa, Forest Blizzard, Group 74, IRON TWILIGHT, ITG05, Pawn Storm, SIG40, STRONTIUM, Sednit, Sofacy, Sofacy Group, Strontium, Swallowtail, TA422, TG-4127, Threat Group-4127, Tsar Team, UAC-0028, Unit 26165, Unit 74455
Motivation: Financial Gains, Reputational Damage, Espionage, Political Agenda
Targeted countries: Afghanistan, Brazil, Cambodia, France, Georgia, Germany, India, Indonesia, Kazakhstan, Malaysia, Moldova, Pakistan, Romania, Russia, South Africa, Syria, Thailand, Turkey, Ukraine, United States, Vietnam, and Australia.
Malware used by Fancy Bear:
Zebrocy, Sofacy, X-Agent, CHOPSTICK, CORESHELL, JHUHUGIT, ADVSTORESHELL, Drovorub, Skinnyboy
MITRE ATT&CK techniques used by Fancy Bear, grouped by tactic:
Reconnaissance: T1598, T1595.002, T1589.001, T1598.003
Resource Development: T1583.006, T1588.002, T1583.001, T1586.002
Initial Access: T1189, T1133, T1199, T1078, T1566.001, T1566.002, T1078.004, T1091, T1190
Execution: T1203, T1059.003, T1204.001, T1059.001, T1204.002, T1559.002
Persistence: T1505.003, T1542.003, T1037.001, T1133, T1078, T1078.004, T1137.002, T1546.015, T1098.002, T1547.001
Privilege Escalation: T1068, T1037.001, T1078, T1078.004, T1546.015, T1547.001, T1134.001
Defense Evasion: T1027, T1211, T1036, T1070.001, T1014, T1221, T1078, T1078.004, T1564.001, T1564.003, T1134.001, T1218.011, T1542.003, T1036.005, T1550.002, T1550.001, T1140, T1070.004, T1070.006
Credential Access: T1110.003, T1110.001, T1003, T1110, T1040, T1528, T1003.003, T1003.001, T1056.001
Discovery: T1057, T1120, T1040, T1083
Lateral Movement: T1210, T1550.002, T1021.002, T1550.001, T1091
Collection: T1213, T1005, T1025, T1113, T1560, T1560.001, T1119, T1039, T1056.001, T1074.001, T1114.002, T1074.002, T1213.002
Command and Control: T1573.001, T1071.001, T1102.002, T1090.003, T1071.003, T1090.002, T1092, T1105, T1001.001
Exfiltration: T1048.002, T1030, T1567
Impact: T1498
Vulnerabilities (CVEs) associated with Fancy Bear: CVE-2024-21412, CVE-2023-32315, CVE-2023-38831, CVE-2023-36025, CVE-2023-23397, CVE-2023-27351