ATK5

Presumed Origin: Russia

Alias: APT 28, APT28, Fancy Bear, Group-4127, Group 74, IRON TWILIGHT, Pawn Storm, PawnStorm, SIG40, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, TAG_0700, TG-4127, Threat Group-4127, Tsar Team, TsarTeam, apt_sofacy

ATK5 (aka: Sofacy, APT28) is a Russian state-sponsored group of attackers operating since 2004, if not earlier, whose main objective is to steal confidential information from specific targets, such as political and military organizations, for the benefit of the Russian government. It is a skilled team with the capability to develop complex modular malware and to exploit multiple 0-days. Its malware is compiled with a Russian language setting and during Russian office working hours. Despite a number of public disclosures from European governments and indictments from the U.S. Department of Justice, this adversary continues to launch operations targeting the political and defense sectors in Europe and Eurasia.

Between 2007 and 2014, ATK5 had three kinds of targets:

  • Georgian government agencies (Ministry of Internal Affairs and Ministry of Defense) or citizens
  • Eastern European governments
  • Security organisations

The attack on the Georgian Ministry of Defense may have been a response to the growing U.S.-Georgian military relationship. In 2013, the group targeted a journalist, which is a way to monitor public opinion, spread disinformation or identify dissidents.

During 2015 and 2016, this group's activity increased significantly, with numerous attacks against government departments and embassies all over the world.

Among their most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde. ATK5 seems to have a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics. They have also been implicated in the U.S. presidential election attacks in late 2016.

The 2016 attacks were visible and disruptive, but in 2017 the group shifted markedly towards stealthier attacks aimed at gathering intelligence about a range of targets.

One of the striking characteristics of ATK5 is its ability to come up with brand-new 0-day vulnerabilities regularly. In 2015, the group exploited no fewer than six 0-day vulnerabilities. This high number of 0-day exploits suggests that significant resources are available, either because the group members have the skills and time to find and weaponize these vulnerabilities, or because they have the budget to purchase the exploits. In addition, APT28 tries to profile its target system so as to deploy only the tools it needs, which prevents researchers from gaining access to its full arsenal.

Target sector

  • Aerospace
  • Defense
  • Defense contractors
  • Embassies
  • Energy
  • Government and administration agencies
  • Healthcare
  • High-Tech
  • Hospitality
  • International Organizations
  • Media
  • Political Organizations
  • Think Tank
  • Transportation
  • Universities

Target countries

  • Afghanistan
  • Armenia
  • Azerbaijan
  • Belarus
  • Belgium
  • Brazil
  • Bulgaria
  • Canada
  • China
  • France
  • Georgia
  • Germany
  • Hungary
  • Iran, Islamic Republic Of
  • Japan
  • Kazakhstan
  • Korea, Republic of
  • Latvia
  • Malaysia
  • Mongolia
  • Montenegro
  • Netherlands
  • Poland
  • Romania
  • Saudi Arabia
  • Slovakia
  • Spain
  • Sweden
  • Tajikistan
  • Turkey
  • Ukraine
  • United Kingdom Of Great Britain And Northern Ireland
  • United States Of America

Attack pattern

  • T1001 - Data Obfuscation
  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1005 - Data from Local System
  • T1014 - Rootkit
  • T1024 - Custom Cryptographic Protocol
  • T1025 - Data from Removable Media
  • T1027 - Obfuscated Files or Information
  • T1037 - Logon Scripts
  • T1040 - Network Sniffing
  • T1056 - Input Capture
  • T1057 - Process Discovery
  • T1059 - Command-Line Interface
  • T1064 - Scripting
  • T1067 - Bootkit
  • T1068 - Exploitation for Privilege Escalation
  • T1070 - Indicator Removal on Host
  • T1071 - Standard Application Layer Protocol
  • T1074 - Data Staged
  • T1075 - Pass the Hash
  • T1078 - Valid Accounts
  • T1083 - File and Directory Discovery
  • T1085 - Rundll32
  • T1086 - PowerShell
  • T1090 - Connection Proxy
  • T1091 - Replication Through Removable Media
  • T1092 - Communication Through Removable Media
  • T1099 - Timestomp
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1113 - Screen Capture
  • T1114 - Email Collection
  • T1119 - Automated Collection
  • T1120 - Peripheral Device Discovery
  • T1122 - Component Object Model Hijacking
  • T1134 - Access Token Manipulation
  • T1137 - Office Application Startup
  • T1140 - Deobfuscate/Decode Files or Information
  • T1158 - Hidden Files and Directories
  • T1173 - Dynamic Data Exchange
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1199 - Trusted Relationship
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
  • T1210 - Exploitation of Remote Services
  • T1211 - Exploitation for Defense Evasion
  • T1213 - Data from Information Repositories
  • T1221 - Template Injection
  • T1328 - Buy domain name
  • T1346 - Obtain/re-use payloads

Motivation

  • Espionage
  • Political Manipulation

Malware

  • ADVSTORESHELL
  • Blitz backdoor
  • CORESHELL
  • Cannon
  • DealersChoice
  • Delphocy
  • Downdelph
  • Drovorub
  • HIDEDRV
  • JHUHUGIT
  • Komplex
  • LoJax
  • OLDBAIT
  • USBStealer
  • X-Agent
  • X-Agent for Android
  • XAgentOSX
  • XTunnel
  • Zebrocy

Vulnerabilities

  • CVE-2010-3333
  • CVE-2012-0158
  • CVE-2013-1347
  • CVE-2013-3897
  • CVE-2013-3906
  • CVE-2014-0515
  • CVE-2014-1761
  • CVE-2014-1776
  • CVE-2014-4076
  • CVE-2015-1641
  • CVE-2015-1642
  • CVE-2015-1701
  • CVE-2015-2387
  • CVE-2015-2424
  • CVE-2015-2590
  • CVE-2015-3043
  • CVE-2015-4902
  • CVE-2015-5119
  • CVE-2015-7645
  • CVE-2016-7255
  • CVE-2016-7855
  • CVE-2017-0144
  • CVE-2017-0262
  • CVE-2017-0263
  • CVE-2020-0688
  • CVE-2020-17144