{"description": "Enterprise techniques used by APT28, ATT&CK group G0007 (v5.2)", "name": "APT28 (G0007)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.(Citation: FireEye Op RussianDoll)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used a Powershell cmdlet to grant the ApplicationImpersonation role to a compromised account.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.(Citation: FireEye APT28)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Google TAG Ukraine Threat Landscape March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583.003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) hosted phishing domains on free services for brief periods of time during campaigns.(Citation: Leonard TAG 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583.006", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used newly-created Blogspot pages for credential harvesting operations.(Citation: Google TAG Ukraine Threat Landscape March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1595", "showSubtechniques": true}, {"techniqueID": "T1595.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has performed large-scale scans in an attempt to find vulnerable servers.(Citation: TrendMicro Pawn Storm 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557", "showSubtechniques": true}, {"techniqueID": "T1557.004", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.(Citation: US District Court Indictment GRU Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "Later implants used by [APT28](https://attack.mitre.org/groups/G0007), such as [CHOPSTICK](https://attack.mitre.org/software/S0023), use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[APT28](https://attack.mitre.org/groups/G0007) used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.(Citation: DOJ GRU Indictment Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used a variety of utilities, including WinRAR, to archive collected data with password protection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used built-in PowerShell capabilities (Compress-Archive cmdlet) to compress collected data.(Citation: Nearest Neighbor Volexity)  ", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[APT28](https://attack.mitre.org/groups/G0007) used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.(Citation: DOJ GRU Indictment Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has deployed malware that has copied itself to the startup directory for persistence.(Citation: TrendMicro Pawn Storm Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037", "showSubtechniques": true}, {"techniqueID": "T1037.001", "comment": "An [APT28](https://attack.mitre.org/groups/G0007) loader Trojan adds the Registry key HKCU\\Environment\\UserInitMprLogonScript to establish persistence.(Citation: Unit 42 Playbook Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "comment": "[APT28](https://attack.mitre.org/groups/G0007) can perform brute force attacks to obtain credentials.(Citation: TrendMicro Pawn Storm 2019)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Microsoft Targeting Elections September 2020)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1110.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020) [APT28](https://attack.mitre.org/groups/G0007) has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110.003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: Microsoft Targeting Elections September 2020) [APT28](https://attack.mitre.org/groups/G0007) has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) performed password-spray attacks against public facing services to validate credentials.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) downloads and executes PowerShell scripts and performs PowerShell commands.(Citation: Palo Alto Sofacy 06-2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used PowerShell cmdlet Get-ChildItem to access credentials, among other PowerShell functions deployed.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "An [APT28](https://attack.mitre.org/groups/G0007) loader Trojan uses a cmd.exe and batch script to run its payload.(Citation: Unit 42 Playbook Dec 2017) The group has also used macros to execute payloads.(Citation: Talos Seduploader Oct 2017)(Citation: Unit42 Cannon Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used cmd.exe for execution.(Citation: Nearest Neighbor Volexity) ", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1092", "comment": "[APT28](https://attack.mitre.org/groups/G0007) uses a tool that captures information from air-gapped computers via an infected USB and transfers it to network-connected computer when the USB is inserted.(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1586", "showSubtechniques": true}, {"techniqueID": "T1586.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used compromised email accounts to send credential phishing emails.(Citation: Google TAG Ukraine Threat Landscape March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) compromised third-party infrastructure in physical proximity to targets of interest for follow-on activities.(Citation: Nearest Neighbor Volexity)  ", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1584.008", "comment": "[APT28](https://attack.mitre.org/groups/G0007) compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages.(Citation: Leonard TAG 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has collected files from various information repositories.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1213.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has collected information from Microsoft SharePoint services within target networks.(Citation: RSAC 2015 Abu Dhabi Stefano Maccaglia)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has retrieved internal documents from machines inside victim environments, including by using [Forfiles](https://attack.mitre.org/software/S0193) to stage documents before exfiltration.(Citation: \u00dcberwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1039", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has collected files from network shared drives.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1025", "comment": "An [APT28](https://attack.mitre.org/groups/G0007) backdoor may collect the entire contents of an inserted USB device.(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) added \"junk data\" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a \"junk length\" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has stored captured credential information in a file named pi.log.(Citation: Microsoft SIR Vol 19)During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) staged captured credential information in the C:\\ProgramData directory.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1074.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has staged archives of collected data on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1030", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has split archived exfiltration files into chunks smaller than 1MB.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "An [APT28](https://attack.mitre.org/groups/G0007) macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)\nDuring [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) unarchived data using the GUI version of WinRAR.(Citation: Nearest Neighbor Volexity)  ", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1006", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) accessed volume shadow copies through executing vssadmin in order to dump the NTDS.dit file.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.001", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used the native Microsoft utility [cipher.exe](https://attack.mitre.org/software/S1205) to securely wipe files and folders \u2013 overwriting the deleted data using cmd.exe /c cipher /W:C.(Citation: Nearest Neighbor Volexity)  ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1189", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has compromised targets via strategic web compromise utilizing custom exploit kits.(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) [APT28](https://attack.mitre.org/groups/G0007) used reflected cross-site scripting (XSS) against government websites to redirect users to phishing webpages.(Citation: Leonard TAG 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has collected emails from victim Microsoft Exchange servers.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) installed a Delphi backdoor that used a custom algorithm for C2 communications.(Citation: ESET Zebrocy May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.(Citation: ESET Sednit Part 1)(Citation: ESET Zebrocy May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1567", "comment": "[APT28](https://attack.mitre.org/groups/G0007) can exfiltrate data over Google Drive.(Citation: TrendMicro Pawn Storm Dec 2020) During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) exfiltrated data over public-facing webservers \u2013 such as Google Drive.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1190", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.(Citation: Securelist Sofacy Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1211", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used CVE-2015-4902 to bypass security features.(Citation: Bitdefender APT28 Dec 2015)(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263, and CVE-2022-38028 to escalate privileges.(Citation: Bitdefender APT28 Dec 2015)(Citation: Microsoft SIR Vol 19)(Citation: Securelist Sofacy Feb 2018)(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1210", "comment": "[APT28](https://attack.mitre.org/groups/G0007) exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017)(Citation: MS17-010 March 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used [Tor](https://attack.mitre.org/software/S0183) and a variety of commercial VPN services to route brute force authentication attempts.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used [Forfiles](https://attack.mitre.org/software/S0193) to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.(Citation: \u00dcberwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1589", "showSubtechniques": true}, {"techniqueID": "T1589.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has harvested user's login credentials.(Citation: Microsoft Targeting Elections September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1591", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used large language models (LLMs) to gather information about satellite capabilities.(Citation: MSFT-AI)(Citation: OpenAI-CTI) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has saved files with hidden file attributes.(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used the WindowStyle parameter to conceal [PowerShell](https://attack.mitre.org/techniques/T1059/001) windows.(Citation: Palo Alto Sofacy 06-2018) (Citation: McAfee APT28 DDE1 Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) added rules to a victim's Windows firewall to set up a series of port-forwards allowing traffic to target systems.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security.(Citation: Crowdstrike DNC June 2016)(Citation: DOJ GRU Indictment Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.(Citation: DOJ GRU Indictment Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has performed timestomping on victim files.(Citation: Crowdstrike DNC June 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Playbook Dec 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used tools to perform keylogging.(Citation: Microsoft SIR Vol 19)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has delivered [JHUHUGIT](https://attack.mitre.org/software/S0044) and [Koadic](https://attack.mitre.org/software/S0250) by executing PowerShell commands through DDE in Word documents.(Citation: McAfee APT28 DDE1 Nov 2017)(Citation: McAfee APT28 DDE2 Nov 2017)(Citation: Palo Alto Sofacy 06-2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has renamed the WinRAR utility to avoid detection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1498", "comment": "In 2016, [APT28](https://attack.mitre.org/groups/G0007) conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.(Citation: US District Court Indictment GRU Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1040", "comment": "[APT28](https://attack.mitre.org/groups/G0007) deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017) [APT28](https://attack.mitre.org/groups/G0007) close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.(Citation: US District Court Indictment GRU Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[APT28](https://attack.mitre.org/groups/G0007) encrypted a .dll payload using RTL and a custom encryption algorithm. [APT28](https://attack.mitre.org/groups/G0007) has also obfuscated payloads with base64, XOR, and RC4.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has obtained and used open-source tools like [Koadic](https://attack.mitre.org/software/S0250), [Mimikatz](https://attack.mitre.org/software/S0002), and [Responder](https://attack.mitre.org/software/S0174).(Citation: Palo Alto Sofacy 06-2018)(Citation: Securelist Sofacy Feb 2018)(Citation: FireEye APT28 Hospitality Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1137", "showSubtechniques": true}, {"techniqueID": "T1137.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\\Software\\Microsoft\\Office test\\Special\\Perf to execute code.(Citation: Palo Alto Office Test Sofacy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) regularly deploys both publicly available (ex: [Mimikatz](https://attack.mitre.org/software/S0002)) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018)(Citation: US District Court Indictment GRU Oct 2018)\t", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) regularly deploys both publicly available (ex: [Mimikatz](https://attack.mitre.org/software/S0002)) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018) They have also dumped the LSASS process memory using the MiniDump function.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used the following commands to dump SAM, SYSTEM, and SECURITY hives: reg save hklm\\sam, reg save hklm\\system, and reg save hklm\\security.(Citation: Nearest Neighbor Volexity)  ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used the ntdsutil.exe utility to export the Active Directory database for credential access.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) dumped NTDS.dit through creating volume shadow copies via vssadmin.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[APT28](https://attack.mitre.org/groups/G0007) uses a module to receive a notification every time a USB mass storage device is inserted into a victim.(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) sent spearphishing emails containing malicious Microsoft Office and RAR attachments.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used spearphishing to compromise credentials.(Citation: Microsoft Targeting Elections September 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has conducted credential phishing campaigns with links that redirect to credential harvesting sites.(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1542", "showSubtechniques": true}, {"techniqueID": "T1542.003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has deployed a bootkit along with [Downdelph](https://attack.mitre.org/software/S0134) to ensure its persistence on the victim. The bootkit shares code with some variants of [BlackEnergy](https://attack.mitre.org/software/S0089).(Citation: ESET Sednit Part 3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "An [APT28](https://attack.mitre.org/groups/G0007) loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.(Citation: Unit 42 Playbook Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used the built-in netsh portproxy command to create internal proxies on compromised systems.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1090.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. [APT28](https://attack.mitre.org/groups/G0007) has also used a machine to relay and obscure communications between [CHOPSTICK](https://attack.mitre.org/software/S0023) and their server.(Citation: FireEye APT28)(Citation: Bitdefender APT28 Dec 2015)(Citation: DOJ GRU Indictment Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has routed traffic over [Tor](https://attack.mitre.org/software/S0183) and VPN servers to obfuscate their activities.(Citation: TrendMicro Pawn Storm Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used RDP for lateral movement.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has mapped network drives using [Net](https://attack.mitre.org/software/S0039) and administrator credentials.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) leveraged SMB to transfer files and move laterally.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1091", "comment": "[APT28](https://attack.mitre.org/groups/G0007) uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1014", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used a UEFI (Unified Extensible Firmware Interface) rootkit known as [LoJax](https://attack.mitre.org/software/S0397).(Citation: Symantec APT28 Oct 2018)(Citation: ESET LoJax Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used tools to take screenshots from victims.(Citation: ESET Sednit Part 2)(Citation: XAgentOSX 2017)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1596", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used large language models (LLMs) to assist in script development and deployment.(Citation: MSFT-AI)(Citation: OpenAI-CTI) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1528", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used several malicious applications to steal user OAuth access tokens including applications masquerading as \"Google Defender\" \"Google Email Protection,\" and \"Google Scanner\" for Gmail users. They also targeted Yahoo users with applications masquerading as \"Delivery Service\" and \"McAfee Email Protection\".(Citation: Trend Micro Pawn Storm OAuth 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[APT28](https://attack.mitre.org/groups/G0007) executed [CHOPSTICK](https://attack.mitre.org/software/S0023) by using rundll32 commands such as rundll32.exe \u201cC:\\Windows\\twain_64.dll\u201d. [APT28](https://attack.mitre.org/groups/G0007) also executed a .dll for a first stage dropper using rundll32.exe. An [APT28](https://attack.mitre.org/groups/G0007) loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.(Citation: Crowdstrike DNC June 2016)(Citation: Bitdefender APT28 Dec 2015)(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit 42 Playbook Dec 2017)(Citation: ESET Zebrocy May 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "showSubtechniques": true}, {"techniqueID": "T1016.002", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) collected information on wireless interfaces within range of a compromised system.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1221", "comment": "[APT28](https://attack.mitre.org/groups/G0007) used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. (Citation: Unit42 Sofacy Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1199", "comment": "Once [APT28](https://attack.mitre.org/groups/G0007) gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.(Citation: DOJ GRU Indictment Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.(Citation: Trend Micro Pawn Storm OAuth 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used pass the hash for lateral movement.(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.(Citation: Trend Micro Pawn Storm April 2017)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has used Google Drive for C2.(Citation: TrendMicro Pawn Storm Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1669", "comment": "[APT28](https://attack.mitre.org/groups/G0007) has exploited open Wi-Fi access points for initial access to target devices using the network.(Citation: Nearest Neighbor Volexity)(Citation: DOJ GRU Charges 2018)During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) established wireless connections to secure, enterprise Wi-Fi networks belonging to a target organization for initial access into the environment.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT28", "color": "#66b1ff"}, {"label": "used by a campaign attributed to APT28", "color": "#ff6666"}, {"label": "used by APT28 and used by a campaign attributed to APT28", "color": "#ff66f4"}]}