Nation-State Actor

APT28 (Fancy Bear)

Russia • Active since 2004

APT28 is a cyber espionage unit of Russia's military intelligence service (GRU), publicly tracked since at least 2004. It carried out the 2016 Democratic National Committee intrusion and persistently targets governments, militaries, and political organizations, above all in NATO countries and their partners. Its operations combine long-running espionage with hack-and-leak influence campaigns, and it has repeatedly exploited newly disclosed vulnerabilities before defenders patched them.

Overview

APT28, also known as Fancy Bear, is a cyber espionage group attributed to the Russian military intelligence service (GRU). A 2018 US indictment of twelve GRU officers named GRU Unit 26165 as the unit behind the 2016 Democratic National Committee hack and related election interference. APT28 targets government, military, and security organizations, political parties and campaigns, media, and critical infrastructure operators worldwide, with a strong focus on NATO members and Ukraine.

Also Known As

Fancy Bear (CrowdStrike), Sofacy (Kaspersky), Pawn Storm (Trend Micro), Forest Blizzard (Microsoft's current name; formerly STRONTIUM)

Target Industries

Government, Military, Defense contractors, Media, Political organizations, Critical infrastructure

Target Regions

United States, Europe, NATO countries, Ukraine, Georgia


Tactics, Techniques & Procedures

  • Spear-phishing with credential harvesting, typically links to fake webmail login pages hosted on lookalike domains
  • Exploitation of zero-day and recently patched vulnerabilities in internet-facing and client software, including the Outlook NTLM-leak vulnerability CVE-2023-23397
  • Watering hole (strategic web compromise) attacks against sites its targets frequent
  • Password spraying and brute force against cloud email accounts, alongside phished credentials
  • Hack-and-leak operations in which stolen material is published through fronts such as DCLeaks and the "Fancy Bears' Hack Team" persona
  • Firmware-level persistence using the LoJax UEFI rootkit, which survives OS reinstalls and disk replacement

Known Tools & Malware

X-Agent (also tracked as CHOPSTICK), X-Tunnel, Sofacy/SOURFACE first-stage downloader, Zebrocy, LoJax (UEFI rootkit), GooseEgg (post-exploitation tool abusing the Windows Print Spooler vulnerability CVE-2022-38028)

Notable Campaigns

Democratic National Committee Hack (2016)

Gained access to DNC networks through spear-phishing, then exfiltrated emails and documents that were published through the DCLeaks site, the Guccifer 2.0 persona, and WikiLeaks.

World Anti-Doping Agency (WADA) Hack (2016)

Stole athletes' confidential medical records, including therapeutic use exemptions, from WADA systems and leaked them under the "Fancy Bears' Hack Team" persona after Russian athletes were sanctioned over state-sponsored doping.

Bundestag (German Parliament) Attack (2015)

Compromised the parliament's internal network and exfiltrated data over several weeks; the network had to be rebuilt from scratch. Germany attributed the attack to APT28, and in 2020 the EU imposed sanctions on GRU Unit 26165 and one of its officers over it.

MITRE ATT&CK Techniques

T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), T1078 (Valid Accounts), T1110.003 (Password Spraying), T1189 (Drive-by Compromise), T1190 (Exploit Public-Facing Application), T1059.001 (PowerShell), T1027 (Obfuscated Files or Information), T1542.001 (Pre-OS Boot: System Firmware)

Defense Recommendations

  1. Require phishing-resistant MFA (FIDO2/WebAuthn) on all accounts, especially email and VPN; one-time codes can be phished along with the password on a fake login page, hardware-bound credentials cannot.

  2. Train staff to recognize targeted spear-phishing, including convincing lures such as fake webmail password-reset or security-alert notices.

  3. Monitor certificate transparency logs and new domain registrations for lookalike domains impersonating your organization, and have a takedown process ready.

  4. Patch internet-facing systems promptly, prioritizing VPN appliances, webmail servers, and Outlook clients; this group exploited the Outlook vulnerability CVE-2023-23397 in the wild.

  5. Publish SPF and DKIM and a DMARC record at p=reject so your own domain cannot be spoofed; note that DMARC does nothing against mail sent from a lookalike domain, which is why item 3 matters.
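The following is an added example, not part of the original page, that puts recommendations 3 and 5 into code: a parser that flags weak DMARC records, and a lookalike-domain matcher run over a constructed list of hostnames standing in for new certificates seen in a Certificate Transparency feed. The domain names, DMARC records, lure words and the small homoglyph table are illustrative assumptions.

```python
"""Added example (not from the original page): two offline checks that
support recommendations 3 and 5 above.

- dmarc_findings(): parses a DMARC TXT record and lists weak settings.
- lookalike_hits(): generates typosquat variants of a protected brand and
  matches them against hostnames (a constructed sample standing in for a
  Certificate Transparency feed).
Every domain, record and table below is constructed for illustration.
"""

# Assumption: a small hand-picked confusable table, not a full homoglyph set.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"], "g": ["q"],
}
LURE_WORDS = ("login", "mail", "webmail", "secure", "sso", "account")


def dmarc_findings(record: str) -> list:
    """Return findings for a DMARC TXT record. An empty list means the record
    enforces p=reject (also for subdomains) on 100% of mail and names an
    aggregate-report address so spoofing attempts become visible."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return [f"malformed tag: {part!r}"]
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong version tag (expected v=DMARC1)")
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is still delivered")
    if tags.get("sp", policy) != "reject":
        findings.append("subdomain policy (sp) is weaker than reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not an integer")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts go unreported")
    return findings


def lookalike_variants(brand: str) -> set:
    """Typosquat variants of one label: homoglyph swaps, single-character
    omissions, adjacent transpositions, and brand + lure-word combinations."""
    variants = set()
    for i, ch in enumerate(brand):
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(brand[:i] + sub + brand[i + 1:])
        variants.add(brand[:i] + brand[i + 1:])                 # omission
        if i < len(brand) - 1:                                  # transposition
            variants.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])
    for word in LURE_WORDS:
        variants.add(f"{brand}-{word}")
        variants.add(f"{word}-{brand}")
    variants.discard(brand)
    return variants


def lookalike_hits(protected: str, hostnames: list) -> list:
    """Return (hostname, reason) pairs for hostnames that impersonate the
    protected registrable domain (e.g. 'example.org') without being under it."""
    brand = protected.split(".")[0]
    variants = lookalike_variants(brand)
    hits = []
    for host in hostnames:
        host = host.lower().rstrip(".")
        if host == protected or host.endswith("." + protected):
            continue  # our own infrastructure is never a hit
        labels = host.split(".")
        registrable = labels[-2] if len(labels) >= 2 else labels[0]
        if registrable in variants:
            hits.append((host, f"typosquat of '{brand}': '{registrable}'"))
        elif brand in registrable:
            hits.append((host, f"'{brand}' embedded in registrable label"))
        elif brand in labels[:-2]:
            hits.append((host, f"'{brand}' used as a subdomain of another domain"))
    return hits


# Constructed sample standing in for a day of newly issued certificate names.
SAMPLE_CT_HOSTNAMES = [
    "www.example.org",                    # legitimate
    "webmail.example.org",                # legitimate
    "examp1e.org",                        # homoglyph: l -> 1
    "exarnple.com",                       # homoglyph: m -> rn, other TLD
    "example-login.com",                  # brand + lure word
    "webmail.example.org.attacker.net",   # brand as a subdomain
    "unrelated-shop.com",                 # noise
    "exampel.net",                        # transposition
]
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc@example.org; ruf=mailto:dmarc@example.org; fo=1")

if __name__ == "__main__":
    for name, record in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print(name, "->", dmarc_findings(record) or "OK")
    for host, reason in lookalike_hits("example.org", SAMPLE_CT_HOSTNAMES):
        print(f"{host:36} {reason}")
```

In practice the hostname list would come from a CT log monitor or a daily zone-file diff rather than a constant, and the DMARC record from a TXT lookup of `_dmarc.<domain>`; the checks themselves stay the same. The variant generator is deliberately simple: production tooling adds Unicode confusables and keyboard-adjacency typos, and scores candidates rather than matching exactly.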

Related Threat Actors

APT29 (Cozy Bear, attributed to Russia's SVR), Sandworm (GRU Unit 74455), Turla (attributed to Russia's FSB)

Is your business exposed?

Check if your company data is circulating on the dark web

Free scan • No credit card required