Threat Actor – APT28

Threat Actor – APT28

junho 8, 2017 | Adeline Zhang


APT28 is a recognized state-sponsored threat actor operating out of Russia. Nefarious efforts and known exploits conducted by ATP28 (Advanced Persistent Threat) have been tracked as early as 2007 by various cyber-security experts in the field. The following information will outline the worldwide cyber warfare attacks that have been linked to APT28 throughout their years of operation.

Through analysis and correlation, it has been determined that the illegal acts conducted by APT28 are in fact Russian state-sponsored and carried out for reasons of intelligence collections, ideological motives, and disruption of operations for recognition purposes.

Additionally, the previous attacks have been centered around military and governmental intelligence attacks pertaining to countries of Eastern Europe and of course the United States. I will be providing context behind these collection campaigns and briefly list their primary attack vectors and the tools that have been used to assist in their exploits.

Attack History

One of the biggest attacks conducted on behalf of APT28 is still currently under investigation. The supposed medaling in the United States 2016 Presidential elections has been on ongoing affair since its inception early last year. However, the illegal deeds performed by APT28 span far beyond this recent breach and date back as early as 2007. The global industries that have suffered the greatest impact include the media, government, and military facets.

The attack vectors that have been successful in facilitating the exploits include spear-phishing, zero-day vulnerabilities, code obfuscation, and deployment of various forms of malware to assist in lateral/forward movement and backdoor root-kit deployments. Listing all of the previous attacks spans far beyond the scope of this blog but I will identify four out of more than ten that have arguably reeked the most havoc for its victims.

September 2016: World Anti-Doping Agency (WADA)

It was determined that APT28 had significant involvement in the tampering of athlete’s medical records located in the Administration and Management System (ADAMS) database. Due to the scandal surrounding the barring of Russian athletes from the 2016 Rio Olympics because of illegal doping practices it was believed that the WADA attack carried out by APT28 was in retaliation to this notion.

April – September 2016: U.S. Democratic National Committee (DNC)

FireEye determined that two breaches occurred in which known malware tools were directly responsible for compromising the U.S. DNC database. Moreover, Gucifrer 2.0 willingly admitted to the attack confirming its involvement in illegally releasing obtained documents associated w/ the DNC.

July 2015: NATO, Afghan Ministry of Foreign Affairs, Pakistani Military

Reports surfaced validating that two-domains ( & were used to host Adobe Flash zero-days to conduct malicious activity on behalf of APT28. The imposed threats had significant impact on business relations performed by NATO, Afghan Ministry of Foreign Affairs, and the Pakistani Military.

February – April 2015: TV5Monde

Registered domain names were linked to ISIS hacktivist group ‘CyberCaliphate’ and indicated ties between APT28 and the pro-ISIL group. Acts including defacement of TV5Monde social media sites and taking over 11 broadcast channels offline. Moreover, the exploit ‘CORESHELL’ had been used to beacon traffic from the compromised TV5Monde network.

APT28 Malware Suite

CHOPSTICK backdoor Xagent, webhp, SPLM, (.v2 fysbis)
GAMEFISH backdoor Sednit, Seduploader, JHUHUGIT, Sofacy
SOURFACE downloader Older version of CORESHELL, Sofacy
OLDBAIT credential harvester Sasfis
CORESHELL downloader Newer version of SOURFACE, Sofacy
Courtesy: FireEye – APT28: At the Center of the Storm. PDF

 Exploited Zero-Day Vulnerabilities

  • Adobe Flash Player
  • Java Windows
  • CVE-2015-1701
  • CVE-2015-2424
  • CVE-2015-2590
  • CVE-2015-3043
  • CVE-2015-5119
  • CVE-2015-7645


The efforts conducted on behalf of Russian Threat Actor APT28 has been closely followed and tracked by various sources since early 2007. For the last year, the media has reported on the current investigation directed by the FBI and other organizations on the recent breach linked to the U.S. 2016 Presidential election. This on-going investigation has been marked as one of the greatest breaches of information since the Watergate scandal. Not only has APT28 been recognized as supporting involvement in this attack; but, a significant amount of other global compromises have occurred due to actions implemented by APT28 that have been publicly acknowledge and documented.