{
	"id": "f01c7b97-aee0-47a2-9bb1-49477ae7a638",
	"created_at": "2026-04-06T00:13:34.310911Z",
	"updated_at": "2026-04-10T03:37:50.068934Z",
	"deleted_at": null,
	"sha1_hash": "983db49b31b51a33cfee6d2c1990abf3c5e9c5a7",
	"title": "Russian cyber-espionage group hits Sanoma",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 419450,
	"plain_text": "Russian cyber-espionage group hits Sanoma\r\nPublished: 2016-05-30 · Archived: 2026-04-05 19:42:49 UTC\r\nThe article is more than 9 years old\r\nYle has obtained new evidence of cyber-attacks on Finnish targets by a cyber-espionage group linked to Russian\r\nstate intelligence. The group, known as Sofacy or Pawn Storm, has attempted to hack into data communications of\r\nFinland's largest group, Sanoma, as well as of a Finnish member of Bellingcat, an international group\r\ninvestigating the Ukraine conflict.\r\nSanoma publishes many of Finland's top newspapers and magazines. Image: Jyrki Lyytikkä / Yle\r\n30.5.2016 20:47Updated 30.5.2016 21:02\r\nThe Tokyo-based security software firm Trend Micro has found strong evidence that employees of Finland's\r\nSanoma corporation have been targeted by an attempted cyber-attack.\r\nThe Russian cyber-espionage group set up a fake server that closely resembled Sanoma's webmail server, Trend\r\nMicro’s Senior Threat Researcher, Feike Hacquebord tells Yle.\r\nHe says the group registered a web address that differed by just one character from the address of Sanoma's\r\ngenuine webmail server.\r\nHacquebord says the attack most likely occurred last August, and that the fake corporate webmail server operated\r\nfor a few weeks before it was shut down.\r\nSanoma confirms attempted breach\r\nhttps://yle.fi/uutiset/osasto/news/russian_cyber-espionage_group_hits_sanoma/8919118\r\nPage 1 of 2\n\nSanoma's Chief Technology Officer Kai Taka-Aho has confirmed the information to Yle.\r\n\"In late April, we were informed by the National Cyber Security Centre Finland (NCSC-FI) of a cyber-espionage\r\ncampaign aimed at targets including Sanoma. 
Other media outlets were also involved,\" he says.\r\nSanoma owns several of Finland's largest newspapers including Helsingin Sanomat and Ilta-Sanomat, along with\r\nNelonen Television and an array of other media outlets.\r\nHacquebord explains that spies use such tactics to gain access to employee emails and to send emails in their\r\nnames.\r\nTaka-Aho says that Sanoma immediately launched its own probe into whether employees had been subjected to\r\nphishing emails, such as requests to change passwords.\r\n\"So far we have not found any evidence that the attackers succeeded or that we even received any phony\r\nmessages. However, we cannot completely rule this out,\" he says.\r\nShadowy group with many names\r\nData security firms refer to the cyber-espionage group behind the attacks by various names including Pawn Storm,\r\nAPT28, Sednit and Sofacy. Hacquebord says the group is part of Russia's state intelligence apparatus. The German\r\nintelligence service has confirmed this assessment.\r\nThe shadowy organisation has been blamed for cyber-attacks in France, Germany, the US and elsewhere.\r\nTaka-Aho says that Sanoma takes the cyber-espionage attempt seriously.\r\n\"Apparently Sanoma is sufficiently large and interesting to make it a target of various players. These kinds of\r\nattacks will very likely continue to be made against us and other Finnish companies in the future,\" he says.\r\nHe adds that Sanoma has since replaced its email system with a more secure one – something he says it would\r\nhave done in any case.\r\nAnother target of the same attempted attack was Veli-Pekka Kivimäki, a Finnish member of Bellingcat, an\r\ninternational group of civic journalists investigating the Ukraine conflict. 
Pawn Storm sought access to his data by\r\nsending him a customised phishing email.\r\nRussian cyber-espionage is the focus of the Yle current affairs programme A-studio beginning at 9pm Monday on\r\nYle TV1.\r\nSource: https://yle.fi/uutiset/osasto/news/russian_cyber-espionage_group_hits_sanoma/8919118\r\nhttps://yle.fi/uutiset/osasto/news/russian_cyber-espionage_group_hits_sanoma/8919118\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://yle.fi/uutiset/osasto/news/russian_cyber-espionage_group_hits_sanoma/8919118"
	],
	"report_names": [
		"8919118"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434414,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/983db49b31b51a33cfee6d2c1990abf3c5e9c5a7.pdf",
		"text": "https://archive.orkl.eu/983db49b31b51a33cfee6d2c1990abf3c5e9c5a7.txt",
		"img": "https://archive.orkl.eu/983db49b31b51a33cfee6d2c1990abf3c5e9c5a7.jpg"
	}
}