Sofacy, APT 28, Fancy Bear, Sednit
Archived: 2026-04-05 18:36:37 UTC

APT group: Sofacy, APT 28, Fancy Bear, Sednit

Names
- Sofacy (Kaspersky)
- APT 28 (Mandiant)
- Fancy Bear (CrowdStrike)
- Sednit (ESET)
- Group 74 (Talos)
- TG-4127 (SecureWorks)
- Pawn Storm (Trend Micro)
- Tsar Team (iSight)
- Strontium (Microsoft)
- Swallowtail (Symantec)
- SIG40 (NSA)
- Snakemackerel (iDefense)
- Iron Twilight (SecureWorks)
- ATK 5 (Thales)
- T-APT-12 (Tencent)
- ITG05 (IBM)
- TAG-0700 (Recorded Future)
- UAC-0028 (CERT-UA)
- FROZENLAKE (Google)
- Grey-Cloud (?)
- Grizzly Steppe (US Government), together with APT 29, Cozy Bear, The Dukes
- Forest Blizzard (Microsoft)
- GruesomeLarch (Volexity)
- BlueDelta (Recorded Future)
- TA422 (Proofpoint)
- Fighting Ursa (Palo Alto)
- Blue Athena (PWC)
- UAC-0063 (CERT-UA)
- TAG-110 (Recorded Future)
- G0007 (MITRE)

Country: Russia
Sponsor: State-sponsored, two GRU units known as Unit 26165 and Unit 74455
Motivation: Information theft and espionage
First seen: 2004

Description
APT 28 is a threat group that has been attributed to Russia’s Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. APT 28 has been active since at least January 2007.

(FireEye) APT28 likely seeks to collect intelligence about Georgia’s security and political dynamics by targeting officials working for the Ministry of Internal Affairs and the Ministry of Defense. APT28 has demonstrated interest in Eastern European governments and security organizations. These victims provide the Russian government with an ability to predict policymaker intentions and gauge its ability to influence public opinion.

APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe.

Sofacy may be related to Hades, but it could be a false flag as well.

Observed
Sectors: Automotive, Aviation, Chemical, Construction, Defense, Education, Embassies, Energy, Engineering, Financial, Government, Healthcare, Industrial, IT, Media, NGOs, Oil and gas, Think Tanks and Intelligence organizations.
Countries: Afghanistan, Armenia, Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chile, China, Croatia, Cyprus, France, Georgia, Germany, Hungary, India, Iran, Iraq, Italy, Japan, Jordan, Kazakhstan, Latvia, Malaysia, Mexico, Mongolia, Montenegro, Netherlands, Norway, Pakistan, Poland, Romania, Saudi Arabia, Slovakia, South Africa, South Korea, Spain, Sweden, Switzerland, Tajikistan, Thailand, Turkey, Uganda, UAE, Ukraine, USA, Uzbekistan, NATO and APEC and OSCE.

Tools used
Cannon, certutil, CHERRYSPY, Computrace, CORESHELL, DealersChoice, Downdelph, Drovorub, Foozer, GooseEgg, Graphite, HATVIBE, Headlace, HIDEDRV, Impacket, JHUHUGIT, Koadic, Komplex, LoJax, MASEPIE, Mimikatz, Nimcy, OCEANMAP, OLDBAIT, PocoDown, ProcDump, PythocyDbg, Responder, Se, Sedreco, SkinnyBoy, SMBExec, STEELHOOK, USBStealer, VPNFilter, Winexe, WinIDS, X-Agent, X-Tunnel, Zebrocy, Living off the Land.

Operations performed

2011/2012
Back in 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as its first stage malware. The implant shared certain similarities with the old Miniduke implants. This led us to believe the two groups were connected, at least to begin with, although it appears they parted ways in 2014, with the original Miniduke group switching to the CosmicDuke implant.
2013
At some point during 2013, the Sofacy group expanded its arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across four to five generations) and a few others. We’ve seen quite a few versions of these implants and they were relatively widespread for a time.

Oct 2014: Operation “Pawn Storm”
Target: Several foreign affairs ministries from around the globe.
Method: Spear-phishing e-mails with links leading to an Adobe Flash exploit.

Dec 2014: Six-month-long cyberattack on the German parliament

Apr 2015: Compromise of TV5Monde in France
“A group calling itself the Cyber Caliphate Army (CCA), United Cyber Caliphate (UCC), linked to the so-called Islamic State, first claimed responsibility. But an investigation now suggests the attack was in fact carried out by a group of Russian hackers.”

Apr 2015: Operation “Russian Doll”
Method: Adobe Flash 0-day

Apr 2015: Compromise of the German Parliament (Bundestag) network

Jul 2015: Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit

Aug 2015: EFF spoof, White House and NATO attack
Method: Zero-day exploit of Java, spoofing the Electronic Frontier Foundation and launching attacks on the White House and NATO. The hackers used a spear-phishing attack, directing emails to the false URL electronicfrontierfoundation.org.

Sep 2015: Bootstrapped Firefox Add-on

Oct 2015: Attack on Bellingcat
Eliot Higgins and other journalists associated with Bellingcat, a group researching the shoot-down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spear-phishing emails. The messages were fake Gmail security notices with Bit.ly and TinyCC shortened URLs.

Oct 2015: Attack on Dutch Safety Board
The group targeted the Dutch Safety Board, the body conducting the official investigation into the crash, before and after the release of the board’s final report. They set up fake SFTP and VPN servers to mimic the board’s own servers, likely for the purpose of spear-phishing usernames and passwords.

Jan 2016: Pawn Storm Campaign Adds Turkey To Its List of Targets

May 2016: Russian cyber-espionage group hits Sanoma

Jun 2016: Breach of Democratic National Committee
Fancy Bear carried out spear-phishing attacks on email addresses associated with the Democratic National Committee in the first quarter of 2016. On March 10, phishing emails that were mainly directed at old email addresses of 2008 Democratic campaign staffers began to arrive. One of these accounts may have yielded up-to-date contact lists. The next day, phishing attacks expanded to the non-public email addresses of high-level Democratic Party officials. Hillaryclinton.com addresses were attacked, but required two-factor authentication for access. The attack redirected towards Gmail accounts on March 19th. Podesta’s Gmail account was breached the same day, with 50,000 emails stolen.
Another sophisticated hacking group attributed to the Russian Federation, nicknamed APT 29, Cozy Bear, The Dukes, appears to be a different agency, one more interested in traditional long-term espionage.

Jun 2016: “Exercise Noble Partner 2016” spear-phishing e-mail
Method: Spear-phishing e-mail
Target: USA government

Aug 2016: World Anti-Doping Agency
Method: Phishing emails sent to users of its database claiming to be official WADA communications requesting their login details.
Sep 2016: Operation “Komplex”

Oct 2016: Operation “DealersChoice”

Feb 2017: Attack on Dutch ministries
In February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands revealed that Fancy Bear and Cozy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents.

Feb 2017: Russian Hackers ‘Fancy Bear’ Targeted French Presidential Candidate Macron

Feb 2017: IAAF Hack
The officials of the International Association of Athletics Federations (IAAF) stated in April 2017 that its servers had been hacked by the “Fancy Bear” group. The attack was detected by cybersecurity firm Context Information Security, which identified that an unauthorized remote access to IAAF’s servers had taken place on February 21. IAAF stated that the hackers had accessed the Therapeutic Use Exemption applications, needed to use medications prohibited by WADA.

Apr 2017: German elections
They targeted the German Konrad Adenauer Foundation and Friedrich Ebert Foundation, groups that are associated with Angela Merkel’s Christian Democratic Union and the opposition Social Democratic Party, respectively. Fancy Bear set up fake email servers in late 2016 to send phishing emails with links to malware.

Early 2017: SPLM backdoor
Target: Included defense-related commercial and military organizations, and telecommunications. Targeting included TR, KZ, AM, KG, JO, UK, UZ.
Method: SPLM/CHOPSTICK/Xagent

Jun 2017: Heavy Zebrocy deployments
Targeting profiles, spear-phish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:
- Business accounting practices and standards
- Science and engineering centers
- Industrial and hydro chemical engineering and standards/certification
- Ministry of foreign affairs
- Embassies and consulates
- National security and intelligence agencies
- Press services
- Translation services
- NGO – family and social service
- Ministry of energy and industry
Method: The Zebrocy chain follows a pattern: spear-phish attachment -> compiled AutoIt script (downloader) -> Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.

Jul 2017: APT28 Targets Hospitality Sector, Presents Threat to Travelers

Oct 2017
In this case it capitalized on the recent terrorist attack in New York City. The document itself is blank. Once opened, the document contacts a control server to drop the first stage of the malware, Seduploader, onto a victim’s system.

Oct 2017: Russian hackers attack peace movement Pax

Jan 2018: Breach of the International Olympic Committee
On January 10, 2018, the “Fancy Bears Hack Team” online persona leaked what appeared to be stolen International Olympic Committee (IOC) and U.S. Olympic Committee emails, dated from 2016 to early 2017, in apparent retaliation for the IOC’s banning of Russian athletes from the 2018 Winter Olympics as a sanction for Russia’s systematic doping program. The attack resembles the earlier World Anti-Doping Agency (WADA) leaks. It is not known whether the emails are fully authentic, because of Fancy Bear’s history of salting stolen emails with disinformation. The mode of attack was also not known, but was probably phishing.

Feb 2018: Attacks on Multiple Government Entities
Target: Ministries of Foreign Affairs of the USA and Romania.
Method: Spear-phishing using the subject line “Upcoming Defense events February 2018” and a sender address claiming to be from Jane’s 360 defense events.

Mar 2018
On March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice. The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed.

May 2018: Breach of the Swedish Sports Confederation
The Swedish Sports Confederation reported Fancy Bear was responsible for an attack on its computers, targeting records of athletes’ doping tests.

May 2018: VPNFilter IoT botnet
See also ThaiCERT’s whitepaper.

Jun 2018
This third campaign is consistent with two previously reported attack campaigns in terms of targeting: the targets were government organizations dealing with foreign affairs. In this case however the targets were in different geopolitical regions.

Aug 2018: Attacks on United States Conservative Groups
The software company Microsoft reported in August 2018 that the group had attempted to steal information from political organizations such as the International Republican Institute and the Hudson Institute think tanks. The attacks were thwarted when Microsoft security staff won control of six net domains. In its announcement Microsoft advised that “we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains”.

Oct 2018: Operation “Dear Joohn”
Target: The weaponized documents targeted several government entities around the globe, including North America, Europe, and a former USSR state.
Method: New ‘Cannon’ Trojan

2018: BREXIT-themed lure document
Brexit-themed bait documents to deliver the Zekapab (also known as Zebrocy) first-stage malware, sent on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU).

Feb 2019: 2019 Think Tank Attacks
In February 2019, Microsoft announced that it had detected spear-phishing attacks from APT28 aimed at employees of the German Marshall Fund, Aspen Institute Germany, and the German Council on Foreign Relations. Hackers from the group purportedly sent phishing e-mails to 104 addresses across Europe in an attempt to gain access to employer credentials and infect sites with malware.

Feb 2019: Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets
iDefense assesses with moderate confidence that the actors may be targeting attendees and sponsors of the upcoming Underwater Defense & Security 2019 event occurring March 5-7, 2019, in Southampton, United Kingdom. This event draws attendees from government, military and private sector entities across the globe.

Apr 2019
In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices. Further research uncovered attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations.

Apr 2019: Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials

May 2019
Since May 2019, Pawn Storm has been abusing compromised email addresses to send credential phishing spam. The majority of the compromised systems were from defense companies in the Middle East. Other targets included organizations in the transportation, utilities, and government sectors.
Aug 2019
On August 20th, 2019, a new campaign was launched by the group targeting their usual victims: embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries.

Aug 2019
APT28, one of Russia’s military hacking units, was most likely responsible for hacking the email accounts of the Norwegian Parliament, the Norwegian police secret service (PST) said today.

Sep 2019
At least 16 national and international sporting and anti-doping organizations across three continents were targeted in these attacks, which began September 16th, just before news reports about new potential action being taken by the World Anti-Doping Agency. Some of these attacks were successful, but the majority were not.

Nov 2019
Beginning in early November of 2019, the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) launched a phishing campaign targeting Burisma Holdings, a holding company of energy exploration and production companies based in Kiev, Ukraine.

Apr 2020
Microsoft has tied STRONTIUM to a newly uncovered pattern of Office365 credential harvesting activity aimed at US and UK organizations directly involved in political elections.

May 2020
Pawn Storm scanned IP addresses worldwide, including IP addresses from the defense industry in Europe, on TCP ports 445 and 1433, likely in an attempt to find vulnerable SMB and SQL servers to brute-force credentials.

Aug 2020: New cyberattacks targeting U.S. elections

Aug 2020: APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure

Nov 2020: A Zebra in Gopher’s Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy

2021: France says Russian state hackers breached numerous critical networks

Jun 2021: A not so Fancy game. Exploring the new “SkinnyBoy” Bear’s backdoor

Jun 2021: Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets

Sep 2021: Google notifies 14,000 Gmail users of targeted APT28 attacks

Feb 2022: The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

Feb 2022
FancyBear/APT28, a threat actor attributed to the Russian GRU, has conducted several large credential phishing campaigns targeting ukr.net users. UkrNet is a Ukrainian media company.

Feb 2022: BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities

Apr 2022
APT28 or Fancy Bear, a threat actor attributed to the Russian GRU, was observed targeting users in Ukraine with a new variant of malware.

Apr 2022: Pawn Storm Uses Brute Force and Stealth Against High-Value Targets

Sep 2022: In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants

Mar 2023: TA422’s Dedicated Exploitation Loop—the Same Week After Week

Apr 2023: Hackers use fake ‘Windows Update’ guides to target Ukrainian govt

Apr 2023: GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns

Aug 2023: ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

Sep 2023: Ukraine says an energy facility disrupted a Fancy Bear intrusion

Sep 2023: Fighting Ursa Aka APT28: Illuminating a Covert Campaign

Sep 2023: Operation “Steal-It”

Sep 2023: Operation “RoundPress”

Dec 2023: Russian hackers exploiting Outlook bug to hijack Exchange accounts

Dec 2023: Russian military hackers target Ukraine with new MASEPIE malware

Feb 2024: Russian hackers hijack Ubiquiti routers to launch stealthy attacks

Mar 2024: Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

Mar 2024: Fighting Ursa Luring Targets With Car for Sale

Mar 2024: APT28 hackers use Signal chats to launch new malware attacks on Ukraine

Early 2024: MITRE: Russian APT28’s LameHug, a Pilot for Future AI Cyber-Attacks

May 2024: Poland says Russian military hackers target its govt networks

Jul 2024: Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware

Jul 2024: Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY

Sep 2024: German Cyber Agency Investigating APT28 Phishing Campaign

Sep 2024: French Cyber Agency Warns of APT28 Hacks Against Think Tanks

Sep 2024: UAC-0063: Cyber Espionage Operation Expanding from Central Asia

Oct 2024: Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations

Jan 2025: Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Templates

Counter operations

May 2018: Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices

Jul 2018: Mueller indicts 12 Russians for DNC hacking as Trump-Putin summit looms

Aug 2018: Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains

Oct 2018: US charges Russian military officers over international hacking and disinformation campaigns

May 2020: German authorities charge Russian hacker for 2015 Bundestag hack

Apr 2022: Disrupting cyberattacks targeting Ukraine

Apr 2023: Hacked: Russian GRU officer wanted by the FBI, leader of the hacker group APT 28

Jan 2024: Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)

Apr 2025: France ties Russian APT28 hackers to 12 cyberattacks on French orgs

Information: MITRE ATT&CK, Playbook

Last change to this card: 16 August 2025
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e6037735-ed1b-4ae3-a45b-45d66e2c80f1