
Cyber Threat Actor: APT28

Aliases: 4 aliases
Actor Type: Nation State
Location: Russia
Known Incidents: 142 incidents
Profile

Sednit, also tracked as APT28, Fancy Bear, Sofacy, BlueDelta and Strontium, is a threat actor publicly linked to Russia’s General Staff Main Intelligence Directorate (GRU) and assessed to operate from Russian territory. The group has been observed conducting cyber‑espionage campaigns that align with Russian state interests, including the collection of military and governmental intelligence in support of the invasion of Ukraine and the execution of influence and disinformation operations aimed at undermining Western institutions. Its targeting has repeatedly included Ukrainian government entities, among them government email servers and military‑related organizations, as well as European and North‑American think tanks, defense contractors, energy providers, transportation networks and political organizations such as the German Bundestag, the U.S. Democratic National Committee and the Democratic Congressional Campaign Committee. The actor’s strategic objectives, as described in open‑source reporting, are to harvest credentials and sensitive data for intelligence gathering, to deploy malware that maintains persistent access, and to leak stolen information in order to shape public narratives in favor of Russian policy goals.

Observed tactics, techniques and procedures for this actor include spearphishing emails that lure targets into opening malicious attachments or links, the exploitation of specific software vulnerabilities to gain initial access, and the deployment of custom malware for exfiltration and persistence. Notably, the group has leveraged flaws in the Roundcube webmail platform (CVE‑2020‑35730, CVE‑2020‑12641, CVE‑2021‑44026) to run reconnaissance and data‑theft scripts on compromised Ukrainian government email servers. It has also exploited a zero‑day vulnerability in Microsoft Outlook (CVE‑2023‑23397) to steal credentials and move laterally within victim networks, and abused an older SNMP flaw in Cisco IOS routers (CVE‑2017‑6742) to install the non‑persistent Jaguar Tooth malware, which exfiltrates router configuration data and provides unauthenticated backdoor access. Additional observed behaviors include credential harvesting through brute‑force and password‑spray attacks, the use of thousands of rotating IP addresses associated with the Tor network to obfuscate command‑and‑control traffic, and the deployment of malicious scripts that redirect email traffic, steal address books and session cookies, and maintain long‑term access to compromised systems.

Publicly reported operations attributed to Sednit/APT28 encompass the 2015 intrusion into the German Federal Parliament, the 2016 breaches of the Democratic National Committee and Democratic Congressional Campaign Committee, the 2023 campaign against Ukrainian government email servers leveraging the Roundcube vulnerabilities, the 2023 Jaguar Tooth activity on Cisco routers, and repeated targeting of European and North‑American think tanks and defense‑related entities beginning in 2020. These activities collectively illustrate a pattern of state‑aligned espionage and influence activity conducted by the group.
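Two of the credential-harvesting behaviors listed above, password spraying and single-account brute force, leave distinguishable traces in authentication logs: a spray touches many accounts a few times each from several source IPs, while a brute-force attack hammers one account. As an added example that is not part of this profile or any vendor's product, the following Python buckets failed logons into 10-minute windows and flags each pattern over a constructed sample; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical "timestamp user source_ip result" format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 alice 198.51.100.7 FAIL
2024-05-01T08:00:04 bob 198.51.100.7 FAIL
2024-05-01T08:00:09 carol 203.0.113.21 FAIL
2024-05-01T08:00:15 dave 203.0.113.21 FAIL
2024-05-01T08:00:22 erin 192.0.2.88 FAIL
2024-05-01T08:00:30 frank 192.0.2.140 FAIL
2024-05-01T08:01:02 alice 198.51.100.7 OK
2024-05-01T09:00:01 bob 203.0.113.5 FAIL
2024-05-01T09:00:03 bob 203.0.113.5 FAIL
2024-05-01T09:00:05 bob 203.0.113.5 FAIL
2024-05-01T09:00:08 bob 203.0.113.5 FAIL
2024-05-01T09:00:11 bob 203.0.113.5 FAIL
2024-05-01T09:00:14 bob 203.0.113.5 FAIL
2024-05-01T09:05:00 carol 203.0.113.9 OK
"""

def failures_by_window(text, window_minutes=10):
    """Group failed logons into fixed time windows -> {window_start: [(user, ip), ...]}."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        if result != "FAIL":
            continue
        t = datetime.fromisoformat(ts)
        start = t.replace(minute=t.minute - t.minute % window_minutes, second=0)
        buckets[start].append((user, ip))
    return buckets

def classify(text, min_users=5, max_per_user=2, min_ips=3, brute_threshold=5):
    """Spray: many accounts, few tries each, several IPs. Brute force: one account hammered."""
    alerts = []
    for start, fails in sorted(failures_by_window(text).items()):
        per_user = defaultdict(int)
        for user, _ in fails:
            per_user[user] += 1
        ips = {ip for _, ip in fails}
        if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                and len(ips) >= min_ips):
            alerts.append({"kind": "password_spray", "start": start.isoformat(),
                           "users": len(per_user), "ips": len(ips)})
        for user, n in per_user.items():
            if n >= brute_threshold:
                alerts.append({"kind": "brute_force", "start": start.isoformat(),
                               "user": user, "attempts": n})
    return alerts
```

Fixed windows are simple but can split a burst across a boundary; a sliding window or per-IP rate tracking is the usual refinement when rotating source addresses are in play.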

Incidents: 142 attributed incidents (available to members)
Sources: 68 sources (available to members)