THREATOPS Actor Dossier
LIVE ← Dashboard

APT28

G00072 reports
aliases · APT28 · IRON TWILIGHT · SNAKEMACKEREL · Swallowtail · Group 74 · Sednit · Sofacy · Pawn Storm · Fancy Bear · STRONTIUM · Tsar Team · Threat Group-4127 · TG-4127 · Forest Blizzard · FROZENLAKE · GruesomeLarch
Export dossier:
2
Reports
6
Techniques
5
Tactics
3
Countries
67%
Hunt coverage
16
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1590.005 (IP Addresses), T1059.001 (PowerShell), T1556.006 (Multi-Factor Authentication).
  • Primary targeting: RU, UA, US.
  • Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
  • Hunt coverage 67% of 6 observed techniques (2 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2024-11-22 · last 2026-03-10
0
7d
0
30d
0
90d
2
All
0.0
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

Dropped (90d+)
T1590.005T1059.001T1556.006T1589.001T1027.015T1669

Vulnerabilities in this actor's reporting · 4

Overview

Analyst triage
Intelligence summary

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected