APT28 is an adversary group that has been active since at least 2007. The group has been observed targeting mostly military or government entities and has been linked publicly to intrusions into the German Bundestag, France's TV5 Monde TV station in 2015, and the DNC in April 2016. The incidents linked to this group have been analyzed by different security companies and independent researchers. Each of these companies labels already discovered and named APT groups with its own naming convention, so the group is also known as "Sofacy", "Fancy Bear", "Sednit", "Pawn Storm", "TsarTeam" and "Strontium".
The motives of APT28 can be evaluated by observing the strategies used in its campaigns. The group is known for its interest in secret geopolitical information that would be relevant to Russia; accordingly, its targets include the Government, Aerospace, Defense, Energy and Media sectors. The group does not exfiltrate financial information or sell the information it has gathered from its targets. Instead, it uses tactics for monitoring every move of the opponent while trying to remain unseen. This is an effective tactic, because by following the movements of others the threat actor gains valuable insights into its target's habits, routines, and secrets. This tactic is the preeminent device of detectives and spies, and APT28 uses it to gather strategic state information that could be used to influence political decisions, public opinion, or geographical issues.
This research focuses on the most interesting or sufficiently reported capabilities and attacks associated with this APT group and does not represent an exhaustive list of all TTPs the group uses.