APT28 is an adversary group which has been active since at least 2007. This group was identified to be targeting mostly military or government entities and has been linked publicly to intrusions into the German Bundestag  [1], France’s TV5 Monde TV station in 2015 [2] and the DNC [3] in April 2016. The incidents linked to this group have been analyzed by different security companies and independent researchers. These companies label already discovered and named APT Groups with their own name convention. Therefore, the group is also known as “Sofacy”, “Fancy Bear”, “Sednit”, “Pawn Storm”, “TsarTeam” and “Strontium”.

The motives of APT28 can be evaluated by observing the strategies they used in their campaigns. The group is known for its interest in secret geopolitical information that would be relevant to Russia. Therefore, their targets include Government, Aerospace, Defense, Energy and Media sectors. However, the group does not exfiltrate financial information or sell the information it has gathered from its targets. Instead, it uses tactics for monitoring every move of the opponent while trying to remain unseen. This is an effective tactic, because by following the movements of others the threat actor is able to gain valuable insights into his target’s habits, routines, and secrets. This tactic is the preeminent device for detectives and spies and is used by APT28 for gathering strategic state information that could be used to influence political decisions, public opinion, or geographical issues.

This research focuses on the most interesting or sufficiently reported capabilities and attacks associated with this APT group and do not represent an exhaustive list of all TTPs this group uses.

Malware Components

APT28 is known to have the capability of targeting various operating systems, including Microsoft Windows, Linux and Apple iOS. Additionally, their malware is capable of targeting air-gaped networks via USB drive infections. The tools targeting Windows systems are mostly backdoors and information stealers. The capabilities of these include logging key strokes and stealing system information which is then sent to remote C&C servers. Upon successful exploitation through one of the attack vectors described in section Initial Compromise, a downloader (SOURFACE) is written to disk. Its main purpose is to contact the C&C server and obtain the second-stage backdoor.

Another backdoor, described as CHOPSTICK by FireEye in its report, starts collecting detailed information from the infected host. This information includes Microsoft Windows operating system version, CPU architecture, Windows Firewall state, User Account Control (UAC) configuration settings and Internet Explorer settings. One variant of this backdoor contained modules for collecting Microsoft Office documents and PGP files. Additionally, it tests for installation of specific security products and applications. Apart from collecting host information, the backdoor has the ability to record user activity on the infected host by making desktop screenshots, recording keystrokes and monitoring active application windows. Moreover, FireEye reported that CHOPSTICK backdoors are compiled within a modularized development framework. Therefore, depending on the included modules at compile time, these backdoors may contain different functionality [4].

Another variant of the backdoor (EVILTOSS), which is also being delivered through the downloader, contains functionalities allowing it to access the file system and registry, enumerate network resources, create processes, log keystrokes, access of stored credentials, and shellcode execution. Additionally, this backdoor uses RSA key based encryption in order to hinder investigation efforts. Finally, a variant of this backdoor is suspected to be first seen as early as 2004 indicating that the campaigns by APT28 might be conducted for more than 10 years.

Techniques Matrix

The threat actor named as APT30 by FireEye is considered to be speaking Chinese. The language artifacts can be found by analyzing the metadata and the user interface of the malware used by APT30. The list of confirmed targets consists of companies and organizations in various fields operating in India, South Korea, Malaysia, Vietnam, Thailand, Saudi Arabia and United States. In addition to the confirmed countries, other countries in the region, like Singapore, Myanmar, Japan, etc., are also suspected to be targeted by the APT30 group [5].

From the publicly available information it is clear that APT30 is a motivated and determined threat group. A clear indication for this is the consistent long-term missions lasting for more than 10 years. Moreover, the tools used to carry out their attacks shows a strictly organized hierarchy and a consistent development indicating an involvement of a highly interested party which supports their attacks [5].

The APT30 group is linked to another threat actor named as Naikon. While Naikon seems to be also originating from within the China country, there is little evidence which correlates between these actors. Therefore, in order to analyze TTPs of this actor, the research focuses on indicators strictly associated with the group APT30.

Malware Components

The malware used by the APT30 group mainly targets Microsoft Windows operating systems. The core arsenal of this threat actor consists of two backdoors: BACKSPACE and NETEAGLE. These backdoors are usually delivered with attachments during a Spear-Phishing attack, either directly or via droppers. In addition to backdoors, SHIPSHAPE, SPACESHIP and FLASHFLOOD components are used in order to spread to air-gapped networks. The purpose of these components is to infiltrate systems disconnected from the network and steal valuable information [5]. The following table summarizes the first and last known compilation dates of the most common pieces of malware used by APT30.

While BACKSPACE and NETEAGLE are different backdoors, they have multiple variations. Certain variants of both backdoors have modular design allowing attackers to create a customized version which suits specific environment of the target. While there are quite a lot of slight differences between BACKSPACE and NETEAGLE, the most notable difference is the usage of RC4 encryption in NETEAGLE’s variants compared to plain-text data transmission in BACKSPACE. This shows attacker’s attempt to use encryption as a technique of covering malicious activities from investigators. On the other hand, BACKSPACE included some notable features like ability to bypass host based firewalls in variations of ZR branch or a capability to reach out systems within the targets network having no direct internet access (variations in ZJ branch). Moreover, BACKSPACE variants implement a technique that allows to transmit metadata (such as file name, attributes, size, MAC time) to the threat actor who can then select files for uploading, resulting in less traffic transmitted over the target network and therefore reduces the chance of drawing attention. So, BACKSPACE and NETEAGLE seem to extend the capabilities of the APT30 group rather than replace each other.

SHIPSHAPE targets removable and fixed drives with a likely intent to spread malware to other systems. It targets drives with specific size and replaces files and folders on targeted drives by setting the hide option on the original files and planting SPACESHIP executables from specified paths on the computer infected with SHIPSHAPE. In order to be efficient, SHIPSHAPE is designed to name the executables under the names of the original files which were residing on the target drives. The purpose of the SPACESHIP component is to steal files based on a specified set of file extensions by copying these files to a removable drive inserted into the air-gapped systems infected with SPACESHIP. Identified samples of FLASHFLOOD have the capability to log or copy system information and contacts from the victim computer and implement similar capabilities to SPACESHIP, such as the same encoding process and the capability to search for and archive files based on pre-configured patterns. Unlike SPACESHIP, FLASHFLOOD scans inserted removable drives for interesting files in order to copy them from the removable drive to the computer infected with FLASHFLOOD.

Less documented malware components are MILKMAID and ORANGEADE droppers used by APT30 to install downloaders, such as CREAMSICLE, BACKBEND and GEMCUTTER. The purpose of those downloaders is to fetch and install BACKSPACE and NETEAGLE backdoors or to assure their persistence. The advantage of using droppers is small size of the component and lower likelihood of triggering Anti-Virus solutions which allows attackers to remain stealth.

Finally, traces of extensive versioning maintained by the group indicate that the malware used during their activities is developed continuously by adding new functions which allow to perform more sophisticated attacks. Moreover, actors try to make sure their targets are running the most recent version of the malware as the self-update functionality was observed across multiple samples of their backdoors. It is also important to note that an attempt to protect the backdoor controller software by implementing hardware checks indicates that this malicious software is intended to be used by a narrow group of users on a specific infrastructure.

Techniques Matrix

1. Guarnieri, C. (2015, June 19).
https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/

2. Trend Micro. (2015, June 10).
https://blog.trendmicro.com/tv5-monde-russia-and-the-cybercaliphate/

3. Alperovitch, D. (2016, June 15).
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

4. FireEye, Inc. (2014). APT28: A Window int Russia’s Cyber Espionage Operations?
https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf

5. Fireeye Labs. (2015). APT30 and the mechanics of a long-running cyber espionage operation.
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf