APT28 - SparTech Software

APT28, also known as Fancy Bear, Sofacy, Forest Blizzard, and several other aliases, is a Russian state-sponsored cyber espionage group attributed to the GRU’s 85th Main Special Service Center (military unit 26165). Active since at least 2004, APT28 is recognized for its advanced cyber operations targeting governments, military, defense, technology, logistics, and media sectors worldwide.

Tactics, Techniques, and Procedures (TTPs)

• Spearphishing: Highly targeted emails with malicious links or attachments, often exploiting zero-day vulnerabilities.
• Credential Harvesting: Use of phishing sites, malicious OAuth applications, and brute-force attacks to steal login credentials.
• Malware & Toolkits: Deployment of custom malware such as Sofacy, X-Agent, X-Tunnel, and CHOPSTICK for espionage, persistence, and data exfiltration.
• Strategic Web Compromise: Watering hole attacks and drive-by downloads via compromised websites frequented by targets.
• Lateral Movement & Persistence: Use of stolen credentials, privilege escalation, and rootkits (e.g., LoJax UEFI rootkit) to maintain long-term access.
• Data Exfiltration: Use of encrypted channels, public cloud services, and chunked data transfers to evade detection.

Common Targets

• Government agencies and critical infrastructure in NATO countries, Ukraine, and the U.S.
• Technology, logistics, and transportation firms, especially those supporting Ukraine.
• Media, political organizations, and international institutions.

Associated IP addresses

June 2024:
• 192.162.174.94
• 103.97.203.29
• 209.14.71.127
• 109.95.151.207
• 64.176.67.117
• 64.176.69.196
• 64.176.70.18
• 64.176.70.238
• 64.176.71.201
• 70.34.242.220
• 70.34.243.226
• 70.34.244.100
• 70.34.245.215
• 70.34.252.168
• 70.34.252.186
• 70.34.252.222
• 70.34.253.13
• 70.34.253.247
• 70.34.254.245

July 2024:
• 207.244.71.84
• 162.210.194.2
• 46.112.70.252
• 46.248.185.236
• 83.168.78.27
• 83.168.78.31
• 83.168.78.55
• 83.23.130.49
• 83.29.138.115
• 89.64.70.69
• 90.156.4.204
• 91.149.202.215
• 91.149.203.73
• 91.149.219.158
• 91.149.219.23
• 91.149.223.130
• 91.149.253.118
• 91.149.253.198
• 91.149.253.20

August 2024:
• 31.135.199.145
• 31.42.4.138
• 83.10.46.174
• 83.168.66.145
• 91.149.253.204
• 91.149.254.75
• 91.149.255.122
• 91.149.255.19
• 91.149.255.195
• 91.221.88.76
• 93.105.185.139
• 95.215.76.209
• 138.199.59.43
• 147.135.209.245
• 178.235.191.182
• 178.37.97.243
• 185.234.235.69
• 192.162.174.67
• 194.187.180.20
• 212.127.78.170
• 213.134.184.167

Synonyms:

Fancy Bear, Sofacy, Pawn Storm, Forest Blizzard, Strontium, Sednit, Tsar Team

How to hijack a television broadcast signal.
Broadcast signal hijacking—also known as broadcast signal intrusion—is the unauthorized takeover of television (or radio) signals, allowing attackers to inject their own content into a broadcast. Over the years, several methods have been used to achieve this, ranging from physical tampering to sophisticated cyberattacks.
Russia’s APT28 (Fancy Bear) uses Signal to deploy BEARDSHELL and COVENANT malware on Ukranian targets.
Russian state-sponsored hackers APT28 (also known as Fancy Bear or UAC-0001) have deployed a sophisticated malware campaign against Ukrainian government targets using Signal messenger to deliver malicious payloads. This operation leverages two previously undocumented malware families—BEARDSHELL and COVENANT—disguised within seemingly harmless files.
Microsoft, CrowdStrike Lead Effort to Map Threat Actor Names
Microsoft and CrowdStrike announced on Monday that they are spearheading an industry initiative to map threat actor names. Their objective is to simplify the process for the cybersecurity community to align intelligence effectively.
LameHug Malware: AI-Powered Data Theft on Windows Systems.
LameHug is a recently identified malware family that marks a significant evolution in cyberattack tactics. Distinctively, it harnesses a large language model (LLM) to generate Windows data-theft commands dynamically in real time, enhancing its ability to adapt, evade detection, and target sensitive information on compromised computers.
Russia’s state-sponsored APT28 threat actors are employing a previously unknown software called Authentic Antics against email systems.
The UK’s National Cyber Security Centre (NCSC) has identified a new cyber espionage campaign attributed to Russian military intelligence operatives. According to a recent report, threat actors associated with the GRU—specifically the well-known group APT28—have been actively utilizing a previously unknown malicious software known as “Authentic Antics” to carry out targeted cyber operations against email systems.

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Tactics, Techniques, and Procedures (TTPs)

Common Targets

Associated IP addresses

Related