APT28 Aka Fancy Bear: A Familiar Foe By Many Names

We are looking at the biggest threats on the cybersecurity scene – and the most nefarious hacker groups behind them – and this week the spotlight turns to APT28, or Fancy Bear. Don’t let the name fool you. There is nothing cute about Fancy Bear, which is also known as Pawn Storm, Sednit, STRONTIUM, and Sofacy. Just like John Wick is known in the Russian underworld as ‘Baba Yaga,’ this group has Russian roots and probably has additional names on that scene.

A Big Name Among Big Names

APT28 is a notorious cyber espionage group that has been active since at least 2007. It has been known to target governments, military organizations, and other high-value targets in various countries using its signature techniques. The group has been linked to several high-profile cyberattacks, including the alleged 2016 US presidential election hack and the 2017 NotPetya malware attack.

One of the most notable campaigns associated with APT28 is the 2016 hack of the Democratic National Committee (DNC) in the United States. This attack resulted in the theft of sensitive emails and other information that were later leaked to the public and was seen as an attempt to interfere with the US presidential election. It was widely condemned. More recently, CISA said it discovered the Russian hacking group had infiltrated a satellite communications provider with critical infrastructure customers.

A Profile in Malice

APT28 is considered to be a highly sophisticated and well-funded state-sponsored group backed by the Russian government. The group has been the subject of several high-profile reports and warnings from cybersecurity companies and government agencies, including the US Department of Homeland Security. It targets governments, military organizations, media, research, and private sector companies for the purpose of gathering intelligence, stealing sensitive information, and criminal financial gain.


APT28 is known for its use of advanced malware and hacking techniques to gain access to its targets’ networks. Beyond malware and spear-phishing, the group is also known for “watering hole” attacks, in which it infects websites that its targets are known to frequent. It also uses “living-off-the-land” tactics, relying on legitimate tools and infrastructure already present on a victim’s network to move laterally and evade detection.

APT28 is known for using a variety of command and control (C2) infrastructure to communicate with its malware and to exfiltrate stolen data. This infrastructure often combines different protocols, such as HTTP and DNS, which makes it difficult to detect and block. One of the group’s best-known tools is Sednit, which has been used in several APT28 campaigns. Sednit is a sophisticated piece of malware that can steal sensitive information and maintain a persistent presence on a victim’s network.

The group also uses spear-phishing campaigns to target specific individuals and gain access to their networks. These campaigns often use social engineering tactics, such as sending emails that appear to be from a trusted source, to trick victims into clicking on malicious links or attachments.

Defending Against APT28

Organizations can protect themselves against APT28 and other advanced threat actors by implementing strong cybersecurity measures. These include:

  • Partnerships with reputable Managed Security Service Providers (MSSPs)
  • Regular software updates and patching
  • Employee education and training on security best practices
  • Incident response plans
  • Managed and comprehensive security monitoring and mitigation
  • Immediate action in the case of suspected breaches

APT28 is one of the most serious threats in existence today, and it’s important for organizations and individuals to be aware of its tactics in order to better protect themselves from attacks.

This article was originally published in Forbes.