Not Simon 🐐

Country: Russia Organization: Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. Objective: Espionage WORK IN PROGRESS! (Page last updated: September 09, 2024)

Aliases:

• APT28 (MITRE, Mandiant)
• Fancy Bear (CrowdStrike)
• Sofacy (F-Secure)
• Sednit or Sednit Group (ESET)
• Group 74 (Cisco Talos Intelligence)
• IRON TWILIGHT (Secureworks)
• Strontium (formerly used by Microsoft)
• Forest Blizzard (Microsoft)
• Pawn Storm (Trend Micro)
• Swallowtail (Symantec)
• BlueDelta (Recorded Future)
• UAC-0028 (CERT-UA)
• TA422 (Proofpoint)
• Fighting Ursa (Unit 42)
• FROZENLAKE (Google Threat Analysis Group)

Possible Ties

• UAC-0063 (according to CERT-UA)

Identified Members

Still parsing through the indictments.

Vulnerabilities Exploited

Coming soon! There's a lot.

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• August 02, 2024 – Unit 42: Fighting Ursa Luring Targets With Car for Sale
• July 22, 2024 – Computer Emergency Response Team of Ukraine (CERT-UA): UAC-0063 атакує науково-дослідні установи України: HATVIBE + CHERRYSPY + CVE-2024-23692 (CERT-UA#10356) (Ukrainian)
• June 12, 2024 – Mandiant / Google TAG: Insights on Cyber Threats Targeting Users and Enterprises in Brazil
• May 3, 2024 – U.S. State Department: The United States Condemns Malicious Cyber Activity Targeting Germany, Czechia, and Other EU Member States
• April 22, 2024 – Microsoft: Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
• February 27, 2024 – NSA: Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations
• February 15, 2024 – U.S. Department of Justice: Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)
• February 14, 2024 – Microsoft: Staying ahead of threat actors in the age of AI

2023

• April 18, 2023 – CISA: APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers
• April 18, 2023 – NCSC-UK: Malware Analysis Report: Jaguar Tooth (PDF)
• March 24, 2023 – Microsoft: Guidance for investigating attacks using CVE-2023-23397

2022

• May 09, 2022 – CISA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
• April 07, 2022 – Microsoft: Disrupting cyberattacks targeting Ukraine

2021

• July 1, 2021 – U.S. Department of Defense: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments (PDF)

2020

• October 22, 2020 – UK Government: UK enforces new sanctions against Russia for cyber attack on German Parliament
• September 10, 2020 – Microsoft: STRONTIUM: Detecting new patterns in credential harvesting

2018

• October 4, 2018 – UK Government: Minister for Europe statement: attempted hacking of the OPCW by Russian military intelligence
• October 4, 2018 – GCHQ: Reckless campaign of cyber attacks by Russian military intelligence service exposed
• May 23, 2018 – DOJ: Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices

2016

• August 06, 2016 – Microsoft: Microsoft Corporation v. John Does 1-2 (PDF, Civil Action No: 1:16-CV-993)

2015

• November 16, 2015 – Microsoft: Microsoft Security Intelligence Report Volume 19 (PDF, page 13)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat