MITRE ATT&CK G0007: Fancy Bear
Fig. 1: What Fancy Russian bears might look like.
Summary
MITRE ATT&CK ID G0007 refers to the threat group APT28, also known as Fancy Bear. APT28 is attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. The group has been active since at least 2004 and is known for targeting government, military, and political organizations.
Historical Information
2004: APT28 becomes active.
2016: The group reportedly compromises the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee.
2018: The US indicts five GRU Unit 26165 officers associated with APT28 for cyber operations against various organizations.
Techniques and Tactics
APT28 uses various techniques, including:
Access Token Manipulation: Using CVE-2015-1701 to access the SYSTEM token.
Account Manipulation: Granting additional email delegate permissions.
Acquire Infrastructure: Registering domains imitating legitimate organizations.
Active Scanning: Performing large-scale scans to find vulnerable servers.
Application Layer Protocol: Using HTTP, HTTPS, and other channels for command and control.
Notable Attacks
2015 Ukraine Electric Power Attack: Sandworm Team, associated with APT28, used valid accounts to escalate privileges and move laterally within the network.
SolarWinds Compromise: APT29, a related group, used compromised identities to access networks via SSH, VPNs, and other tools.
Mitigations
Account Use Policies: Implementing conditional access policies.
Active Directory Configuration: Disabling legacy authentication and requiring modern protocols.
Password Policies: Changing default usernames and passwords immediately after installation.
This summary provides an overview of APT28, its historical context, and its known techniques and tactics.