STRONTIUM, RUSSIA and the GRU

Fig. 1: A slightly different Fortress of Solitude

Summary

STRONTIUM, also widely known as Fancy Bear or APT28, is a highly sophisticated Russian advanced persistent threat (APT) group. This notorious cyber espionage unit is believed to be closely linked to Russia's military intelligence agency, the General Staff Main Intelligence Directorate (GRU), specifically its 85th Main Special Service Center (GTsSS), military unit 26165.

Active since at least the mid-2000s, STRONTIUM has earned a reputation as one of the most prolific and advanced state-sponsored hacking groups in the world. The group's activities primarily focus on cyber espionage, but they have also been implicated in disinformation campaigns, election interference, and destructive cyber attacks.

Key characteristics of STRONTIUM include:

  1. Advanced Tactics: The group is known for employing a wide array of sophisticated hacking techniques, including zero-day exploits, spear-phishing campaigns, and custom malware.

  2. High-Profile Targets: STRONTIUM has targeted government agencies, military organizations, defense contractors, political entities, and critical infrastructure across multiple countries.

  3. Geopolitical Motivations: Many of the group's operations align with Russian geopolitical interests, often focusing on NATO member states, former Soviet republics, and countries of strategic importance to Russia.

  4. Persistent Campaigns: True to the "advanced persistent threat" moniker, STRONTIUM is known for maintaining long-term access to compromised networks, sometimes for years.

  5. Adaptive Strategies: The group continually evolves its tactics, techniques, and procedures (TTPs) to evade detection and circumvent improved security measures.

Notable cyber operations attributed to STRONTIUM include the 2016 Democratic National Committee (DNC) hack in the United States, attacks on the World Anti-Doping Agency (WADA), and numerous campaigns targeting government and military institutions in Eastern Europe and the Caucasus region.

(MITRE ATT&CK)

Historical Information

Mid-2000s: STRONTIUM becomes active.

2016: The group gains notoriety for its role in the U.S. presidential election, targeting the Democratic National Committee (DNC) and Hillary Clinton's campaign.

2018: The U.S. indicts several GRU officers associated with STRONTIUM for their involvement in the 2016 election interference. (MITRE ATT&CK)

Techniques and Tactics

STRONTIUM uses various techniques, including:

  • Spear Phishing: Targeting specific individuals with tailored emails to steal credentials.

  • Malware: Deploying malicious software like X-Tunnel, SPLM (CHOPSTICK), and X-Agent to breach networks.

  • IoT Exploitation: Compromising Internet of Things (IoT) devices to gain network access.

  • Disinformation: Spreading false information to influence public opinion and create discord.

    (Infosecurity Magazine, Cyware)

Notable Incidents

  • 2016 U.S. Presidential Election: STRONTIUM targeted the DNC and Hillary Clinton's campaign, influencing the election outcome.

  • 2015 Ukraine Power Grid Attack: The group was involved in the cyberattack that caused a power outage in Ukraine.

  • 2018 Winter Olympics: STRONTIUM attempted to disrupt the Olympics, framing North Korea for the attack.

    (MITRE ATT&CK)

Known Individuals

  • Yevgeny Prigozhin: A Russian oligarch linked to the funding of STRONTIUM. Accidentally and tragically fell out of a moving plane while leaving Moscow.

  • Andrei Vladimirovich Averyanov: A GRU officer associated with the group's operations.

    (MITRE ATT&CK)

Implications

  • Geopolitical Tensions: STRONTIUM's activities have increased tensions between Russia and Western countries, leading to sanctions and diplomatic expulsions.

  • Cyber Security: The group's actions have prompted improvements in cyber security and intelligence sharing among Western allies.

    (Cybersecurity Dive)
