APT28

High Confidence • Critical Threat

Fancy Bear • Sofacy • Pawn Storm • Sednit • STRONTIUM • Forest Blizzard

APT28, also known as Fancy Bear, Sofacy, and Forest Blizzard, is a highly skilled and persistent cyber espionage group attributed to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2004, the group is known for its sophisticated and well-resourced operations targeting governments, militaries, and security organizations worldwide. APT28's activities are closely aligned with Russian strategic interests, focusing on intelligence gathering, and the group has been linked to numerous high-profile attacks, including interference in the 2016 U.S. presidential election. The group's operations are characterized by a combination of technical sophistication and a deep understanding of their targets' networks and vulnerabilities. They are known for their use of zero-day exploits, custom malware, and a wide range of tactics, techniques, and procedures (TTPs) to achieve their objectives. APT28's ability to adapt and evolve its methods over time makes it a persistent and formidable threat in the cyber landscape.

Origin: Russia
Sponsor: GRU Unit 26165
Active: 2004 - Present
Victims: 1000+ organizations
Advanced • Active
Espionage • Information Operations • Sabotage

Risk Assessment

Composite Risk Score: 91 (Critical Risk)
ARCS Compliance: 90
Escalation Risk: 95
Grievance Index: 92
Infrastructure Impact: 88

History & Evolution

Targeting

Target Sectors

Government • Military • Defense • Media • Political Organizations • Sports Organizations • Energy

Target Regions

United States • Europe • NATO Countries • Ukraine • Georgia

Attribution & Affiliations

Attributed to GRU Unit 26165 (Russia). Attribution confidence: High.

Intelligence Assessment

Threat Level: Critical
Targeting: Highly
Adaptability: Highly
Persistence: Very High
Op Tempo: Continuous
Status: Active

Future Outlook

APT28 is expected to continue operations targeting government sectors.

Timeline of Key Events

2004 (Major): First observed activity of APT28
2024 (Moderate): Continued active operations