Sofacy (also known as APT28, Fancy Bear, Sednit, Strontium, Forest Blizzard) is a state-sponsored advanced persistent threat group attributed to Russia (GRU Unit 26165), active since 2004. The group primarily targets the NATO government, military, media and elections sectors. It is tracked by MITRE ATT&CK as G0007.
Overview & Attribution
Russian GRU military intelligence APT responsible for the DNC hack, the WADA breach, NotPetya, and persistent targeting of NATO governments and elections infrastructure worldwide.
Sofacy has been active since 2004 and is attributed to Russia (GRU Unit 26165). The group is known for targeting NATO governments, military, media and elections using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: Russia (GRU Unit 26165)
- Active since: 2004
- Primary targets: NATO governments, military, media, elections
- Also known as: APT28, Fancy Bear, Sednit, Strontium, Forest Blizzard
Arsenal & Tools
Sofacy employs a diverse arsenal of custom and shared tooling used in its operations, including:
- X-Agent
- Zebrocy
- OCEANMAP
- Cannon
- Skinnyboy
Targeting & Operations
The group focuses on the NATO government, military, media and elections sectors, with operations spanning multiple geographic regions. Its campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
Sofacy is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Spearphishing campaigns |
| Execution | T1059.001 PowerShell | PowerShell execution |
| Persistence | T1137 Office Application Startup | Outlook macro persistence |
| Credential Access | T1110 Brute Force | Password spraying campaigns |
| Collection | T1114 Email Collection | Email harvesting |
| C2 | T1071.001 Web Protocols | HTTP/HTTPS C2 |
Notable Campaigns
Sofacy has been linked to multiple significant campaigns targeting NATO government, military, media and elections organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known Sofacy IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with X-Agent and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known Sofacy TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
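As an added example (not from the original profile or Mjolnir Security's tooling), a minimal detector for the password-spraying pattern mapped to T1110 above, run over constructed authentication log lines. The log format, the window and the account threshold are assumptions for this example.

```python
"""Password-spray detection over constructed authentication logs.

Spraying (T1110) fails logons against MANY accounts from one source,
each account only a few times, so per-account lockout counters miss it.
This flags a source whose failures touch >= min_accounts distinct
accounts inside a sliding time window. Added example; log format assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<iso-timestamp> <source_ip> <user> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:03 203.0.113.7 carol FAIL
2024-03-01T09:00:04 203.0.113.7 dave FAIL
2024-03-01T09:00:05 203.0.113.7 erin FAIL
2024-03-01T09:00:06 203.0.113.7 frank SUCCESS
2024-03-01T09:00:07 198.51.100.9 alice FAIL
2024-03-01T09:00:08 198.51.100.9 alice FAIL
2024-03-01T09:00:09 198.51.100.9 alice FAIL
2024-03-01T09:00:10 198.51.100.9 alice FAIL
2024-03-01T09:00:11 198.51.100.9 alice FAIL
"""


def parse(log_text):
    """Yield (timestamp, source, user, result) tuples from the assumed format."""
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: sorted distinct accounts} for sources that spray.

    A single account hammered repeatedly (classic brute force) is NOT
    flagged here; it only counts as one account in the window."""
    failures = defaultdict(list)  # source -> [(ts, user), ...]
    for ts, src, user, result in parse(log_text):
        if result == "FAIL":
            failures[src].append((ts, user))
    hits = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits
```

In the sample, 203.0.113.7 is flagged (five accounts in seconds, followed by a success worth correlating), while 198.51.100.9 hammering one account is left to per-account lockout logic.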
Defend Against Sofacy
Mjolnir Security provides specialized capabilities to detect and respond to Sofacy operations.
- APT Threat Hunting: Proactive hunting for Sofacy TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of Sofacy campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.