APT28 is a Russian military intelligence cyber unit operating under GRU Unit 26165 (85th Main Special Service Center). Active since at least 2004, the group is responsible for some of the most consequential cyber operations in history including the 2016 US Democratic National Committee breach, Olympic anti-doping agency attacks, and the NotPetya destructive campaign.
| Attribute | Detail |
|---|---|
| Names | APT28 / Fancy Bear / Forest Blizzard |
| Attribution | Russia (GRU Unit 26165) |
| Active Since | 2004 |
| Primary Focus | Military intelligence. Election interference, Olympic targeting, NotPetya. |
Overview
APT28 is a Russian military intelligence cyber unit operating under GRU Unit 26165 (85th Main Special Service Center). Active since at least 2004, the group is responsible for some of the most consequential cyber operations in history including the 2016 US Democratic National Committee breach, Olympic anti-doping agency attacks, and the NotPetya destructive campaign.
Attribution
APT28 / Fancy Bear / Forest Blizzard is attributed to Russia (GRU Unit 26165), active since at least 2004. Military intelligence. Election interference, Olympic targeting, NotPetya.
Notable Campaigns
- DNC breach and US election interference (2016)
- Bundestag (German Parliament) compromise (2015)
- WADA and Olympic anti-doping agency attacks (2016-2018)
- NotPetya destructive wiper campaign (2017)
- NATO and European government targeting
- Ukrainian military and government espionage (ongoing)
- Cisco ASA and Outlook vulnerability exploitation (2023-2024)
MITRE ATT&CK Mapping
| Technique ID | Technique | Confidence |
|---|---|---|
T1566 | Phishing | High |
T1059 | Command and Scripting Interpreter | High |
T1071 | Application Layer Protocol | High |
T1027 | Obfuscated Files or Information | High |
T1190 | Exploit Public-Facing Application | High |
T1078 | Valid Accounts | High |
Detection & Defense
Monitor for the TTPs listed above using your SIEM and EDR platforms. Prioritize patching of internet-facing applications and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for APT28 activity patterns.
Mjolnir Security — Threat Intelligence & Response
Mjolnir Security provides 24/7 threat monitoring, incident response, and threat intelligence services. Contact us for threat hunting specifically targeting APT28 TTPs in your environment.
mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875