Threat Actor Profile
High APT
Description

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13] APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (74), grouped by tactic

Collection
  T1005 - Data from Local System
  T1025 - Data from Removable Media
  T1039 - Data from Network Shared Drive
  T1056 - Input Capture
  T1074 - Data Staged
  T1113 - Screen Capture
  T1114 - Email Collection
  T1119 - Automated Collection
  T1213 - Data from Information Repositories
  T1560 - Archive Collected Data

Command and Control
  T1001 - Data Obfuscation
  T1071 - Application Layer Protocol
  T1090 - Proxy
  T1092 - Communication Through Removable Media
  T1102 - Web Service
  T1105 - Ingress Tool Transfer
  T1573 - Encrypted Channel

Credential Access
  T1003 - OS Credential Dumping
  T1040 - Network Sniffing
  T1110 - Brute Force
  T1528 - Steal Application Access Token
  T1557 - Adversary-in-the-Middle

Defense Evasion
  T1006 - Direct Volume Access
  T1014 - Rootkit
  T1027 - Obfuscated Files or Information
  T1036 - Masquerading
  T1070 - Indicator Removal
  T1078 - Valid Accounts
  T1134 - Access Token Manipulation
  T1140 - Deobfuscate/Decode Files or Information
  T1211 - Exploitation for Defense Evasion
  T1218 - System Binary Proxy Execution
  T1221 - Template Injection
  T1542 - Pre-OS Boot
  T1550 - Use Alternate Authentication Material
  T1564 - Hide Artifacts

Discovery
  T1016 - System Network Configuration Discovery
  T1057 - Process Discovery
  T1083 - File and Directory Discovery
  T1120 - Peripheral Device Discovery

Execution
  T1059 - Command and Scripting Interpreter
  T1203 - Exploitation for Client Execution
  T1204 - User Execution
  T1559 - Inter-Process Communication

Exfiltration
  T1030 - Data Transfer Size Limits
  T1048 - Exfiltration Over Alternative Protocol
  T1567 - Exfiltration Over Web Service

Impact
  T1498 - Network Denial of Service
  T1561 - Disk Wipe

Initial Access
  T1189 - Drive-by Compromise
  T1190 - Exploit Public-Facing Application
  T1199 - Trusted Relationship
  T1566 - Phishing
  T1669 - Wi-Fi Networks

Lateral Movement
  T1021 - Remote Services
  T1091 - Replication Through Removable Media
  T1210 - Exploitation of Remote Services

Persistence
  T1037 - Boot or Logon Initialization Scripts
  T1098 - Account Manipulation
  T1133 - External Remote Services
  T1137 - Office Application Startup
  T1505 - Server Software Component
  T1547 - Boot or Logon Autostart Execution

Privilege Escalation
  T1068 - Exploitation for Privilege Escalation
  T1546 - Event Triggered Execution

Reconnaissance
  T1589 - Gather Victim Identity Information
  T1591 - Gather Victim Org Information
  T1595 - Active Scanning
  T1596 - Search Open Technical Databases
  T1598 - Phishing for Information

Resource Development
  T1583 - Acquire Infrastructure
  T1584 - Compromise Infrastructure
  T1586 - Compromise Accounts
  T1588 - Obtain Capabilities
Indicators of Compromise

STIX Data
{'aliases': [],
 'description': "APT28is a threat group that has been attributed to Russia's "
                'General Staff Main Intelligence Directorate (GRU) 85th Main '
                'Special Service Center (GTsSS) military unit 26165.[1][2]This '
                'group has been active since at least '
                '2004.[3][4][5][6][7][8][9][10][11][12][13] APT28reportedly '
                'compromised the Hillary Clinton campaign, the Democratic '
                'National Committee, and the Democratic Congressional Campaign '
                'Committee in 2016 in an attempt to interfere with the U.S. '
                'presidential election.[5]In 2018, the US indicted five GRU '
                'Unit 26165 officers associated withAPT28for cyber operations '
                '(including close-access operations) conducted between 2014 '
                'and 2018 against the World Anti-Doping Agency (WADA), the US '
                'Anti-Doping Agency, a US nuclear facility, the Organization '
                'for the Prohibition of Chemical Weapons (OPCW), the Spiez '
                'Swiss Chemicals Laboratory, and other organizations.[14]Some '
                'of these were conducted with the assistance of GRU Unit '
                '74455, which is also referred to asSandworm Team.',
 'external_references': [{'external_id': 'G0007',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0007/'}],
 'id': 'threat-actor--G0007',
 'metadata': {'crawled_at': '2026-04-29T14:32:40.233243+00:00',
              'mitre_group_id': 'G0007',
              'page_title': 'APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, '
                            'Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, '
                            'STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, '
                            'Forest Blizzard, FROZENLAKE, GruesomeLarch, Group '
                            'G0007 | MITRE ATT&CK®'},
 'name': 'APT28',
 'type': 'threat-actor'}