Cyber Threats from Russia
Understand more about cyber threat actors and intrusion sets attributed to Russia.
Cyber Threat Graph
Explore how the related entities connect on the cyber threat graph.
Intrusion Sets
Cyber intrusion sets attributed to Russia.
APT28
APT28 is a Russian intrusion set, originally named by FireEye/Mandiant. They allegedly stole information in an attempt to interfere with the 2016 ...
APT29
APT29 is a Russian cyber intrusion set. They have been linked to attacks including the SolarWinds compromise and an attack against the US ...
APT44
APT44 is an intrusion set tracked by Google's Mandiant and graduated to 'APT' status in April 2024, having been active since at least 2009. Also ...
Berserk Bear
BERSERK BEAR is reportedly linked to the FSB and has been observed targeting entities in Western Europe and North America including state, local, ...
Callisto Group
Callisto Group has been reported as active since at least 2015, with a strong history of spear phishing targets.
Cozy Bear
COZY BEAR is a Russian adversary tracked by CrowdStrike and linked to the SVR. COZY BEAR is one of the adversaries identified during the intrusion ...
Crouching Yeti
Crouching Yeti is a Russian-speaking advanced persistent threat (APT) group that Kaspersky Lab has been tracking since 2010. Targeted sectors ...
Dragonfly
Dragonfly is a group reportedly linked to Russia's FSB and responsible for conducting cyber operations against a range of sectors including ...
ELECTRUM
ELECTRUM is a nation state actor, likely related to Sandworm and attributed to the Russian government. Targeting includes critical national ...
Energetic Bear
CrowdStrike identified Energetic Bear in 2012 as a Russian cyber actor targeting the energy sector.
FROZENBARENTS
FROZENBARENTS is an intrusion set tracked by Google's Threat Analysis Group that has been active since at least 2009. The group is also known as ...
Fancy Bear
Fancy Bear, also known as APT28 or Sofacy, is a cyberespionage group that is linked to the Russian government. The group has been in operation ...
Forest Blizzard
Forest Blizzard is an intrusion set tracked by researchers at Microsoft and formerly known by them as STRONTIUM. The group reportedly shows ...
ITG05
ITG05 is a likely Russian state-sponsored intrusion set tracked by researchers at IBM X-Force. According to X-Force, ITG05 is made up of ...
Midnight Blizzard
Microsoft identified Midnight Blizzard as the attackers behind the 2020 attack against SolarWinds. The group have been linked to the APT29 intrusion ...
NOBELIUM
Microsoft identified NOBELIUM as the attackers behind the 2020 attack against SolarWinds. The group have subsequently been linked to APT29 and ...
STRONTIUM
STRONTIUM, also known as Fancy Bear or APT28, is a cyber espionage group historically tracked by Microsoft. It is believed to be associated with ...
Sandworm
Sandworm is a cyber threat actor reportedly linked to the Russian government and responsible for conducting numerous cyber attack campaigns. The ...
TA473
TA473 is an intrusion set tracked by cyber threat researchers at Proofpoint, which shows overlap with the Winter Vivern actor. Proofpoint ...
TAG-70
TAG-70 is a cyber threat group identified by Recorded Future’s Insikt Group. They assess the intrusion set as likely acting on behalf of Belarus ...
TEMP.Veles
TEMP.Veles is the name given by Mandiant (formerly FireEye Intelligence) to the intrusion set which deployed the TRITON malware which impacted ...
TEMP.Isotope
TEMP.Isotope is a threat actor tracked by Mandiant researchers. It is assessed that the group have a destructive mandate however they have not ...
The Dukes
F-Secure track the Dukes as a well-resourced, highly dedicated and organized cyberespionage group that they attribute to the Russian Federation. ...
Turla
Turla is an intrusion set attributed to Russia and specifically FSB Center 16. The group is also known as Venomous Bear and is associated with the ...
UAC-0002
UAC-0002 is a designation given by Ukraine's CERT (CERT-UA) to a Russia-attributed actor known more widely as Sandworm or APT44. CERT-UA identify ...
UAC-0050
The UAC-0050 cyber threat group was originally identified by the Ukrainian CERT (CERT-UA). They are known for launching targeted phishing ...
UAC-0114
UAC-0114 is a designation assigned by the Ukraine CERT to a group which they assess as being Russian speaking. The group has been observed ...
UAC-0133
UAC-0133 is an intrusion set tracked by Ukraine's CERT (CERT-UA). The group is identified with high confidence as a subcluster of Sandworm/APT44. ...
Winter Vivern
Winter Vivern is a cyber intrusion set named by Domain Tools researchers after a string ('wintervivern') found in the command and control beacon ...
XENOTIME
According to Dragos threat researchers, XENOTIME "is easily the most dangerous threat activity publicly known" due to their targeting of ...
Threat Actors
Cyber threat actors attributed to Russia.
FSB - Russian Federal Security Service
The FSB (Russia's Federal Security Service) is the successor to the KGB. The FSB's primary responsibilities are within Russia and include counter- ...
FSB Center 16
FSB Center 16's full title is Center for Radio-Electronic Intelligence by Means of Communication and it is also known as Military Unit 71330. The ...
FSB Center 18
FSB Center 18 is a unit within the FSB, Russia's Intelligence Services. The UK and the US have linked Center 18 to intrusion sets tracked as ...
GRU - Russian Main Directorate of the General Staff
The GRU is Russia's military intelligence agency. GRU officers have been indicted for multiple cyber related offences including NotPetya (2017), ...
GRU Unit 26165
GRU Unit 26165 is also known as the 85th Main Special Service Center (GTsSS). GTsSS has been publicly attributed as the threat actor behind APT28 ...
GRU Unit 74455
GRU Unit 74455's full title is the Main Center of Special Technologies (GTsST). As a cyber adversary, they have operated since 2009 widely ...
NTC Vulkan
NTC Vulkan is a Russian cybersecurity consultancy, identified as a key player in enhancing Russia's cyberwarfare capabilities. It develops ...
Russian Central Scientific Research Institute of Chemistry (CNIIHM)
The Central Scientific Research Institute of Chemistry (CNIIHM) is identified by FireEye intelligence as 'a Russian government-owned technical ...
Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM)
According to the US government, the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics, or TsNIIKhM, is linked to ...
SVR - Russian Foreign Intelligence Service
The SVR, Russia's civilian foreign intelligence service, is the successor to the KGB's First Chief Directorate. CISA report that SVR has been ...
The DaVinci Group
According to public reporting, The DaVinci Group is the real-world threat actor behind the UAC-0050 intrusion set. The DaVinci Group are ...
Threat Reports
Publicly available threat reporting on cyber attacks and campaigns attributed to Russia.
APT44: Unearthing Sandworm
This report from researchers at Mandiant marks the graduation of the Sandworm intrusion set to the Mandiant APT label: APT44. It provides a ...
Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
This blog post by researchers at Microsoft Threat Intelligence outlines activity they observed by Forest Blizzard using a tool they named ...
KAPEKA A novel backdoor spotted in Eastern Europe
This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...
TinyTurla Next Generation - Turla APT spies on Polish NGOs
'TinyTurla-NG' is a backdoor identified by Cisco Talos researchers which shows similarities to a previously used implant 'TinyTurla' - both used ...
Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
Proofpoint researchers describe espionage activity targeting US elected officials and staffers which they attribute to TA473 (also known as Winter ...
Winter Vivern: Uncovering a Wave of Global Espionage
SentinelLabs conducted an investigation into the Winter Vivern Advanced Persistent Threat (APT) group, in part leveraging observations made by The ...
Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign
The Insikt Group has observed TAG-70 using cross-site scripting (XSS) vulnerabilities to target Roundcube webmail servers in Europe. The ...
TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
This blog post by FireEye intelligence outlines how they attributed TEMP.Veles to a Russian government sponsored research institute - CNIIHM. ...
Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)
Technical analysis of the 'Pelmeni Wrapper' using samples found on VirusTotal by researchers from Lab52. The investigation outlines how Pelmeni is ...
SVR cyber actors adapt tactics for initial cloud access
This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
Midnight Blizzard: Guidance for responders on nation-state attack
Following a compromise of Microsoft corporate systems by Midnight Blizzard which was detected on 12th January 2024, this blog post outlines ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns
This Security Intelligence blog post by researchers at IBM's X-Force describes activity by ITG05 - a group which shows overlap with APT28/Forest ...
AcidPour - New Embedded Wiper Variant of AcidRain Appears in Ukraine
This blog post by researchers at SentinelLabs describes a new variant of the AcidRain malware which they call AcidPour. The report includes ...
APT29 Uses WINELOADER to Target German Political Parties
This blog post by Mandiant describes activity by APT29, linked to Russia's SVR, which targeted German political parties with a new backdoor: ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by Russia.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1497.003 | Time Based Evasion | Defense Evasion, Discovery |
T1012 | Query Registry | Discovery |
T1001.001 | Junk Data | Command and Control |
T1059.003 | Windows Command Shell | Execution |
T1105 | Ingress Tool Transfer | Command and Control |
T1124 | System Time Discovery | Discovery |
T1090.001 | Internal Proxy | Command and Control |
T1112 | Modify Registry | Defense Evasion |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1559.001 | Component Object Model | Execution |
T1070.009 | Clear Persistence | Defense Evasion |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1614.001 | System Language Discovery | Discovery |
T1082 | System Information Discovery | Discovery |
T1070.004 | File Deletion | Defense Evasion |
T1027.009 | Embedded Payloads | Defense Evasion |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1218.011 | Rundll32 | Defense Evasion |
T1573.001 | Symmetric Cryptography | Command and Control |
T1036.008 | Masquerade File Type | Defense Evasion |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1033 | System Owner/User Discovery | Discovery |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1571 | Non-Standard Port | Command and Control |
T1083 | File and Directory Discovery | Discovery |
T1056 | Input Capture | Collection, Credential Access |
T1114 | Email Collection | Collection |
T1203 | Exploitation for Client Execution | Execution |
T1212 | Exploitation for Credential Access | Credential Access |
T1566 | Phishing | Initial Access |
T1090.002 | External Proxy | Command and Control |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1110 | Brute Force | Credential Access |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1528 | Steal Application Access Token | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1114.002 | Remote Email Collection | Collection |
T1110.003 | Password Spraying | Credential Access |
T1590.004 | Network Topology | Reconnaissance |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1059.001 | PowerShell | Execution |
T1036 | Masquerading | Defense Evasion |
T1564 | Hide Artifacts | Defense Evasion |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1190 | Exploit Public-Facing Application | Initial Access |
T1020 | Automated Exfiltration | Exfiltration |
T1057 | Process Discovery | Discovery |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1027.001 | Binary Padding | Defense Evasion |
T1568 | Dynamic Resolution | Command and Control |
T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation |
T1505.001 | SQL Stored Procedures | Persistence |
T1590 | Gather Victim Network Information | Reconnaissance |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1003.001 | LSASS Memory | Credential Access |
T1047 | Windows Management Instrumentation | Execution |
T1558.001 | Golden Ticket | Credential Access |
T1046 | Network Service Discovery | Discovery |
T1003.002 | Security Account Manager | Credential Access |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1592.002 | Software | Reconnaissance |
T1572 | Protocol Tunneling | Command and Control |
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1007 | System Service Discovery | Discovery |
T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |