APT28
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 08/04/2026 13:02
- Updated at: 08/04/2026 13:02
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 11 reports, 121 attack patterns (MITRE), 38 malware, 10 sectors, 19 countries, 100 indicators, 12 vulnerabilities (CVE), 4 tools
Aliases
IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sofacy, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, FROZENLAKE, GruesomeLarch, Fancy Bear, Forest Blizzard, Sednit, Pawn Storm
Description
[APT28](https://attack.mitre.org/groups/G0007) is a threat group attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) The group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)
[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations, including close-access operations, conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these operations were conducted with the assistance of GRU Unit 74455, which is also tracked as [Sandworm Team](https://attack.mitre.org/groups/G0034).
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- mitre-attack (G0007)
- NSA/FBI Drovorub August 2020
- TrendMicro Pawn Storm Dec 2020
- ESET Zebrocy May 2019
- Kaspersky Sofacy
- Sofacy DealersChoice
- Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020
- Microsoft Threat Actor Naming July 2023
- SecureWorks TG-4127
- Nearest Neighbor Volexity
- Securelist Sofacy Feb 2018
- Symantec APT28 Oct 2018
- FireEye APT28
- GRIZZLY STEPPE JAR
- DOJ GRU Indictment Jul 2018
- Crowdstrike DNC June 2016
- Ars Technica GRU indictment Jul 2018
- Palo Alto Sofacy 06-2018
- Secureworks IRON TWILIGHT Profile
- Microsoft STRONTIUM Aug 2019
- Cybersecurity Advisory GRU Brute Force Campaign July 2021
- Leonard TAG 2023
- US District Court Indictment GRU Oct 2018
- Talos Seduploader Oct 2017
- Secureworks IRON TWILIGHT Active Measures March 2017
- FireEye APT28 January 2017
- ESET Sednit Part 3
- Accenture SNAKEMACKEREL Nov 2018