Event Details

ONE-ISAC and SilentPush Workshop

April 15, 2025 1:00 pm - 2:30 pm

Title: Hunting APT28: Fancy Bear Found Hiding Deep In The Snow

CPE Credit: 1 hour

Abstract:

APT28 (aka Fancy Bear or Forest Blizzard) is a Russian cyber espionage group linked to Unit 26165 of the GRU intelligence agency. APT28 has been associated with attacks on Ukraine's energy sector, has strong technical overlaps with a group tracked by Dragos as GRAPHITE, and was discovered in 2024 to be conducting phishing campaigns targeting hydroelectric generation and natural gas pipeline operators.

In July 2024, CERT-UA, Ukraine's national CERT, reported on a new malware family used by the group called CHERRYSPY, a Windows backdoor written in Python. Bitdefender had previously published research on tracking APT28 C2s via their malware, but Silent Push analysts have recently succeeded in fingerprinting Fancy Bear's newest server setup based on a combination of unique technical characteristics and the infrastructure management decisions being made by the group.

Our presentation will cover what we know about APT28 and explain how the characteristics we've uncovered can be combined into a fingerprint capable of finding their C2 domains. We'll also explain why we undertake these types of challenging research efforts, even when there are only a small number of initial leads: discovering a C2 domain before it can be weaponized for an attack brings significant benefits. We also encourage sharing in groups like ONE-ISAC to support private efforts to find technical fingerprints for tracking serious APT groups.

Key Takeaways:

  • What we know about APT28 and GRAPHITE is substantial
  • CHERRYSPY is a Windows backdoor being used in APT28 attacks
  • APT28 is diversifying domain registrations and domain names, trying to hide C2 infrastructure
  • Knowing an APT's infrastructure management techniques is key to exposing pre-weaponized infrastructure

Speaker: Martijn Grooten, Senior Threat Analyst, Silent Push

Bio: Martijn Grooten has been working in threat intelligence since 2007. He spent many years at Virus Bulletin, where he ran the annual conference. He has done various kinds of work on security for high-risk groups and is currently working as a senior threat intelligence researcher for Silent Push.