The Phantom: APT28

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 1

Russia (GRU Unit 26165)

G0007

★★★★★

risk 5/5

✦ The Phantom ✦

APT28

Fancy Bear · STRONTIUM · Sofacy · Pawn Storm · Sednit

GovernmentDefensePolitical organizationsMediaNATO countries

Active since ~2004 · Espionage, Political influence, Disinformation

A phantom built for embarrassment as much as intelligence. It does not merely steal - it releases. The document dump, the timed leak, the hack-and-dump: these are its weapons of political theatre.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1059.001

PowerShell

Execution

T1078

Valid Accounts

Persistence

T1003.001

LSASS Memory

Credential Access

T1566.002

Spearphishing Link

Initial Access

T1134

Access Token Manipulation

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Privilege Escalation

Notable Operations

◆DNC hack and email leak (2016)
◆Bundestag breach (2015)
◆WADA doping agency hack (2016)
◆French election interference (2017)
◆Olympic Destroyer (2018)

Defenses

▸
Phishing-resistant MFA (FIDO2/hardware keys)
NIST SP 800-63B ↗
▸
Email sandboxing and attachment filtering
CIS Control 9 ↗
▸
Credential Guard on Windows endpoints
CIS Control 5 ↗
▸
Network traffic monitoring for C2 beaconing
NIST CSF: DE.CM ↗

Reversed: Their Weakness

Fancy Bear's operational security failures have been its undoing: the same Cyrillic keyboard registered the X-Agent compiler; the same VPN exited at the same IP. Attribution came from their own carelessness.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Ghost Next →The Shadow Court

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.