APT28, an evolution of tradecraft
Sekoia's Threat Detection & Research team details the two-decade evolution of APT28's tradecraft, highlighting a strategic shift from monolithic implants to disposable, single-purpose tools and compromised edge-router infrastructure. Recent operations demonstrate a return to custom cloud-resident backdoors and novel experimentation with LLM-driven infostealers.
Authors: Amaury G., Sekoia TDR
What Happened
A Russian state-sponsored hacking group known as APT28 has continuously updated its cyberattack methods over the past twenty years. It has recently shifted to routing its operations through compromised home and small-business internet routers, which masks the true origin of its traffic while it steals sensitive information. The group targets government, defense, and civil society organizations, particularly in Ukraine and NATO countries. This evolution shows it is highly adaptable, even experimenting with a large language model to generate the commands its malicious software runs. Organizations should ensure their internet-facing devices are updated and monitor for unusual network traffic.
Key Takeaways
- APT28 has shifted from monolithic implants (like X-Agent) to fragmented, single-purpose, and short-lived modules.
- The group heavily leverages compromised SOHO and edge devices (Ubiquiti, MikroTik, TP-Link) to proxy traffic, host phishing pages, and harvest credentials.
- Recent operations show a return to custom cloud-resident backdoors (BeardShell, Slimagent) that abuse legitimate cloud storage APIs for C2.
- APT28 is actively experimenting with LLM-integrated malware (LameHug) to dynamically generate execution and collection commands.
Affected Systems
- Windows
- SOHO and Edge Routers (Ubiquiti, MikroTik, TP-Link)
- Microsoft Exchange and Outlook
- Webmail platforms (Roundcube, Horde, MDaemon, Zimbra)
- UKR.NET Webmail
Vulnerabilities (CVEs)
- CVE-2022-38028
- CVE-2023-23397
Attack Chain
APT28's attack chains have evolved significantly, currently favoring initial access via spear-phishing with shortened URLs or weaponized Office documents, including documents sent through alternative messaging apps such as Signal Desktop. Exploitation often involves the zero-click Outlook vulnerability CVE-2023-23397, which coerces an SMB authentication that leaks the victim's Net-NTLMv2 hash, or XSS flaws in webmail platforms that are used to harvest credentials. Post-compromise, the group leverages compromised SOHO routers for proxying traffic and staging payloads, while deploying custom backdoors that use legitimate cloud storage APIs (Koofr, icedrive, Filen) for command and control. Recently, it has experimented with LLM APIs to dynamically generate and execute local discovery and collection commands.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides a historical overview of APT28's tradecraft evolution and does not include specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: High. EDR solutions are well-positioned to detect the execution of custom implants, privilege escalation attempts (such as Print Spooler exploitation via CVE-2022-38028), and anomalous processes spawned by LLM-driven tools.
- Network Visibility: Medium. While network monitoring can catch unencrypted exfiltration, APT28's heavy reliance on compromised SOHO routers and legitimate cloud services (Koofr, icedrive, Filen) blends malicious traffic with benign activity.
- Detection Difficulty: Hard. The use of disposable implants, legitimate cloud services for C2, and compromised edge devices for proxying makes distinguishing APT28 activity from normal administrative or user behavior highly challenging.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Network Connections (Sysmon 3)
- DNS Queries (Sysmon 22)
- File Creation (Sysmon 11)
- Webmail and mail-server application logs (logins, IMAP setting and app-password changes)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unusual outbound network connections from endpoint processes to legitimate cloud storage APIs (e.g., Koofr, icedrive, Filen) that are not officially sanctioned by the organization. | Network/Process | Command and Control | Medium |
| Evaluate whether there are unexpected modifications to IMAP settings or the creation of app passwords following logins from unknown or residential IP ranges. | Application/Cloud Logs | Credential Access | Low |
| Look for anomalous child processes spawned by webmail server processes (e.g., Roundcube, Zimbra) which could indicate XSS or direct exploitation. | Process | Execution | Low |
| Consider hunting for scripts or unusual binaries executing commands dynamically generated via API calls to LLM services (e.g., Hugging Face). | Process/Network | Execution | Medium |
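The following Python is an added example, not code from the Sekoia report and not a Sekoia detection rule. It implements the first hunting hypothesis above (unsanctioned processes talking to cloud-storage APIs) and the CVE-2023-23397 behavioral indicator listed under Key Behavioral Indicators (Outlook opening outbound SMB to an external host), run over constructed Sysmon-style Event ID 22 and Event ID 3 records. The API hostnames for Koofr, icedrive and Filen, the sanctioned-process allowlist, the internal address ranges and the sample events are all assumptions for illustration; confirm the hostnames against your own DNS and proxy logs before deploying anything like this.

```python
"""Hunting logic, as an added example, for two behaviours named in the report:
 (1) a process outside the sanctioned list resolving and then connecting to a
     consumer cloud-storage API host (Koofr, icedrive, Filen): candidate
     T1102.002 command and control;
 (2) outlook.exe opening an outbound TCP/445 connection to an address outside
     the internal ranges: the Net-NTLMv2 leak pattern of CVE-2023-23397.
Input is Sysmon-style events (EventID 22 DNS query, EventID 3 network connect)
as dicts; the sample below is constructed, not real telemetry."""
import ipaddress
from collections import defaultdict

# ASSUMPTION: API hostnames for the providers named in the report.
CLOUD_STORAGE_SUFFIXES = ("koofr.net", "icedrive.net", "filen.io")

# ASSUMPTION: the only binary this hypothetical organisation sanctions for those
# services. Stored lower-cased; Sysmon image paths are compared case-insensitively.
SANCTIONED_IMAGES = {r"c:\program files\koofr\koofr.exe"}

# ASSUMPTION: internal ranges; an Outlook SMB connection anywhere else is suspicious.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"  # masquerading name in a user-writable path

# Constructed sample telemetry (documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": DROPPER, "QueryName": "app.koofr.net",
     "QueryResults": "::ffff:203.0.113.10;"},
    {"EventID": 3, "Image": DROPPER, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 22, "Image": r"C:\Program Files\Koofr\Koofr.exe", "QueryName": "app.koofr.net",
     "QueryResults": "type: 5 app.koofr.net;::ffff:203.0.113.10;"},
    {"EventID": 3, "Image": r"C:\Program Files\Koofr\Koofr.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "198.51.100.7", "DestinationPort": 445},
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def is_cloud_storage_host(name):
    """True for the provider apex or any subdomain of it (not for look-alike suffixes)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def parse_query_results(field):
    """Sysmon 22 QueryResults is ';'-separated; IPv4 answers appear as
    ::ffff:a.b.c.d and CNAME hops as 'type: 5 <name>', which are skipped."""
    ips = set()
    for item in field.split(";"):
        item = item.strip()
        if item and not item.startswith("type:"):
            ips.add(item.removeprefix("::ffff:"))
    return ips


def hunt_cloud_storage_c2(events, sanctioned=SANCTIONED_IMAGES):
    """(image, host, ip) for unsanctioned processes that resolved a cloud-storage
    host and then connected to one of the answers; a DNS lookup alone is weaker evidence."""
    resolved = defaultdict(dict)  # lower-cased image -> {ip: host}
    for ev in events:
        if ev["EventID"] == 22 and is_cloud_storage_host(ev["QueryName"]):
            for ip in parse_query_results(ev["QueryResults"]):
                resolved[ev["Image"].lower()][ip] = ev["QueryName"].lower()
    hits = []
    for ev in events:
        if ev["EventID"] != 3:
            continue
        image = ev["Image"].lower()
        host = resolved.get(image, {}).get(ev["DestinationIp"])
        if host and image not in sanctioned:
            hits.append((ev["Image"], host, ev["DestinationIp"]))
    return hits


def hunt_outlook_smb_leak(events, internal=INTERNAL_NETS):
    """(image, ip) for outlook.exe connecting to TCP/445 outside the internal ranges."""
    hits = []
    for ev in events:
        if ev["EventID"] != 3 or ev["DestinationPort"] != 445:
            continue
        if not ev["Image"].lower().endswith("\\outlook.exe"):
            continue
        dst = ipaddress.ip_address(ev["DestinationIp"])
        if any(dst in net for net in internal):
            continue
        hits.append((ev["Image"], ev["DestinationIp"]))
    return hits


if __name__ == "__main__":
    for hit in hunt_cloud_storage_c2(SAMPLE_EVENTS):
        print("cloud-storage C2 candidate:", hit)
    for hit in hunt_outlook_smb_leak(SAMPLE_EVENTS):
        print("Outlook external SMB authentication:", hit)
```

Two design choices matter in practice: the cloud-storage rule requires a DNS answer followed by a connection to one of the answered addresses from the same image, which is how you avoid alerting on every resolver or browser prefetch, and the Outlook rule uses an explicit list of internal ranges rather than a generic "is private" helper, because the reserved documentation ranges used in the sample (and any internal ranges your organisation routes publicly) would otherwise be misclassified.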
Control Gaps
- Lack of visibility into SOHO/edge router integrity
- Inability to inspect traffic to legitimate cloud storage providers
- Missing Mark-of-the-Web (MotW) enforcement on alternative messaging apps like Signal
Key Behavioral Indicators
- Office documents delivered via Signal Desktop lacking MotW
- Python scripts modifying 2FA or IMAP settings on webmail platforms
- SMB authentication attempts triggered by Outlook reminders (CVE-2023-23397)
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Ensure all edge devices, particularly SOHO routers (Ubiquiti, MikroTik, TP-Link), are patched to the latest firmware and have default credentials changed.
- Verify that Microsoft Exchange and Outlook clients are fully patched against CVE-2023-23397.
Infrastructure Hardening
- Consider restricting outbound SMB traffic (TCP port 445) at the network perimeter so that a coerced authentication, such as the one triggered by CVE-2023-23397, cannot deliver a Net-NTLMv2 hash to an attacker-controlled server for relay or offline cracking.
- Evaluate implementing strict DNS filtering and monitoring to detect unauthorized changes to DNS resolvers on edge devices.
- If applicable, restrict access to unsanctioned cloud storage services (Koofr, icedrive, Filen) at the proxy or firewall level.
User Protection
- Consider enforcing phishing-resistant MFA (e.g., FIDO2) to mitigate the impact of credential harvesting and Adversary-in-the-Middle attacks.
- Evaluate policies restricting the use of unmanaged messaging applications (like Signal Desktop) for receiving work-related documents.
Security Awareness
- Consider updating security awareness training to highlight the risks of opening documents received through alternative messaging platforms.
- Educate users on identifying sophisticated webmail phishing clones and the importance of verifying URLs.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1190 - Exploit Public-Facing Application
- T1068 - Exploitation for Privilege Escalation
- T1212 - Exploitation for Credential Access
- T1584.005 - Compromise Infrastructure: Botnet
- T1090.002 - Proxy: External Proxy
- T1102.002 - Web Service: Bidirectional Communication
- T1556 - Modify Authentication Process
- T1114.002 - Email Collection: Remote Email Collection
- T1583.006 - Acquire Infrastructure: Web Services