January 30, 2024

How to detect network artifacts related to APT28 in Sycope?

Detecting network artefacts related to APT28 involves a combination of network monitoring, threat intelligence, and security best practices.

APT28, also known as Fancy Bear, is a sophisticated and notorious Advanced Persistent Threat group associated with state-sponsored cyber-espionage activities. APT28 is believed to be connected to the Russian government and has been active since at least 2004. The group has been implicated in various high-profile cyber campaigns targeting governmental, military, diplomatic, defence industry, and non-governmental organizations across the world. Additionally, this group primarily engages in cyber-espionage activities, seeking to gather intelligence and sensitive information from targeted organizations. Their focus extends to political, military, and economic targets. The group conducts highly targeted and persistent attacks against specific entities, often tailoring their tactics, techniques, and procedures (TTPs) to the characteristics of the target. APT28 is known for using advanced and sophisticated techniques, including zero-day exploits, custom malware, social engineering, and phishing campaigns. They continuously evolve their tools and methods to avoid detection.

Here are some general steps you can take:

1. Network Monitoring:

- Traffic Analysis: Monitor network traffic for unusual patterns or spikes in data transfer.

- Anomaly Detection: Use network anomaly detection tools to identify deviations from baseline behaviour.

- Packet Inspection: Analyze network packets for suspicious activities, such as unusual communication patterns or encrypted traffic.

2. Log Analysis:

- Firewall Logs: Regularly review firewall logs for any unauthorized access attempts or suspicious connections.

- Proxy Server Logs: Analyze proxy server logs for unusual user behaviour, particularly if there are unexpected connections or data transfers.

- DNS Logs: Monitor DNS logs for any unusual domain requests or patterns indicative of command and control (C2) communications.

3. Threat Intelligence Integration:

- Use Threat Feeds: Integrate threat intelligence feeds into your security infrastructure to identify known indicators of compromise (IoCs) associated with APT28.

- IOC Databases: Regularly check and compare your network logs against public and private databases of APT28-related IoCs.

4. Signature-Based Detection:

- Intrusion Detection/Prevention Systems (IDS/IPS): Implement signature-based detection mechanisms on your IDS/IPS to identify known APT28 attack patterns.

- Antivirus/Anti-malware: Ensure that your antivirus solutions are updated with signatures that detect malware associated with APT28 campaigns.

5. Behavioural Analysis:

- User Behaviour Analytics (UBA): Implement UBA solutions to identify unusual or suspicious user activities on the network.

- Endpoint Detection and Response (EDR): Use EDR solutions to monitor endpoint behavior for signs of compromise.

6. Incident Response:

- Incident Response Plan: Have a well-defined incident response plan in place, including procedures for investigating and mitigating APT28-related incidents.

- Forensic Analysis: Conduct thorough forensic analysis in the event of a suspected compromise to identify the extent of the breach.

7. Employee Training:

- Phishing Awareness: Educate employees on phishing threats and social engineering tactics commonly used by APT28.

Between December 15 and 25, 2023, several cases were detected in which emails containing links to "documents" were distributed to state organizations; visiting those links led to computers being compromised by malicious programs, probably used by the APT28 group. The Computer Emergency Response Team of Ukraine (CERT-UA) published (https://cert.gov.ua/article/6276894) indicators of compromise (IoC) for this activity, and based on them the Sycope team prepared a search that detects this malicious activity in network flows.

lookupKeyExists("APT28_IPs", {"ip": clientIp} ) OR lookupKeyExists("APT28_IPs", {"ip": serverIp}) OR lookupKeyExists("APT28_Domains", {"domain": dnsQuery}) | set bytes=add(clientBytes, serverBytes) | aggr bytes=sum(bytes) by clientIp,serverIp unwind=true | sort bytes desc | bytes > 500 | project +clientIp,+serverIp,+bytes as clientBytes

Malicious IPs detected by CERT-UA
Malicious domains detected by CERT-UA
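To show what the Sycope search above actually does, here is the same logic replayed in plain Python over constructed flow records. This is an added example, not code from the original post or from Sycope; it assumes flow records carry the field names the query uses (clientIp, serverIp, clientBytes, serverBytes, dnsQuery), and the two lookup tables are filled with placeholder addresses from documentation ranges (RFC 5737 and .invalid), not with the CERT-UA indicators.

```python
"""Replay of the Sycope IoC flow search in plain Python (added example).

Assumptions (not from the original post): flow records are dicts keyed by
the field names the Sycope query uses; the APT28_IPs / APT28_Domains lookup
tables are stand-ins built from documentation ranges, not real indicators.
"""
from collections import defaultdict

# Constructed stand-ins for the APT28_IPs / APT28_Domains lookup tables.
APT28_IPS = {"192.0.2.10", "198.51.100.23"}                 # placeholders, not real IoCs
APT28_DOMAINS = {"c2.example.invalid", "update.example.invalid"}  # placeholders


def lookup_key_exists(table: set, value) -> bool:
    """Mirror of lookupKeyExists(): True when the value is present in the table.
    Matching is case-insensitive and ignores a trailing dot on FQDNs."""
    if value is None:
        return False
    return str(value).strip().rstrip(".").lower() in table


def is_ioc_hit(flow: dict) -> bool:
    """First stage of the query: clientIp, serverIp or dnsQuery in a lookup table."""
    return (lookup_key_exists(APT28_IPS, flow.get("clientIp"))
            or lookup_key_exists(APT28_IPS, flow.get("serverIp"))
            or lookup_key_exists(APT28_DOMAINS, flow.get("dnsQuery")))


def search(flows, min_bytes: int = 500):
    """Equivalent of: set bytes=add(clientBytes, serverBytes)
    | aggr bytes=sum(bytes) by clientIp,serverIp | sort bytes desc | bytes > min_bytes."""
    totals = defaultdict(int)
    for f in flows:
        if not is_ioc_hit(f):
            continue
        pair = (f["clientIp"], f["serverIp"])
        totals[pair] += int(f.get("clientBytes", 0)) + int(f.get("serverBytes", 0))
    rows = [{"clientIp": c, "serverIp": s, "bytes": b}
            for (c, s), b in totals.items() if b > min_bytes]
    rows.sort(key=lambda r: r["bytes"], reverse=True)
    return rows


# Constructed flow records using the field names from the query.
SAMPLE_FLOWS = [
    {"clientIp": "10.0.0.5", "serverIp": "192.0.2.10", "clientBytes": 300, "serverBytes": 450, "dnsQuery": None},
    {"clientIp": "10.0.0.5", "serverIp": "192.0.2.10", "clientBytes": 120, "serverBytes": 80, "dnsQuery": None},
    # DNS lookup of a listed domain: an IoC hit, but only 180 bytes in total
    {"clientIp": "10.0.0.7", "serverIp": "10.0.0.53", "clientBytes": 60, "serverBytes": 120, "dnsQuery": "C2.EXAMPLE.INVALID."},
    # Large but benign transfer: no IoC hit, so it never reaches the aggregation
    {"clientIp": "10.0.0.9", "serverIp": "203.0.113.8", "clientBytes": 9000, "serverBytes": 40000, "dnsQuery": None},
    # Listed server, but only 300 bytes: hit, dropped by the 500-byte filter
    {"clientIp": "10.0.0.11", "serverIp": "198.51.100.23", "clientBytes": 100, "serverBytes": 200, "dnsQuery": None},
]

if __name__ == "__main__":
    for row in search(SAMPLE_FLOWS):
        print(f"{row['clientIp']:>12} -> {row['serverIp']:<16} {row['bytes']} bytes")
```

With the constructed records only the 10.0.0.5 to 192.0.2.10 pair survives (two flows summed to 950 bytes). Note the side effect of the `bytes > 500` stage: the DNS query for a listed domain is an IoC hit but totals just 180 bytes, so it is filtered out. Running `search(SAMPLE_FLOWS, min_bytes=0)` keeps it, which is why it is worth reviewing the dnsQuery matches in a separate view before applying a volume threshold.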

It's important to note that APT28 is known for employing sophisticated and targeted attacks, often customizing their tools to evade detection. Regularly updating security measures, staying informed about the latest threats, and collaborating with relevant threat intelligence communities can enhance your organization's ability to detect and respond to APT28-related network artefacts.
