
Advanced Persistent Threat 28

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Advanced Persistent Threat 28
Name: Advanced Persistent Threat 28 (APT28)
Aliases: Fancy Bear, Sofacy, Sednit, Pawn Storm, STRONTIUM / Forest Blizzard
Type: Cyber threat actor
Origin: Russia (attributed to GRU military intelligence, Unit 26165)
Active: at least 2007–present
Affiliation: State-sponsored (attribution made public by the US and UK governments in 2018)
Motives: Espionage, data exfiltration, intellectual property theft, hack-and-leak influence operations

Advanced Persistent Threat 28 (APT28) is the designation FireEye (now Mandiant) gave to a Russian cyber espionage actor; other vendors track the same activity under their own names, including Fancy Bear (CrowdStrike), Sofacy (Kaspersky Lab), Sednit (ESET), Pawn Storm (Trend Micro) and STRONTIUM, later renamed Forest Blizzard (Microsoft). The group has run long-running campaigns against diplomatic, military, energy and defense-related entities. Analysts from FireEye, Kaspersky Lab, Palo Alto Networks and Mandiant have published findings attributing nation-state tradecraft to it and linking its infrastructure to operations against targets associated with NATO, the United Nations and multinational corporations (reports name firms such as Siemens and Schneider Electric). Reporting from Symantec and Trend Micro has chronicled tooling overlaps across these vendor clusters, and in July 2018 the US Department of Justice indicted officers of Unit 26165 of the GRU (the Main Directorate of the General Staff of the Armed Forces of the Russian Federation) for the group's intrusions, an attribution the UK National Cyber Security Centre publicly endorsed later that year.

Overview

APT28 displays the hallmarks of a persistent adversary: custom malware development, long-term access to compromised networks, and strategic reconnaissance aligned with Russian government interests. ESET, Bitdefender and Cisco Talos have compared its operational tempo with that of actors such as APT29 (also Russian), Turla and Lazarus Group. Observed victimology spans embassies and ministries of European Union member states, think tanks such as Chatham House and the Council on Foreign Relations, defense contractors including Raytheon and BAE Systems, energy firms such as ExxonMobil and Rosneft, and, in the hack-and-leak operations of 2016 and 2017, sports bodies and political campaigns. Open-source analysts working from datasets such as VirusTotal, Shodan and Hybrid Analysis correlate the group's command-and-control domains through shared registrars, registrant patterns and hosting providers, and reporting has tied some of that infrastructure to operations against entities such as Munich Security Conference attendees.

History and Attribution

FireEye first publicly profiled the group under the APT28 name in October 2014, tracing its activity back to at least 2007. CrowdStrike publicly attributed the 2016 intrusion into the Democratic National Committee to the same actor (as Fancy Bear) during the 2016 United States presidential election, and periods of NATO-Russia tension, including disputes aired in the NATO-Russia Council, have repeatedly coincided with surges in its targeting. Subsequent technical reporting from Kaspersky Lab and incident timelines compiled by Microsoft Threat Intelligence linked overlapping IP infrastructure to campaigns affecting organizations in Ukraine, Germany (including the 2015 intrusion into the Bundestag) and France. Attribution has drawn on Five Eyes intelligence agencies and on independent researchers, including university groups at Stanford University and the University of Oxford, who have compared code reuse, compile timestamps (which FireEye found clustered in Moscow working hours) and Russian-language build artifacts against other adversary profiles; the 2018 Department of Justice indictment of twelve GRU officers and advisories from Department of Homeland Security-affiliated CERTs made the state attribution official.

Tools, Techniques, and Procedures

Tooling attributed to the actor includes bespoke backdoors, credential harvesters and lateral movement frameworks documented by analysts at SentinelOne, Carbon Black and others; named families include the Sofacy (SOURFACE) and CORESHELL downloaders, the X-Agent (CHOPSTICK) implant, the X-Tunnel network tunneler, the Zebrocy toolset, the LoJax UEFI implant reported by ESET in 2018 and the Drovorub Linux toolkit described by the NSA and FBI in 2020. Its persistence techniques resemble those of other long-running espionage operations, and its initial access relies heavily on spear-phishing built around event themes, including the Munich Security Conference and Atlantic Council events, and on fake webmail login pages hosted on look-alike domains that harvest credentials. The actor has exploited vulnerabilities in products from Microsoft, Adobe and Oracle, including in zero-day chains referenced in advisories from CERT-EU and US-CERT (for example CVE-2015-2590 in Java, reported by Trend Micro, the Office EPS flaw CVE-2017-0262, and the Outlook flaw CVE-2023-23397, which Microsoft attributed to the group), and has used legitimate platforms including WordPress, GitHub and Dropbox to blend command-and-control traffic with ordinary web activity. Forensic reporting often notes the statically linked OpenSSL library in X-Tunnel and tunneling via services comparable to Cloudflare and Akamai infrastructure.
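The credential-harvesting pattern described above, fake login pages on domains that imitate a real webmail service, can be triaged automatically from the URLs extracted out of suspicious mail. The following script is an added example written for this article, not tooling from any of the vendors named; the brand list, the public-suffix shortlist and the sample URLs are constructed, and the three heuristics (an edit distance of one from a brand name, a brand token inside the registrable domain, a brand name used as a subdomain label of an unrelated apex) are an illustration rather than a complete detector.

```python
"""Triage of URLs from suspected spear-phishing mail for login-page impersonation.

Added example for this article; not code from any vendor named above.
Brand lists, suffix list and sample URLs are constructed, not real indicators.
"""
from urllib.parse import urlparse

# Legitimate login domains the organisation wants protected (assumed list).
BRAND_DOMAINS = {"google.com", "microsoft.com", "yahoo.com", "office365.com"}
# Name tokens that should not appear in an unrelated registrable domain.
BRAND_WORDS = {"google", "gmail", "microsoft", "outlook", "yahoo", "office365", "owa"}
# Minimal two-label public suffixes; production code would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Registrable (apex) domain: 'owa.x.com.evil.org' -> 'evil.org'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of exactly 1 is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> list[str]:
    """Reasons a host looks like an impersonation; [] means nothing fired."""
    host = host.lower().rstrip(".")
    apex = registrable_domain(host)
    if apex in BRAND_DOMAINS:
        return []  # the genuine service
    reasons = []
    apex_label = apex.split(".")[0]
    # 1. Typosquat of a brand's label ("gooogle", "micros0ft").
    for brand in sorted(BRAND_DOMAINS):
        if levenshtein(apex_label, brand.split(".")[0]) == 1:
            reasons.append(f"typosquat of {brand}")
    # 2. Brand token inside an unrelated apex ("accounts-google-login.net").
    tokens = set(apex_label.replace("_", "-").split("-"))
    hit = sorted(tokens & BRAND_WORDS)
    if hit:
        reasons.append(f"brand token {hit} in apex {apex}")
    # 3. Brand name used as a sub-domain label of an unrelated apex
    #    ("owa.microsoft.com.mail-secure.org").
    sub_labels = host[: -len(apex)].rstrip(".").split(".") if host != apex else []
    hit = sorted(set(sub_labels) & BRAND_WORDS)
    if hit:
        reasons.append(f"brand label {hit} in sub-domain of {apex}")
    return reasons


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Map each flagged URL to its reasons; unflagged URLs are omitted."""
    flagged = {}
    for url in urls:
        host = urlparse(url).hostname
        if not host:
            continue
        reasons = classify_host(host)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample: URLs as they might be extracted from phishing mail.
SAMPLE_URLS = [
    "https://accounts.google.com/signin",                 # genuine
    "http://accounts-google-login.net/ServiceLogin",       # brand token in apex
    "https://mail.gooogle.com/auth",                       # typosquat
    "https://owa.microsoft.com.mail-secure.org/owa/",      # brand as sub-domain
    "https://example.org/newsletter",                      # benign
]

if __name__ == "__main__":
    for url, why in triage(SAMPLE_URLS).items():
        print(url, "->", "; ".join(why))
```

On the five constructed URLs the script flags three and leaves the genuine Google host and the unrelated newsletter domain alone. The heuristics deliberately work on the registrable domain rather than on the full host name, because an attacker controls every label to the left of the apex and will happily put the real brand there.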

Notable Campaigns and Targets

Well-documented campaigns include the 2015 intrusion into the German Bundestag, the 2015 attack on the French broadcaster TV5Monde, the 2016 compromise of the Democratic National Committee and the Clinton campaign, the 2016 theft and leaking of athlete medical records from the World Anti-Doping Agency, the 2017 targeting of Emmanuel Macron's presidential campaign, and the 2018 attempted close-access operation against the Organisation for the Prohibition of Chemical Weapons in The Hague, which Dutch authorities disrupted. Reporting has also described espionage against diplomatic missions and against energy sector entities during disputes such as those over Nord Stream, intrusions affecting contractors like Lockheed Martin and research institutions including the Massachusetts Institute of Technology and Karlsruhe Institute of Technology, and targeting of non-governmental organizations similar to Human Rights Watch and Amnesty International and of media organizations akin to The New York Times and The Guardian during politically sensitive reporting periods. Investigations by Europol and national CERTs often correlate this activity with credential-theft operations themed on events hosted by the Brookings Institution and the Wilson Center.

Impact and Mitigation

Impacts have ranged from strategic intelligence collection and the public leaking of stolen data to intellectual property loss affecting industrial conglomerates such as Thyssenkrupp and General Electric. Mitigation guidance from Microsoft Security Response Center, Cisco and Fortinet emphasizes prompt patching of the CVEs the group exploits (tracked in MITRE's CVE list and in vendor advisories) and deployment of endpoint detection and response tooling such as CrowdStrike Falcon, SentinelOne Singularity and Sophos Intercept X. Incident response engagements have involved Deloitte, Accenture and PwC alongside national bodies such as CISA and the National Cyber Security Centre, whose joint advisories (for example the July 2021 NSA, CISA, FBI and NCSC advisory on Unit 26165's password-spraying campaign against cloud and VPN services) recommend network segmentation, multifactor authentication rolled out with providers like Duo Security and Authy (preferably phishing-resistant methods, given the group's reliance on credential phishing), and supply chain risk assessments referencing ISO and NIST standards.

Detection and Intelligence Sharing

Detection relies on telemetry aggregated by platforms including VirusTotal, AlienVault OTX and Recorded Future, with threat hunting playbooks circulated through communities such as FIRST and sector ISACs like the Financial Services ISAC and Health-ISAC; in practice that means matching shared indicators (domains, IP addresses and file hashes, increasingly delivered as STIX bundles alongside YARA and Sigma rules) against an organization's own DNS, proxy and endpoint logs. Intelligence sharing among the Five Eyes, the NATO Cooperative Cyber Defence Centre of Excellence and regional CERTs has produced coordinated advisories and takedown operations, alongside private sector partnerships involving Microsoft Threat Intelligence and Google's Threat Analysis Group (Microsoft, for instance, has repeatedly used court orders to seize domains the group registered). Public-private collaboration efforts reference ENISA frameworks and the reporting mechanisms used in disclosures to regulators such as the European Securities and Markets Authority.
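The indicator-matching step that these sharing arrangements feed is simple enough to show end to end. The script below is an added example for this article, not code from any platform or community named above: it reads a minimal STIX 2.1 bundle, compiles the single-comparison patterns (domain, IPv4 address, SHA-256) into matchers, and runs them over key=value telemetry lines. The bundle, the log lines, the placeholder UUIDs, the TEST-NET-3 address and the hash (computed at runtime from a constructed byte string) are all constructed; none is a real indicator.

```python
"""Match STIX 2.1 indicator patterns against host/network telemetry.

Added example, not code from any vendor or sharing community named above.
The bundle and the log lines are constructed for this illustration; the
domain, IP (TEST-NET-3 range) and hash are placeholders, not real IOCs.
"""
import hashlib
import json
import re
from dataclasses import dataclass

# Hash of a constructed byte string, so no real malware hash appears here.
SAMPLE_HASH = hashlib.sha256(b"constructed sample for illustration").hexdigest()

# A minimal STIX 2.1 bundle as it might arrive from a sharing platform (constructed).
BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example-update.net']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "placeholder"},
    ],
})

# Constructed telemetry: DNS, connection and process events in key=value form.
SAMPLE_LOG = f"""\
2024-03-01T10:02:11Z dns client=10.0.0.5 query=c2.example-update.net type=A
2024-03-01T10:02:12Z dns client=10.0.0.5 query=www.example.org type=A
2024-03-01T10:02:30Z dns client=10.0.0.7 query=cdn.C2.example-update.net. type=A
2024-03-01T10:03:40Z conn client=10.0.0.5 dst=203.0.113.45:443
2024-03-01T10:03:41Z conn client=10.0.0.5 dst=10.0.0.9:445
2024-03-01T10:05:02Z proc host=ws01 sha256={SAMPLE_HASH} image=C:\\Users\\a\\AppData\\Roaming\\svchost.exe
"""

# One comparison expression: [type:field = 'value']. Compound patterns
# (AND/OR, FOLLOWEDBY, time windows) are out of scope for this example.
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\]$")

# Which telemetry field each supported STIX observable maps to.
FIELD_MAP = {
    ("domain-name", "value"): "query",
    ("ipv4-addr", "value"): "dst",
    ("file", "hashes.'SHA-256'"): "sha256",
}


@dataclass(frozen=True)
class Indicator:
    id: str
    log_field: str
    value: str


def parse_stix_patterns(bundle_json: str) -> list[Indicator]:
    """Extract single-comparison indicators from a bundle; others are skipped."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue
        key = (m.group(1), m.group(2))
        if key in FIELD_MAP:
            out.append(Indicator(obj["id"], FIELD_MAP[key], m.group(3).lower()))
    return out


def parse_log_line(line: str) -> dict:
    """'ts kind k=v k=v' -> dict; normalises domains and strips ports from dst."""
    ts, kind, *pairs = line.split()
    rec = {"ts": ts, "kind": kind}
    for p in pairs:
        k, _, v = p.partition("=")
        rec[k] = v
    if "query" in rec:
        rec["query"] = rec["query"].lower().rstrip(".")
    if "dst" in rec:
        rec["dst"] = rec["dst"].rsplit(":", 1)[0]
    if "sha256" in rec:
        rec["sha256"] = rec["sha256"].lower()
    return rec


def matches(ind: Indicator, rec: dict) -> bool:
    v = rec.get(ind.log_field)
    if v is None:
        return False
    if ind.log_field == "query":
        # Sub-domains of a flagged domain count as hits too.
        return v == ind.value or v.endswith("." + ind.value)
    return v == ind.value


def hunt(bundle_json: str, lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (indicator id, timestamp, matched value) for every hit."""
    inds = parse_stix_patterns(bundle_json)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        for ind in inds:
            if matches(ind, rec):
                hits.append((ind.id, rec["ts"], rec[ind.log_field]))
    return hits


if __name__ == "__main__":
    for hit in hunt(BUNDLE, SAMPLE_LOG.splitlines()):
        print(hit)
```

Against the constructed log the hunt returns four hits from three indicators: two DNS queries (one of them a mixed-case sub-domain with a trailing dot, which the normalisation step folds onto the flagged apex), one connection to the listed address, and one process whose hash matches. The normalisation and the sub-domain rule are the parts worth copying; real bundles also carry compound patterns and `valid_until` timestamps that a production matcher has to honour.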

Category:Cyber threat groups