Threat Actor Profile: APT28 / Fancy Bear
Cybersecurity threats and attacks are often associated with malicious actors aiming to gain financial profit through phishing campaigns or ransomware attacks. However, a less common but equally, if not more, severe form of attack deserves attention: espionage and information theft by state-funded or state-affiliated threat actors. Their campaigns are increasing significantly, with over 11% of cyber incidents motivated by espionage. One such threat actor is a Russian advanced persistent threat (APT) group referred to by over 20 different aliases, but most commonly known as APT28, Fancy Bear, Sofacy, or Pawn Storm. Based on the group’s known activities, it is generally considered to be one of Russia’s most prolific threat actors.
The main targets of APT28 are governments and embassies, military organizations, and the energy sector, indicating Russian state influence over the group’s operations. The group is characterized by its ever-evolving toolset, and it has shown the ability to compromise the networks of high-profile agencies and institutions by way of simple but convincing phishing emails and self-developed malware. In order to make reliable predictions about the group’s future activities, this overview assesses its background, motivations, tools and techniques, and the overall trends that describe the behavior of APT28.
- Aliases: APT28, Pawn Storm, Fancy Bear, Sednit, SNAKEMACKEREL, TsarTeam, TG-4127, STRONTIUM, Swallowtail, IRON TWILIGHT, Group 74, SIG40, Grizzly Steppe, G0007, ATK5, Fighting Ursa, ITG05, Blue Athena, TA422, APT-C-20, UAC-0028, FROZENLAKE, Sofacy, Forest Blizzard, BlueDelta, Group-4127, Grey-Cloud, T-APT12, TAG-0700, Threat Group-4127
- Strategic motives: Espionage, Information theft
- Affiliation: Russian Main Intelligence Directorate (GRU)
- Cyber capabilities: ★★★☆☆
- Target sectors: Defence, Embassies, Government, Media, Energy infrastructure
- Observed countries: Afghanistan, Albania, Armenia, Asia Pacific Economic Cooperation, Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chile, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, European Commission, France, Georgia, Germany, Greece, Hungary, Iceland, India, Iran, Iraq, Italy, Japan, Jordan, Kazakhstan, Latvia, Lithuania, Luxembourg, Malaysia, Mexico, Mongolia, Montenegro, Netherlands, North Macedonia, Norway, Pakistan, Poland, Portugal, Romania, Saudi Arabia, Slovakia, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Tajikistan, Thailand, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan
Origins, Motivations & Targets
Origins
Although Fancy Bear was first detected in 2010[2] and the first exhaustive report on the group’s extensive cyber espionage activities was published in 2014,[3] the pattern of organized development in Fancy Bear’s tooling indicates that the group had likely been active since 2007.[4] Moreover, an antivirus report from 2004 describes an access method that appears to be an early version of EvilToss, a backdoor commonly used by Fancy Bear, indicating that a portion of the group had likely been operating for much longer than is known.[5]
It is widely accepted that Fancy Bear originates from the Russian Federation, as the majority of their malware compiled between 2007 and 2013 included Russian language settings, and the times of their attacks are consistent with European-Russian working hours, indicating a government setting.[6] The group’s affiliation with Russian intelligence agencies had been theorized since the detection of their activities,[7] and was later confirmed; Fancy Bear is believed to be Unit 26165 of the Russian military intelligence agency, the Main Intelligence Directorate (GRU). Their operations are consistent with the flexibility and variety enabled by extensive state funding. As to the composition of the group, the Kremlin has been known to recruit talent through social media and college campuses, as well as by blackmailing hackers with criminal histories into joining cyber-intelligence groups.[8] The result is a group consisting of highly skilled, selected individuals operating in the interest of the Russian Federation. Considering Fancy Bear’s long undetected activity, the resources provided by the Russian state, and their history of successful attacks and campaigns, the group continues to pose an imminent threat to various sectors globally.[9]
Motivations & Targets
The main focus of Fancy Bear’s observed attacks relates to governmental and military agencies, the energy sector, and the media, with the primary motivations of espionage and information theft aligning with Russian state interests.[10] The first decade of their activities targeted countries in the Caucasus region, Eastern European governments, and international security organizations such as NATO, with the aim of gaining geopolitical advantage from the intelligence collected through phishing campaigns. For instance, in 2014, Fancy Bear was discovered to be targeting attendees of a joint military training event between the three Baltic states and the US Army.[11] As the Baltic states’ integration into NATO and the EU is considered by Russia as a threat,[12] the attacks by Fancy Bear had the potential of providing Russia with “sensitive tactical and strategic intelligence concerning regional military capabilities and relationships.”[13] This example demonstrates the group’s abilities through their geopolitically motivated campaigns up until the 2014 FireEye report.[14] Contrary to some expectations, however, Fancy Bear did not disappear after its 2014 exposure in the FireEye report; quite the opposite, the range of targeted states and sectors only broadened.
In 2015, Fancy Bear carried out Operation Russian Doll and the CyberCaliphate attacks, both described in more detail in the Campaigns Overview section. Although the immediate aim of these attacks was not information gathering, but rather causing confusion and political turmoil, the motivation behind them can be deduced to be the furthering of Russia’s political gains by turning Western governments’ attention to the Middle East.
In 2016, Fancy Bear conducted two high-profile campaigns that drew global attention to the group’s activity aligning with Russian state interests: the Olympic Games attacks and the DNC attacks. Both were motivated by information gathering and by furthering Russia’s reputation and interests.
After these widely publicized campaigns, Fancy Bear withdrew from sensational activities and focused on more covert information theft until the Russian invasion of Ukraine in 2022,[15] which provided new opportunities for attacks against Ukrainian governmental and media institutions, as well as US and EU institutions involved in foreign policy.[16]
Campaigns Overview
- Georgia Attacks (2008)
- Operation Russian Doll (2015)
- CyberCaliphate Attacks (2015)
- MH17 Information Gathering Campaign (2015)
- Olympic Games Attacks (2016)
- DNC Attacks (2016)
- OPCW Attack (2018)
- Ukraine Cyber Warfare (2022)
These attacks extend beyond Ukraine; Fancy Bear has also targeted NATO countries and other European Union members. In December 2023, they exploited a Microsoft Outlook zero-day vulnerability (CVE-2023-23397) to breach networks of European government and military organizations. Fancy Bear's campaigns aim to gather intelligence, steal sensitive data, and disrupt critical infrastructure, reflecting an ongoing attempt by Russian military intelligence to support its wartime objectives. Their attacks have led to widespread condemnation and responses from Western governments.[27]
SWOT analysis
Strengths, weaknesses, opportunities & threats
Strengths
- Significant resources available from the Russian state
- Knowledge and experience to create customized tools
Weaknesses
- Relies heavily on human error
- Relative lack of care regarding operational security
Opportunities
- Ability to operate in Russia without the fear of prosecution
- Opportunities to further develop and utilize their tools during the Russia-Ukraine conflict
Threats
- Increased attention on Russian activity in general
- Opportunity for their adversaries to infiltrate and expose the group due to their poor internal cybersecurity practices
Fancy Bear in the Netherlands
Fancy Bear activity has been observed in at least 59 countries around the world, including the Netherlands. The first well-documented attacks against Dutch agencies and nationals occurred after the MH17 tragedy. In July 2014, 298 people lost their lives when Malaysian Airlines Flight 17 was shot down by Russian forces in Ukrainian airspace. The majority of victims (193 passengers) were Dutch, which caused the Netherlands and its citizens extreme grief and distress. The Dutch Safety Board (‘Onderzoeksraad Voor Veiligheid’) was tasked with investigating the tragedy. In October 2015, while the investigation was still ongoing, a coordinated attack was directed at “Dutch, Malaysian, Australian, Belgian, and Ukrainian authorities” in an attempt to gather information regarding the investigation into the downing of MH17.[61]
The attackers mimicked the DSB’s VPN servers in order to harvest the credentials of its users, and also set up a “rogue” Outlook Web Access server targeting the DSB’s partner organizations.[62] Based on these tools and techniques, researchers at Trend Micro were able to identify the group as Fancy Bear. The same group was later identified as being behind the phishing emails sent between February 2015 and July 2016 to Bellingcat, an investigative global journalism team headquartered in Amsterdam.[63] The journalists were covering the MH17 case, and had asserted the involvement of the Russian 53rd Anti-Aircraft Missile Brigade in the crash years before European authorities confirmed it.[64]
Both the DSB and Bellingcat were collecting and analyzing data regarding not only the circumstances of the crash but also the movement of two members of Unit 29155 in and out of the Netherlands.[65] Although this unit had been involved in politically motivated international criminal activities, the two tracked members are not among those later convicted for their involvement in the MH17 crash.[66] Nevertheless, for a group such as Fancy Bear, obtaining this information would be a characteristic motivation for organizing the attacks. Experts, however, believe that the attacks were unsuccessful.[67]
Over the years, Russian groups have been connected to a multitude of attacks in the Netherlands, although the specific APT is not always clearly identified. During the months leading up to the 2017 elections, hundreds of Dutch government employees, including within the Ministry of General Affairs in The Hague, were targeted with phishing emails in an attempt to gather sensitive political information.[68] Dutch General Intelligence and Security Service (AIVD) director-general Rob Bertholee characterized these attacks as “a threat to our democracy.”[69] The AIVD cautioned about the potential dangers of using specific outdated election software, which resulted in the ballots being counted by hand. Interference in the Dutch election may not entirely align with Russian interests, as even the most radical parties were uninterested in building a closer relationship with Russia after the MH17 crash. However, as Hunt & Hackett founder Ronald Prins pointed out, “the Dutch elections are a good practice for them.”[70] Although it is theorized that Fancy Bear and Cozy Bear were behind the initial attacks, the AIVD never confirmed the specific groups. Interference in the election itself was not reported.
The latest known activity of Fancy Bear in the Netherlands was detected by Kaspersky Lab in 2018. The Dutch Military Intelligence and Security Service stopped an attack attributed to Fancy Bear against the Organization for the Prohibition of Chemical Weapons (OPCW), an international organization based in The Hague.[71] Since then, the group’s focus seems to have shifted away from the Netherlands.
Trends & Connections
After some highly publicized campaigns from 2016 to 2018, as described in the previous sections, the group had been avoiding high-profile activities. That changed with the Russian invasion of Ukraine in 2022. Weeks before the military operations began, security companies had already been detecting signs of a possible increase in Russia-backed cyber-attacks across Europe, and it was theorized in January that Fancy Bear had been tasked with gathering intelligence surrounding the escalating conflict with Ukraine.[72] Although in April Microsoft successfully seized several domains used by Fancy Bear to carry out attacks against Ukraine,[73] the group continued its activities. In June, Fancy Bear was observed to have joined a number of attackers exploiting the so-called “Follina” vulnerability (CVE-2022-30190). Follina was a remote code execution vulnerability in the Microsoft Support Diagnostic Tool, discovered as a zero-day in late May 2022,[74] and its exploitation was attributed to multiple threat groups, including ones from China, Belarus, and Russia.[75] Fancy Bear’s campaign using Follina was aligned with their earlier method of distributing phishing emails, this time taking advantage of public fear over nuclear weapons. Upon opening the document, the credential-stealing malware CredoMap was loaded onto the user’s system via the Follina vulnerability.[76] The magnitude of the damage caused by Fancy Bear exploiting this specific vulnerability in the Ukrainian conflict is unknown; however, it clearly exemplifies the possible use of cyberattacks within an international armed conflict.
The war between Russia and Ukraine not only created new channels for established APTs to exploit; new actors entered the arena as well, often motivated by ideology or personal political affiliation with either side. This phenomenon, often referred to as hacktivism, grew rapidly during the first months of the war.[77] Hacktivist operations are most often distinguishable from APT operations by their level of sophistication. During the turbulent events of the war, three groups emerged identifying themselves as Russian hacktivist teams: Xaknet, Infoccentr and CyberArmyofRussia_Reborn. These groups published data leaks on their Telegram channels after attacks on Ukrainian victims.[78] Their activity was consistent with previous Fancy Bear operations, suggesting coordination with the GRU or even directly with Fancy Bear itself.
Links to other APTs
However, hacktivists are not the only actors that have been connected to the group. Earworm, also known as Zebrocy, has been observed carrying out activities similar to Fancy Bear’s, including reconnaissance, taking screenshots, and executing files and commands.[79] The command and control infrastructure used by Earworm has been found to largely overlap with that of Fancy Bear, indicating some level of cooperation between the two groups. Nevertheless, since not much is known about Earworm, the extent of the connection between the two groups is not clear.
Fancy Bear’s most famous connection to another group, however, is the infiltration of the US Democratic National Committee’s network. In 2016, after installing a proprietary software package called Falcon, the DNC was alarmed that Russian actors were present in their system, and two separate actors were identified: Fancy Bear, and Cozy Bear, also known as APT29. The latter is considered to be affiliated with the Russian Foreign Intelligence Service. At the time of discovery, Fancy Bear had been inside the network for only a few weeks, specifically focusing on the research department and materials on Donald Trump, whereas Cozy Bear had been stealing emails for over a year.[80] The breach was significant and resulted in international coverage which was further escalated by the fact that not only one but two separate groups were infiltrating the DNC. Nevertheless, it is not believed that the two groups were acting in a coordinated manner or that they even knew of each other’s presence in the system.[81]
After the DNC attacks, a self-proclaimed hacker under the pseudonym Guccifer 2.0 claimed responsibility for the breach; however, these claims were quickly dismissed. The real identities of Fancy Bear’s members remain largely unknown. A 2018 US indictment and subsequent charges brought against GRU officers in 2020 revealed the names of six alleged GRU officials; however, those officials are associated with Unit 74455, which is believed to be the APT group Sandworm.
Actions have been taken against members of the group in the EU, although only in response to the group’s early activities. In 2020, sanctions including travel bans and asset freezes were imposed on two Fancy Bear members by the EU Council based on the group’s 2015 campaign against the German Federal Parliament.[82] The time lapse between the attacks and the imposition of sanctions reflects the huge gap between criminal activity in cyberspace and the slow and rigid legal mechanisms that respond to it.
Conclusions & Future Implications
To summarize, it is clear that Fancy Bear is a significant danger to both public and private institutions all over the world. Due to their connection to the GRU, the group is well-funded and able to undertake long-term projects to develop new tools for their attacks. They use a wide variety of tools and techniques, although they often rely on simple phishing emails to deploy malware on users’ networks. The group’s targets are not restricted to a geographical area or sector; rather, they focus on strategically important institutions, ranging from WADA to the DNC, and from TV networks to national investigative bodies. The motivation of strategic intelligence gathering was highlighted during their attacks against the Dutch Safety Board and Bellingcat. Had the campaigns succeeded, the Russian state could have used the information about the state of the Dutch investigation in the MH17 case to withdraw cooperation, interfere with the investigation and sidetrack the investigative agencies.
Consistent with their state-controlled status, Fancy Bear primarily engages in activities motivated by not only information gathering but also espionage. This has been escalated by the actual war launched by the Russian Federation against Ukraine. The war and the consequent economic sanctions and export controls imposed by governments and international organizations have caused an economic decline in the country, which is expected to last as long as the war continues.[83] It is theorized that the recession may cause an even further increased cyber response from Russian actors, particularly state-sponsored ones. For instance, attacks against critical Western infrastructures could be carried out as blackmail to force governments to lift their sanctions.[84] Although Fancy Bear is not known for ransomware activities, they have proven to be able to infiltrate and cause destruction in the presumably well-protected networks of government agencies and international organizations. Therefore, it is crucial that advanced awareness of their activities is raised, particularly on the user level.
Sources
[1] ENISA ETL2020 - Cyber Espionage (europa.eu)
[2] Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack - CSMonitor.com
[3] FireEye Report: APT 28: A Window into Russia’s Cyber Espionage Operations? (2014)
[4] FireEye Report: APT 28: A Window into Russia’s Cyber Espionage Operations? (2014) p.24.
[5] FireEye Report: APT 28: A Window into Russia’s Cyber Espionage Operations? (2014) p.23.
[6] FireEye Report: APT 28: A Window into Russia’s Cyber Espionage Operations? (2014) p.5.
[7] Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack - CSMonitor.com
[8] The Kremlin’s cyber contractors. Their motives and risks - Euromaidan Press
[9] The Kremlin’s cyber contractors. Their motives and risks - Euromaidan Press
[10] Hunt & Hackett Threat Diagnostic System
[11] FireEye Report: APT 28: A Window into Russia’s Cyber Espionage Operations? (2014) p.13.
[13] FireEye Report: APT 28: A Window into Russia’s Cyber Espionage Operations? (2014) p.13.
[14] Anomali
[15] Anomali
[16] Microsoft disrupted APT28 attacks on Ukraine through a court order Security Affairs
[17] FireEye Report: APT 28: A Window into Russia’s Cyber Espionage Operations? (2014) p.7
[18] Anomali
[19] Russian hackers posed as IS to threaten military wives - Chicago Tribune (archive.org)
[20] How France's TV5 was almost destroyed by 'Russian hackers' - BBC News
[21] FireEye iSIGHT Report: APT28: At the Center of the Storm (2017) p.6.
[23] Our Work with the DNC: Setting the record straight (crowdstrike.com)
[27] Hunt & Hackett Threat Diagnostic System
[30] Pawn Storm’s Lack of Sophistication as a Strategy (trendmicro.com)
[31] Trend Micro Report: Two Years of Pawn Storm (2017) p.19
[32] Trend Micro Report: Two Years of Pawn Storm (2017) p.22-23.
[33] FireEye iSIGHT Report: APT28: At the Center of the Storm (2017) p.11.
[34] Trend Micro Report: Two Years of Pawn Storm (2017) p.25.
[35] Trend Micro Report: Two Years of Pawn Storm (2017) p.27.
[36] FireEye iSIGHT Report: APT28: At the Center of the Storm (2017) p.11.
[37] Trend Micro Report: Two Years of Pawn Storm (2017) p.30-31.
[38] New ESET research paper puts Sednit under the microscope | WeLiveSecurity
[40] Drive-by Compromise, Technique T1189 - Enterprise | MITRE ATT&CK®
[41] FireEye iSIGHT Report: APT28: At the Center of the Storm (2017) p.12.
[42] Trend Micro Report: Two Years of Pawn Storm (2017) p.29.
[43] https://attack.mitre.org/groups/G0007/
[44] Hunt & Hackett Threat Diagnostic System
[46] National Cyber Security Centre: Indicators of Compromise for Malware used by APT28 (2018) p.2.
[47] CHOPSTICK, Software S0023 | MITRE ATT&CK®
[48] Our Work with the DNC: Setting the record straight (crowdstrike.com)
[49] ESET: En Route with Sednit Part 2: Observing the Comings and Goings (2016) p.55.
[50] National Cyber Security Centre: Indicators of Compromise for Malware used by APT28 (2018) p.4.
[51] CHOPSTICK, Software S0023 | MITRE ATT&CK®
[52] National Cyber Security Centre: Indicators of Compromise for Malware used by APT28 (2018) p.6.
[53] Zebrocy, Software S0251 | MITRE ATT&CK®
[54] National Cyber Security Centre: Indicators of Compromise for Malware used by APT28 (2018) p.6.
[55] APT28 Attacks Evolution (marcoramilli.com)
[56] APT28 Attacks Evolution (marcoramilli.com)
[57] What is a Data Source? Definitions and Examples | Talend
[58] Network Traffic, Data Source DS0029 | MITRE ATT&CK®
[59] Hunt & Hackett Threat Diagnostic System.
[60] Hunt & Hackett Threat Diagnostic System.
[61] Pawn Storm Attackers Target MH17 Plane Crash Investigators - SecurityWeek
[62] Pawn Storm Attackers Target MH17 Plane Crash Investigators - SecurityWeek
[63] Russische manipulatie en sabotage in MH17-onderzoek | De Volkskrant
[64] bellingcat - the home of online investigations
[65] Russische manipulatie en sabotage in MH17-onderzoek | De Volkskrant
[66] MH17 plane crash | Public Prosecution Service
[67] Russische manipulatie en sabotage in MH17-onderzoek | De Volkskrant
[68] Russian hackers use Dutch polls as practice | DW Learn German
[69] Hundreds of cyber attacks by Russia and China - EenVandaag (avrotros.nl)
[70] Russian hackers use Dutch polls as practice | DW Learn German
[71] Activiteiten APT-groepen in Nederland in kaart gebracht door Kaspersky Lab - Persberichten.com
[72] Mandiant analysts: Russia-backed APTs likely to ramp up attacks | Computer Weekly
[73] Microsoft prevented hacker attacks against Ukraine by deleting APT28 domains • Mezha.Media
[74] China-linked hackers are exploiting a new vulnerability in Microsoft Office - The Verge
[75] Follina — Microsoft Office code execution vulnerability | Infosec Resources (infosecinstitute.com)
[76] Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign (darkreading.com)
[77] Hacktivism Is Back and Messier Than Ever | WIRED UK
[78] GRU: Rise of the (Telegram) MinIOns | Mandiant
[79] TIR-20220718 Everything You Need to Know About the APT, Fancy Bear (avertium.com)
[83] Russian economy likely to remain in recession throughout 2023 (bofit.fi)
[84] Anticipating a Russian Cyber Response to Economic Sanctions - Truesec
