Fancy Bear (APT28) remains an active Russian state‑aligned espionage actor that quickly adopts newly disclosed vulnerabilities and uses spear‑phishing and credential harvesting to maintain long‑term access to government, defense, energy, and communications targets. The group recently weaponized a Microsoft Office vulnerability to compromise organizations in Eastern Europe and the EU, demonstrating a shift toward lightweight, high‑ROI tradecraft. #FancyBear #CVE-2026-21509
Key points
- Fancy Bear (aka APT28/Strontium/Sofacy and many other aliases) is a long‑running Russian state‑sponsored threat actor active since at least 2007, linked to espionage and political influence operations.
- Researchers observed the group weaponizing a recently disclosed Microsoft Office vulnerability (CVE-2026-21509) to gain stealthy initial access and persistent footholds in government and defense‑aligned organizations in Eastern Europe and the EU.
- The actor has broadened targeting to include energy research, defense collaboration entities, and government communications, often impersonating legitimate portals (webmail, VPN) to harvest credentials.
- Operational trends show a move away from heavy malware toward lightweight, high‑ROI techniques such as spear‑phishing, credential theft, and rapid adoption of publicly disclosed exploits.
- Fancy Bear employs a wide arsenal of malware and tools (examples: Steelhook, Sofacy, Mimikatz) and leverages living‑off‑the‑land techniques to evade detection and sustain long dwell times.
- The activity maps to an extensive set of MITRE ATT&CK techniques spanning Reconnaissance through Impact, indicating comprehensive tradecraft covering initial access, persistence, credential access, C2, collection, exfiltration, and defense evasion.
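The credential-harvesting pattern in the key points relies on hostnames that look like an organisation's own webmail or VPN portal. The following is an added example, not code from CYFIRMA or from the profile, of a defender-side triage check that scores newly observed hostnames (from certificate-transparency feeds, proxy logs or user-reported mail) against the genuine portal names. The portal list, the keyword and homoglyph tables, the thresholds and every hostname below are constructed assumptions, not indicators from the report.

```python
"""
Added example (not from the CYFIRMA profile): flag hostnames that resemble an
organisation's legitimate webmail / VPN portals. All hostnames, thresholds and
tables are constructed for illustration.
"""
from difflib import SequenceMatcher

# Constructed: the organisation's genuine login portals (assumption).
LEGIT_PORTALS = ["webmail.example.gov", "vpn.example.gov", "owa.example.gov"]

# Words commonly attached to a brand name when a login page is cloned.
PORTAL_KEYWORDS = ("webmail", "owa", "vpn", "login", "sso", "mail", "portal")

# Cheap homoglyph folding so 'examp1e' and 'exarnple' compare like 'example'.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

LOOKALIKE_RATIO = 0.8  # SequenceMatcher ratio above which a name is a lookalike (assumption)


def normalise(host):
    """Lower-case, drop a trailing dot and fold common homoglyphs."""
    host = host.lower().strip().rstrip(".")
    for glyph, letter in HOMOGLYPHS.items():
        host = host.replace(glyph, letter)
    return host


def registrable_label(host):
    """Label left of the public suffix: 'example-secure' for 'vpn.example-secure.com'."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def assess(host):
    """Classify one hostname; returns boolean signals plus an overall score in [0, 1]."""
    raw = host.lower().rstrip(".")
    if raw in LEGIT_PORTALS:
        return {"host": host, "score": 0.0, "lookalike": False,
                "brand_reuse": False, "keyword_abuse": False}
    norm = normalise(raw)
    brands = {registrable_label(p) for p in LEGIT_PORTALS}  # {"example"}
    label = registrable_label(norm)
    # Whole-hostname similarity after homoglyph folding (catches vpn.examp1e.gov).
    ratio = max(SequenceMatcher(None, norm, normalise(p)).ratio() for p in LEGIT_PORTALS)
    lookalike = ratio >= LOOKALIKE_RATIO
    # Brand embedded in a different registrable domain (example-secure.com).
    brand_reuse = label not in brands and any(b in label for b in brands)
    # Portal vocabulary on a domain the organisation does not own.
    keyword_abuse = label not in brands and any(k in norm for k in PORTAL_KEYWORDS)
    score = max(ratio if lookalike else 0.0,
                0.7 if brand_reuse else 0.0,
                0.5 if keyword_abuse else 0.0)
    return {"host": host, "score": round(score, 2), "lookalike": lookalike,
            "brand_reuse": brand_reuse, "keyword_abuse": keyword_abuse}


def triage(hosts, threshold=0.5):
    """Return only the suspicious hostnames, most suspicious first."""
    hits = [assess(h) for h in hosts]
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: -h["score"])


# Constructed candidate hostnames, e.g. from a certificate-transparency feed.
CANDIDATES = [
    "intranet.example.gov",        # benign: corporate domain, no portal keyword
    "webmai1.example-secure.com",  # brand reused on a foreign domain, digit homoglyph
    "vpn.examp1e.gov",             # lookalike of vpn.example.gov
    "webmail.example.gov",         # exact legitimate portal
]

if __name__ == "__main__":
    for hit in triage(CANDIDATES):
        print(hit)
```

The score is deliberately coarse: the point is to surface candidates for a human or a takedown workflow, not to block automatically, so the thresholds should be tuned against the organisation's own registered names before use.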
MITRE Techniques
- [T1591] Gather Victim Org Information – Used for reconnaissance to select strategic targets (‘Gather Victim Org Information’).
- [T1598.003] Phishing for Information: Spearphishing Link – Employed spear‑phishing campaigns to harvest credentials and lure users (‘Phishing for Information: Spear phishing Link’).
- [T1598] Phishing for Information – Phishing is a primary vector for credential harvesting and initial access (‘Phishing for Information’).
- [T1596] Search Open Technical Databases – Reconnaissance includes searching open sources for target information (‘Search Open Technical Databases’).
- [T1583.001] Acquire Infrastructure: Domains – Adversary obtains domains to host phishing pages and C2 infrastructure (‘Acquire Infrastructure: Domains’).
- [T1583.003] Acquire Infrastructure: Virtual Private Server – Use of VPSs to host tools and services was noted (‘Acquire Infrastructure: Virtual Private Server’).
- [T1583.006] Acquire Infrastructure: Web Services – Web services are acquired to support phishing pages and C2 (‘Acquire Infrastructure: Web Services’).
- [T1586.002] Compromise Accounts: Email Accounts – The actor compromises email accounts to enable spear‑phishing and persistence (‘Compromise Accounts: Email Accounts’).
- [T1584.008] Compromise Infrastructure: Network Devices – Network devices are targeted or abused to maintain infrastructure access (‘Compromise Infrastructure: Network Devices’).
- [T1588.002] Obtain Capabilities: Tool – Fancy Bear sources or develops tools to support operations (‘Obtain Capabilities: Tool’).
- [T1189] Drive-by Compromise – Drive‑by compromise techniques are listed as initial access options for web‑based exploitation (‘Drive-by Compromise’).
- [T1190] Exploit Public‑Facing Application – Recent campaigns weaponized public‑facing Office vulnerabilities for initial access (‘weaponized a recently disclosed Microsoft Office vulnerability (CVE-2026-21509, CVSS score 7.8)’).
- [T1133] External Remote Services – Use of external remote services (e.g., VPNs, RDP) as access vectors and persistence mechanisms (‘External Remote Services’).
- [T1091] Replication Through Removable Media – Removable media replication is included as a lateral movement/initial access technique (‘Replication Through Removable Media’).
- [T1199] Trusted Relationship – Exploitation of trusted relationships to move between organizations or leverage third parties (‘Trusted Relationship’).
- [T1078] Valid Accounts – Use and abuse of valid accounts to gain access and persist (‘Valid Accounts’).
- [T1078.004] Valid Accounts: Cloud Accounts – Cloud account compromise is used for access and persistence (‘Valid Accounts: Cloud Accounts’).
- [T1566.001] Phishing: Spearphishing Attachment – Spear‑phishing attachments (malicious Office docs) were used to deliver exploits (‘spear‑phishing, credential theft, and long‑term covert access’).
- [T1204.001] User Execution: Malicious Link – Malicious links were employed to induce user execution and deliver payloads (‘User Execution: Malicious Link’).
- [T1203] Exploitation for Client Execution – Exploits embedded in client documents enabled remote code execution (‘embedded exploit logic within crafted Office documents’).
- [T1559.002] Inter‑Process Communication: Dynamic Data Exchange – IPC mechanisms like DDE have been used to execute and persist (‘Inter-Process Communication: Dynamic Data Exchange’).
- [T1204.002] User Execution: Malicious File – Malicious files delivered via attachments triggered user execution (‘User Execution: Malicious File’).
- [T1098.002] Account Manipulation: Additional Email Delegate Permissions – Actor manipulates email delegate permissions to maintain persistence and surveillance (‘Account Manipulation: Additional Email Delegate Permissions’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry run keys/startup folders used for persistence on Windows hosts (‘Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder’).
- [T1037.001] Boot or Logon Initialization Scripts: Logon Script (Windows) – Logon scripts are used to execute code at user login for persistence (‘Boot or Logon Initialization Scripts: Logon Script (Windows)’).
- [T1546.015] Event Triggered Execution: COM Hijacking – Component Object Model hijacking used for event‑triggered persistence (‘Event Triggered Execution: Component Object Model Hijacking’).
- [T1137.002] Office Application Startup: Office Test – Office startup persistence techniques are used to maintain footholds (‘Office Application Startup: Office Test’).
- [T1542.003] Pre‑OS Boot: Bootkit – Pre‑OS boot components (bootkits) are listed as a persistence/defense evasion approach (‘Pre-OS Boot: Bootkit’).
- [T1505.003] Server Software Component: Web Shell – Web shells are used for persistence on compromised servers (‘Server Software Component: Web Shell’).
- [T1134.001] Access Token Manipulation: Token Impersonation/Theft – Access token manipulation supports credential theft and defense evasion (‘Access Token Manipulation: Token Impersonation/Theft’).
- [T1564.001] Hide Artifacts: Hidden Files and Directories – Hidden files and directories are used to conceal tools and payloads (‘Hide Artifacts: Hidden Files and Directories’).
- [T1564.003] Hide Artifacts: Hidden Window – Hidden windows and UI obfuscation used to evade detection during execution (‘Hide Artifacts: Hidden Window’).
- [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – Event logs are cleared to remove forensic traces (‘Indicator Removal: Clear Windows Event Logs’).
- [T1070.004] Indicator Removal on Host: File Deletion – Files are deleted to eliminate indicators of compromise (‘Indicator Removal: File Deletion’).
- [T1070.006] Indicator Removal on Host: Timestomp – Timestomping used to alter timestamps and hinder detection (‘Indicator Removal: Timestomp’).
- [T1036] Masquerading – Tools and files are renamed or placed to mimic legitimate resources (‘Masquerading’).
- [T1036.005] Masquerading: Match Legitimate Resource Name or Location – Matching legitimate resource names/locations to blend in is used in phishing infrastructure and payloads (‘Masquerading: Match Legitimate Resource Name or Location’).
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Payloads and staging files are obfuscated or encrypted to evade inspection (‘Obfuscated Files or Information: Encrypted/Encoded File’).
- [T1014] Rootkit – Rootkit techniques are referenced for deep persistence and stealth (‘Rootkit’).
- [T1218.011] System Binary Proxy Execution: Rundll32 – System binaries like rundll32 are used to proxy execution of malicious code (‘System Binary Proxy Execution: Rundll32’).
- [T1221] Template Injection – Template injection in documents may be used to trigger malicious behavior on open (‘Template Injection’).
- [T1550.001] Use Alternate Authentication Material: Application Access Token – Use of application tokens is part of credential access and lateral movement (‘Use Alternate Authentication Material: Application Access Token’).
- [T1550.002] Use Alternate Authentication Material: Pass the Hash – Pass‑the‑hash techniques facilitate lateral movement using stolen credential material (‘Use Alternate Authentication Material: Pass the Hash’).
- [T1557.004] Adversary‑in‑the‑Middle: Evil Twin – Evil twin Wi‑Fi or MitM techniques used to capture credentials and intercept communications (‘Adversary-in-the-Middle: Evil Twin’).
- [T1110] Brute Force – Brute force approaches are used against accounts to obtain access (‘Brute Force’).
- [T1110.001] Brute Force: Password Guessing – Password guessing tactics are applied to compromise weak accounts (‘Brute Force: Password Guessing’).
- [T1110.003] Brute Force: Password Spraying – Password spraying is used to test common passwords across many accounts (‘Brute Force: Password Spraying’).
- [T1056.001] Input Capture: Keylogging – Keylogging and input capture used to harvest credentials and keystrokes (‘Input Capture: Keylogging’).
- [T1040] Network Sniffing – Network sniffing to capture credentials and network traffic is part of their collection tradecraft (‘Network Sniffing’).
- [T1003] OS Credential Dumping – OS credential dumping tools and techniques (e.g., LSASS extraction) are used to steal credentials (‘OS Credential Dumping’).
- [T1003.001] OS Credential Dumping: LSASS Memory – Dumping LSASS memory to obtain credentials is used by the group (‘OS Credential Dumping: LSASS Memory’).
- [T1003.002] OS Credential Dumping: Security Account Manager – SAM database dumping is used for offline credential retrieval (‘OS Credential Dumping: Security Account Manager’).
- [T1003.003] OS Credential Dumping: NTDS – NTDS dumping from domain controllers supports credential harvesting and lateral movement (‘OS Credential Dumping: NTDS’).
- [T1528] Steal Application Access Token – Application tokens are stolen to access services and move laterally (‘Steal Application Access Token’).
- [T1083] File and Directory Discovery – Discovery of files and directories to identify valuable data for collection and exfiltration (‘File and Directory Discovery’).
- [T1120] Peripheral Device Discovery – Discovery of peripheral devices supports replication and data staging strategies (‘Peripheral Device Discovery’).
- [T1057] Process Discovery – Process discovery is used to identify security tools and target processes for injection or dumping (‘Process Discovery’).
- [T1210] Exploitation of Remote Services – Exploitation of remote services is used for lateral movement and access escalation (‘Exploitation of Remote Services’).
- [T1560] Archive Collected Data – Collected data is archived prior to exfiltration to reduce transfer size and maintain organization (‘Archive Collected Data’).
- [T1560.001] Archive Collected Data: Archive via Utility – Standard utilities are used to compress and archive stolen data (‘Archive Collected Data: Archive via Utility’).
- [T1119] Automated Collection – Automated collection routines are used to gather target data at scale (‘Automated Collection’).
- [T1213] Data from Information Repositories – Data is collected from repositories such as SharePoint and other information stores (‘Data from Information Repositories’).
- [T1213.002] Data from Information Repositories: SharePoint – SharePoint repositories explicitly noted as collection sources (‘Data from Information Repositories: SharePoint’).
- [T1005] Data from Local System – Local system data collection for sensitive files and credentials is performed (‘Data from Local System’).
- [T1039] Data from Network Shared Drive – Network share collection is used to gather organizational data (‘Data from Network Shared Drive’).
- [T1025] Data from Removable Media – Data collection from removable media is part of the actor’s collection repertoire (‘Data from Removable Media’).
- [T1074.001] Data Staged: Local Data Staging – Staging data locally prior to exfiltration is used to prepare transfers (‘Data Staged: Local Data Staging’).
- [T1074.002] Data Staged: Remote Data Staging – Remote repositories or C2 servers are used to stage exfiltrated data (‘Data Staged: Remote Data Staging’).
- [T1114.002] Email Collection: Remote Email Collection – Remote email collection techniques are used to harvest communications and attachments (‘Email Collection: Remote Email Collection’).
- [T1113] Screen Capture – Screen capture is used to collect visible information or credentials from targets (‘Screen Capture’).
- [T1001.001] Data Obfuscation: Junk Data – Junk data obfuscation is used to hide exfiltration and C2 communications (‘Data Obfuscation: Junk Data’).
- [T1071.001] Application Layer Protocol: Web Protocols – Web protocols are used for C2 and data exfiltration (‘Application Layer Protocol: Web Protocols’).
- [T1071.003] Application Layer Protocol: Mail Protocols – Mail protocols are leveraged for command and control or data transfer (‘Application Layer Protocol: Mail Protocols’).
- [T1092] Communication Through Removable Media – Removable media is used as a C2/exfiltration channel in some scenarios (‘Communication Through Removable Media’).
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Encrypted channels (symmetric crypto) are used to protect C2 and exfiltration streams (‘Encrypted Channel: Symmetric Cryptography’).
- [T1105] Ingress Tool Transfer – Tools are transferred into target environments to support operations (‘Ingress Tool Transfer’).
- [T1090.001] Proxy: Internal Proxy – Internal proxies are used to relay C2 traffic within compromised networks (‘Proxy: Internal Proxy’).
- [T1090.002] Proxy: External Proxy – External proxies or VPNs are used to obscure C2 origins (‘Proxy: External Proxy’).
- [T1090.003] Proxy: Multi‑hop Proxy – Multi‑hop proxying is used to complicate attribution and detection of C2 (‘Proxy: Multi-hop Proxy’).
- [T1102.002] Web Service: Bidirectional Communication – Web services that support bidirectional comms facilitate resilient C2 (‘Web Service: Bidirectional Communication’).
- [T1030] Data Transfer Size Limits – Techniques to limit data transfer size and avoid detection are used during exfiltration (‘Data Transfer Size Limits’).
- [T1048.002] Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non‑C2 Protocol – Alternative encrypted channels are used to exfiltrate data without C2 detection (‘Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol’).
- [T1498] Network Denial of Service – Network denial techniques are listed as potential impact/denial capabilities in campaigns (‘Network Denial of Service’).
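Several techniques in the list above leave host-side traces that a detection engineer can test for directly. The following is an added example, not code from CYFIRMA or the profile, that maps constructed Windows Security-style events to three of the listed techniques: password spraying (T1110.003, many accounts failing from one source with few attempts each), Windows event log clearing (T1070.001, event IDs 1102 and 104) and rundll32 proxy execution (T1218.011, a DLL loaded from outside trusted directories). The event field names, thresholds, trusted-directory list and all sample events are assumptions chosen for illustration.

```python
"""
Added example (not from the CYFIRMA profile): map constructed Windows
Security-style events to T1110.003, T1070.001 and T1218.011.
Field names, thresholds and sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Tunable thresholds (assumptions, not values from the profile).
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5      # distinct accounts failing from one source
SPRAY_MAX_PER_ACCOUNT = 2   # low per-account count distinguishes spraying from brute force

# Directories from which rundll32 is expected to load its DLL (assumption).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_password_spray(events):
    """T1110.003: many distinct accounts, few failures each, one source, short window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:  # failed logon
            by_src[e["src"]].append((parse_ts(e["ts"]), e["user"]))
    findings = []
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding time window over ordered failures
            while fails[end][0] - fails[start][0] > SPRAY_WINDOW:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= SPRAY_MIN_ACCOUNTS and max(per_user.values()) <= SPRAY_MAX_PER_ACCOUNT:
                findings.append({"technique": "T1110.003", "src": src, "accounts": sorted(per_user)})
                break  # one finding per source is enough
    return findings


def detect_log_clear(events):
    """T1070.001: Security log cleared (1102) or System log cleared (104)."""
    return [{"technique": "T1070.001", "host": e["host"], "user": e.get("user")}
            for e in events if e["id"] in (1102, 104)]


def dll_from_cmdline(cmdline):
    """rundll32 <dll>,<export> [args]: the DLL is the first argument, possibly quoted."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2:
        return None
    arg = parts[1].strip()
    if arg.startswith('"'):
        return arg[1:].split('"', 1)[0]
    tokens = arg.split(",", 1)[0].split()
    return tokens[0] if tokens else None


def detect_rundll32_proxy(events):
    """T1218.011: rundll32 loading a DLL from outside the trusted directories."""
    findings = []
    for e in events:
        if e["id"] != 4688 or ntpath.basename(e["image"]).lower() != "rundll32.exe":
            continue
        dll = dll_from_cmdline(e["cmdline"])
        if dll and not dll.lower().startswith(TRUSTED_DLL_DIRS):
            findings.append({"technique": "T1218.011", "host": e["host"], "dll": dll})
    return findings


def run_all(events):
    return detect_password_spray(events) + detect_log_clear(events) + detect_rundll32_proxy(events)


# Constructed sample events (not from the report).
SAMPLE_EVENTS = [
    # five accounts, one failure each, same source, within a few minutes -> spray
    *[{"id": 4625, "ts": f"2024-01-10 09:0{i}:00", "host": "DC01", "src": "203.0.113.7", "user": u}
      for i, u in enumerate(["a.ivanov", "b.jones", "c.lee", "d.kim", "e.ruiz"])],
    # one account failing repeatedly from another source -> brute force, not spray
    *[{"id": 4625, "ts": f"2024-01-10 09:00:{s:02d}", "host": "DC01", "src": "198.51.100.9", "user": "admin"}
      for s in range(0, 50, 10)],
    {"id": 4688, "ts": "2024-01-10 10:00:00", "host": "WS17", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},   # benign
    {"id": 4688, "ts": "2024-01-10 10:01:00", "host": "WS17", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\jdoe\AppData\Roaming\update helper.dll",Start'},  # user-writable path
    {"id": 1102, "ts": "2024-01-10 10:05:00", "host": "WS17", "user": "jdoe"},  # Security log cleared
]

if __name__ == "__main__":
    for f in run_all(SAMPLE_EVENTS):
        print(f)
```

The spray rule keys on breadth across accounts rather than depth per account, which is why the five failures against a single account from the second source are left for a separate brute-force rule; the rundll32 rule treats the DLL path as the discriminator because the binary itself is legitimate and expected on every host.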
Indicators of Compromise
- [CVE] Recent exploited vulnerabilities used as indicators – CVE-2026-21509 (Microsoft Office exploit observed in recent campaigns), CVE-2023-38831 (WinRAR), and other CVEs (CVE-2021-4034, CVE-2016-5195, CVE-2020-0688, CVE-2015-2545).
- [Malware] Malware families and tool names observed in operations – Steelhook, Sofacy, and many others such as Zebrocy, Lojax, Oceanmap (and 28 more malware/tool names mentioned).
- [Tool] Common adversary tools and living‑off‑the‑land utilities – Mimikatz, Forfiles, and Living off the Land techniques used to harvest credentials and move laterally (and several additional tools like Computrace, DealersChoice).
Read more: https://www.cyfirma.com/research/apt-profile-fancy-bear-3/