APT28 · G0007 · state
🇷🇺 RU · GRU · Unit 26165
aka APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch, SIG40, Grizzly Steppe, G0007, ATK5, Fighting Ursa, ITG05, Blue Athena, TA422, T-APT-12, APT-C-20, UAC-0028, UAC-0001, BlueDelta
Last updated: 2026-07-03
About this actor
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |
T1001 T1001.001 T1003 T1003.001 T1003.003 T1005 T1014 T1021 T1021.002 T1025 T1027 T1027.013 T1030 T1036 T1036.005 T1037 T1037.001 T1039 T1040 T1048 T1048.002 T1056 T1056.001 T1057 T1059 T1059.001 T1059.003 T1068 T1070 T1070.004 T1070.006 T1071 T1071.001 T1071.003 T1074 T1074.001 T1074.002 T1078 T1078.004 T1083 T1090 T1090.002 T1090.003 T1091 T1092 T1098 T1098.002 T1102 T1102.002 T1105 T1110 T1110.001 T1110.003 T1113 T1114 T1114.002 T1119 T1120 T1133 T1134 T1134.001 T1137 T1137.002 T1140 T1189 T1190 T1199 T1203 T1204 T1204.001 T1204.002 T1210 T1211 T1213 T1213.002 T1218 T1218.011 T1221 T1498 T1505 T1505.003 T1528 T1542 T1542.003 T1546 T1546.015 T1547 T1547.001 T1550 T1550.001 T1550.002 T1557 T1557.004 T1559 T1559.002 T1560 T1560.001 T1564 T1564.001 T1564.003 T1566 T1566.001 T1567 T1573 T1573.001 T1583 T1583.001 T1583.003 T1583.006 T1584 T1584.008 T1586 T1586.002 T1588 T1588.002 T1588.007 T1589 T1589.001 T1591 T1595
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| CM-6 | 79 / 129 | 61% |
| SI-4 | 76 / 129 | 59% |
| CM-2 | 69 / 129 | 53% |
| CA-7 | 55 / 129 | 43% |
| SI-3 | 55 / 129 | 43% |
| AC-3 | 53 / 129 | 41% |
| AC-6 | 51 / 129 | 40% |
| AC-4 | 47 / 129 | 36% |
| CM-7 | 46 / 129 | 36% |
| SC-7 | 46 / 129 | 36% |
| AC-2 | 42 / 129 | 33% |
| SI-7 | 39 / 129 | 30% |
| IA-2 | 34 / 129 | 26% |
| AC-5 | 32 / 129 | 25% |
| CM-5 | 27 / 129 | 21% |
Co-occurring actors
- Mustang Panda 1 shared CVE
- SolarWinds Compromise 1 shared CVE
- APT38 1 shared CVE
- Tonto Team 1 shared CVE
- Ember Bear 1 shared CVE
- GOLD SOUTHFIELD 1 shared CVE
- Aquatic Panda 1 shared CVE
- Sandworm Team 1 shared CVE
- Ajax Security Team 1 shared CVE
- FIN7 1 shared CVE
Similar actors
Similar TTPs
- Magic Hound 0.36
- Kimsuky 0.32
- Lazarus Group 0.31
- Dragonfly 0.31
- APT29 0.31
Overlapping CVEs
- C0027 1.00
- APT12 1.00
- FIN7 1.00
- OilRig 1.00
- Tropic Trooper 1.00
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00
Same nation-state
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00