Forrest Blizzard Threat Actor Profile

Forrest Blizzard (also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, Strontium, Tsar Team, and Iron Twilight) is a Russian state-sponsored threat actor group that is attributed to the Russian Main Directorate/Main Intelligence Directorate of the General Staff of the Armed Forces (GRU) Unit 26165. The group has been operational since at least 2004 and conducts espionage operations against targeted entities for the purposes of intelligence gathering and hack and leak/Information Operations (IO).

Known high-profile campaigns conducted by Forrest Blizzard include, but are not limited to, an intrusion and defacement operation against French media outlet TV5Monde in 2015, the hack and leak campaigns against the Democratic National Committee (DNC) and the World Anti-Doping Agency (WADA) in 2016, and intrusions against German government institutions in 2015 and 2017.

On 13th July 2018, the US Department of Justice (DoJ) announced that a grand jury in the District of Columbia had indicted 12 GRU officials, nine of whom were directly identified as operating in support of Unit 26165, for their roles in the targeting of the DNC during the 2016 US presidential election. Forrest Blizzard conducts credential harvesting and spear phishing operations directly against targets of interest or, if those targets are well defended, will attempt to gain access to trusted partners as an initial access point from which they can launch further spear phishing attacks. The threat actor group has not only adopted a suite of custom tools, such as XAgent, XTunnel, Zebrocy, DealersChoice, DownDelph, CredoMap, Graphite, Drovorub, Seduploader, Komplex/Complex, Coreshell and SkinnyBoy, but they also often rely on open-source tools such as PowerShell Empire, Mimikatz and Responder.

In April 2023, Forrest Blizzard was detected to have actively exploited an older vulnerability in Cisco IOS routers to deploy a custom malware named ‘Jaguar Tooth’.