Forest Blizzard (also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, Strontium, Tsar Team, and Iron Twilight) is a Russian state-sponsored threat actor group attributed to Unit 26165 of the Russian Main Directorate/Main Intelligence Directorate of the General Staff of the Armed Forces (GRU). The group has been operational since at least 2004 and conducts espionage operations against targeted entities for intelligence gathering and for hack-and-leak/Information Operations (IO).
Known high-profile campaigns conducted by Forest Blizzard include, but are not limited to, an intrusion and defacement operation against French media outlet TV5Monde in 2015, the hack-and-leak campaigns against the Democratic National Committee (DNC) and the World Anti-Doping Agency (WADA) in 2016, and intrusions against German government institutions in 2015 and 2017.
On 13 July 2018, the US Department of Justice (DoJ) announced that a grand jury in the District of Columbia had indicted 12 GRU officials, nine of whom were directly identified as operating in support of Unit 26165, for their roles in the targeting of the DNC during the 2016 US presidential election.
Forest Blizzard conducts credential harvesting and spear phishing operations directly against targets of interest or, where those targets are well defended, attempts to gain access to trusted partners as an initial access point from which it can launch further spear phishing attacks.
The group has not only adopted a suite of custom tools, such as XAgent, XTunnel, Zebrocy, DealersChoice, DownDelph, CredoMap, Graphite, Drovorub, Seduploader, Komplex/Complex, Coreshell and SkinnyBoy, but also often relies on open-source tools such as PowerShell Empire, Mimikatz and Responder.
In April 2023, Forest Blizzard was detected actively exploiting an older vulnerability in Cisco IOS routers to deploy a custom malware named ‘Jaguar Tooth’.
Forest Blizzard frequently targets entities in the North Atlantic Treaty Organisation (NATO) and NATO-partner organisations and institutions, likely because of the military alliance’s interests and activities at Russia’s western border. The group supports Russian military intelligence goals more broadly and has also targeted organisations in the aerospace and defence, government, hospitality, international sports bodies, and media sectors.
Threat Actor Motivations
The motives of Forest Blizzard can be inferred from the strategies it applies within its campaigns. The group is known for its interest in secret geopolitical data that would be advantageous to the Russian state. It does not exfiltrate financial information or sell the information it gathers from its targets; instead, it employs tactics that allow it to monitor its victims while itself remaining stealthy. This is effective because, by following the victim’s course of action, the group gains valuable insight into the target’s habits, routines, and secrets. Such monitoring is the preeminent espionage method Forest Blizzard uses to gather strategic state information that could be used to influence political decisions, public opinion, or geographical issues.
Threat Actor Activity Timeline
June/September 2014: Forest Blizzard employed ‘Sedkit’ in conjunction with strategic web compromises to deliver Sofacy malware via Polish government websites and the websites of Polish energy company Power Exchange.
October 2014 to September 2015: FireEye iSight Intelligence identified changes to Domain Name System (DNS) records suggesting that Forest Blizzard intercepted email traffic from the Kyrgyzstan Ministry of Foreign Affairs.
February 2015: Forest Blizzard was responsible for an intrusion and defacement operation against French media outlet TV5Monde.
June 2015: Germany’s Federal Office for Security in Information Technology (BSI) announced that Forest Blizzard was likely responsible for the spear phishing emails sent to members of several German political parties. The head of Germany’s domestic intelligence agency, the Bundesamt für Verfassungsschutz (BfV), also attributed the June 2015 compromise of the Bundestag’s networks to Forest Blizzard.
July 2015: Forest Blizzard used two domains (nato-news.com and bbc-news.org) to host an Adobe Flash zero-day exploit targeting NATO, the Afghan Ministry of Foreign Affairs, and the Pakistani military.
September 2016: Forest Blizzard launched hack-and-leak campaigns against the DNC and WADA.
2017: Forest Blizzard was responsible for intrusions against German government institutions.
2018: Forest Blizzard targeted the US and Romanian Foreign Ministries with a phishing campaign.
2019: Forest Blizzard targeted defence organisations in the Middle East, identifying vulnerable systems through brute force attacks that used target user account information already leaked to the internet.
2020: Forest Blizzard distributed Zebrocy malware in a campaign against NATO.
2021: Forest Blizzard Exploited MSHTML Vulnerability in Espionage Against Government and Defense Targets in Western
April 2023: Forest Blizzard was detected actively exploiting an older vulnerability in Cisco IOS routers to deploy a custom malware named Jaguar Tooth.
April 2023: Ukrainian hacktivist group Kiber Sprotyv (Cyber Resistance) breached the personal accounts of Sergey Alexandrovich Morgachev, believed by the FBI to have been a Lieutenant Colonel serving in the Russian Main Intelligence Directorate (GRU).
May 2023: Forest Blizzard flooded Ukrainian government agencies with email messages about illegitimate Windows updates, intending to deploy malware that exfiltrates system data.
Jaguar Tooth: Forest Blizzard exploited an SNMP vulnerability in Cisco IOS routers to deploy a custom malware named ‘Jaguar Tooth’. The Jaguar Tooth malware is injected directly into the memory of vulnerable Cisco routers running older firmware versions. Following installation, the malware exfiltrates data from the router and provides unauthenticated backdoor access to the target system. It has been observed being deployed and executed via exploitation of the patched SNMP vulnerability tracked as CVE-2017-6742 (CVSSv3 Score: 8.8). To install the malware, the threat actors scan for internet-exposed Cisco routers using weak SNMP community strings. This allows the threat actor to access existing local accounts.
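The Jaguar Tooth activity described above depends on SNMPv1/v2c being reachable on the router with weak community strings. The following Python script is an added example and is not part of the original report or any vendor tooling: it audits a Cisco IOS running-config for the conditions a defender would want to rule out before such a router is exposed (default or short community strings, read-write communities, and communities that are not restricted by an access list). The running-config fragment and the list of weak community strings are constructed for illustration, and the regular expressions cover the common "snmp-server community name [view v] [RO|RW] [acl]" syntax; they are an assumption about the config format, not a complete IOS parser.

```python
import re

# Community strings commonly found in default or lab configurations.
# This list is an assumption for the example; extend it from your own wordlists.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp", "community", "secret"}
MIN_COMMUNITY_LENGTH = 12  # policy threshold assumed for this example

# Constructed running-config fragment; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9$vQ2!rT7m#Lp RO 10
snmp-server community monitoring RW 20
snmp-server group NETOPS v3 priv
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 20 permit any
!
"""

# snmp-server community <name> [view <view>] [RO|RW] [acl]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
ACL_RE = re.compile(r"^access-list (?P<id>\S+) permit (?P<src>.+)$")


def parse_acls(config):
    """Map standard ACL id -> list of permitted sources, as written in the config."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group("id"), []).append(m.group("src").strip())
    return acls


def audit_snmp(config, weak=WEAK_COMMUNITIES):
    """Return one finding per SNMPv1/v2c community, each with a list of issues."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        mode = (m.group("mode") or "RO").upper()  # IOS defaults to read-only
        acl = m.group("acl")
        issues = []
        if name.lower() in weak:
            issues.append("default/weak community string")
        elif len(name) < MIN_COMMUNITY_LENGTH:
            issues.append("short community string")
        if mode == "RW":
            issues.append("read-write access")
        if acl is None:
            issues.append("no ACL restricting source addresses")
        elif acl not in acls:
            issues.append(f"ACL {acl} not defined")
        elif any(src.lower() == "any" for src in acls[acl]):
            issues.append(f"ACL {acl} permits any source")
        findings.append({"community": name, "mode": mode, "acl": acl, "issues": issues})
    return findings


def exposed_communities(findings):
    """Names of communities with at least one issue, in config order."""
    return [f["community"] for f in findings if f["issues"]]


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        status = "OK  " if not f["issues"] else "WARN"
        print(f"{status} {f['community']:<20} {f['mode']} acl={f['acl']}  {'; '.join(f['issues'])}")
```

Running the script against the sample flags the public, private and monitoring communities and passes only the long read-only community bound to a restrictive ACL. The audit is a config-level check rather than a network scan; on the page's own point, the durable fix is to remove SNMPv1/v2c communities altogether in favour of SNMPv3 with authentication and privacy, as the NETOPS group line in the sample illustrates, and to patch the IOS version affected by CVE-2017-6742.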
Graphite: This malware variant uses Microsoft OneDrive for its command and control (C2) resources. This type of communication allows the malware to avoid detection for longer because it only connects to legitimate Microsoft domains.
XAgent: Forest Blizzard uses the XAgent payload to target victims running Mac OS X to steal passwords, obtain screenshots and steal iPhone back-ups stored on macOS devices. This modular backdoor with advanced cyber-espionage capabilities is most likely planted on the system via the Komplex downloader.
XTunnel: This is a virtual private network (VPN) proxy tool that can relay traffic between a C2 server and a target. It was first observed in May 2013 and was reportedly used by Forest Blizzard during the compromise of the DNC.
Indicators of Compromise
Forest Blizzard Associated IP Addresses:
Forest Blizzard Associated File Hashes (MD5):
Forest Blizzard Associated File Hashes (SHA256):
Forest Blizzard Associated Domains:
CVE-2020-0688 (CVSSv3 Score: 8.8 – High Severity): A remote code execution vulnerability in Microsoft Exchange software when the software fails to properly handle objects in memory, aka ‘Microsoft Exchange Memory Corruption Vulnerability’.
CVE-2022-30190 (CVSSv3 Score: 7.8 – High Severity) (Follina): Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.
CVE-2023-23397 (CVSSv3 Score: 9.8 – Critical Severity): Microsoft Outlook Elevation of Privilege Vulnerability.
CVE-2020-17144 (CVSSv3 Score: 8.4 – High Severity): Microsoft Exchange Remote Code Execution Vulnerability.
CVE-2017-6742 (CVSSv3 Score: 8.8 – High Severity): Successful exploitation of the flaw would allow a threat actor to bypass the sandbox protections to gain remote code execution capabilities on the host running the sandbox.