HHS Shares Information on Advanced Persistent Threat Groups Linked with the Russian Intelligence Services

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief providing information on the cyber organizations of the Russian Intelligence Services which pose a threat to organizations in the United States, including the healthcare and public health (HPH) sector.

The threat brief provides information on four key advanced persistent threat actors which conduct offensive cyber activities and espionage within the Russian Intelligence Services. These APT actors have been linked to the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU). The FSB is equivalent to the Federal Bureau of Investigation in the U.S and is mostly concerned with domestic intelligence and foreign intelligence from Russia’s near abroad. The SVR is equivalent to the U.S. Central Intelligence Agency (CIA) and collects foreign intelligence from military, strategic, economic, scientific, and technological targets. The GRU is the equivalent of the Defense Intelligence Agency (DIA) and collects foreign intelligence related to military issues through espionage and is also responsible for conducting destructive cyberattacks.


Turla, aka Venomous Bear/Iron Hunter/KRYPTON/Waterbug, operates under the direction of the FSB and mostly targets industries such as academic, energy, government, military, telecommunications, research, pharmaceutical companies, and foreign embassies, and has been active since at least 2004. The group is known to use malware and sophisticated backdoors and is mostly focused on diplomatic espionage activities in former Eastern Bloc countries, although was responsible for the attack on U.S. Central Command in 2008, G20 attendees in 2017, and the government computer network in Germany in 2018.


APT29, aka Cozy Bear, YTTRIUM, Iron Hemlock, and The Dukes, operates under the direction of the SVR and mostly targets the academic, energy, financial, government, healthcare, media, pharmaceutical, and technology industries and think tanks. The APT actor has been active since at least 2008 and uses a range of malware variants and backdoors. The APR actor mostly targets European and NATO countries and is known to conduct spear phishing campaigns to gain stealthy, long-term access to targets networks, and is especially persistent and focused on specific targets. The APT actor steals information but does not leak that information. APT29 is known to be behind the attack on the Pentagon in 2015, the SolarWinds Orion attack in 2020, and targeted COVID-19 vaccine developers during the pandemic.


APT28, aka Fancy Bear, STRONTIUM, Sofacy, Iron Twilight, operates under the direction of the GRU and has been active since 2004. APT28 targets the aerospace, defense, energy, government, healthcare, military, and media industries and dissidents. The group uses a variety of malware, a downloader for next-stage infections, and collects system information and metadata to distinguish real environments from sandboxes.

APT28 primarily targets NATO countries and is known to use password spraying, unique malware, phishing and credential harvesting, and tends to conduct noisy rather than stealthy attacks. The group steals and leaks information to further Russia’s political interests. The group was behind the attack on the World Anti-Doping Agency in 2016, the cyberattack and leaking of data from the U.S. Democratic National Committee and the Clinton Campaign in 2016, and the German and French Elections in 2016 and 2017.


Sandworm, aka Voodoo Bear, ELECTRUM, IRIDIUM, Telebots, and Iron Viking, operates under the direction of the GRU and has been active since at least 2007. Sandworm mainly targets the energy and government sectors and is the most destructive of all ‘Bear’ threat groups. SAndworm targets ICS and computer systems for destructive purposes, such as conducting wiper malware attacks, especially in Ukraine. The group appears unconcerned with 2nd and 3rd order effects of attacks, such as those of NotPetya, and uses malware such as BadRabbit, BlackEnergy, GCat, GreyEnergy, KillDisk, NotPetya, and Industroyer.

Sandworm was behind the multiple attacks on the Ukrainian government and critical infrastructure in 2015-2016 and 2022, attacks on Georgian websites before the Russian Invasion in 2008, and the NotPetya attacks in 2017.


The tactics, techniques, procedures, and malware used by each of these groups are diverse, but some mitigations can be implemented to improve resilience and block the main attack vectors. These are detailed in the HC3 report and include updating software, patching promptly, enforcing MFA, segmenting networks, and reviewing CVEs for all public-facing systems.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.