IRON TWILIGHT
SUMMARY
Active since at least 2009, the IRON TWILIGHT threat group targets media, governments, military, and international non-governmental organizations (NGOs), many of which have a security focus. It appears to focus on political and military espionage, and it has used material stolen in its intrusions in 'active measures' operations and to retaliate against actions that the Russian government perceives as hostile. CTU researchers assess with high confidence that IRON TWILIGHT is operated by the GRU, Russia's military intelligence service.
IRON TWILIGHT was responsible for the April 2015 compromise of French television network TV5 Monde, which resulted in its broadcast being taken off the air. The group was responsible for the 2016 breaches of the Democratic National Committee (DNC) network and Hillary Clinton's campaign staff email accounts. In 2016, IRON TWILIGHT attacked the World Anti-Doping Agency (WADA) and publicly released medical files relating to international athletes under its alias 'Fancy Bears Hack Team'. The group was also responsible for the attempted cyber attacks on the Organization for the Prohibition of Chemical Weapons (OPCW).
IRON TWILIGHT has used spearphishing emails containing malicious attachments or links to a custom exploit kit to compromise systems. Victims are also redirected to the exploit kit via strategic web compromises. IRON TWILIGHT's toolset includes malware for Windows and Linux-based operating systems and iOS devices. The threat actors have used targeted phishing campaigns to steal credentials for webmail accounts.
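The webmail credential phishing described above relies on links whose hostnames imitate a legitimate login page. The following is an added detection example, not code from this profile or from CTU; it triages URLs found in inbound mail against a small, assumed list of trusted webmail hosts (TRUSTED_WEBMAIL and BRAND_TOKENS are the author's assumptions here, not values from the page) and flags edit-distance lookalikes, brand names inside untrusted hosts, trusted hosts used as a prefix of a longer domain, and the userinfo trick where a trusted host appears before the '@' in a URL. The sample messages are constructed.

```python
"""Added example (not CTU code): flag webmail-login lookalike URLs in mail bodies."""
import re
from urllib.parse import urlparse

# Assumption: the webmail login hosts this organisation considers legitimate.
TRUSTED_WEBMAIL = (
    "accounts.google.com",
    "mail.google.com",
    "login.live.com",
    "outlook.office.com",
)
# Assumption: brand tokens that have no business appearing in an untrusted hostname.
BRAND_TOKENS = ("google", "gmail", "outlook", "office365", "live")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; Unicode homoglyphs count as substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'unknown', or 'suspicious:<comma-separated reasons>'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in TRUSTED_WEBMAIL:
        return "trusted"
    reasons = []
    # A brand name inside a hostname we do not trust (e.g. google-login.example).
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append("brand-in-host")
    # Typosquat or homoglyph: within two edits of a trusted login host.
    for trusted in TRUSTED_WEBMAIL:
        if levenshtein(host, trusted) <= 2:
            reasons.append(f"lookalike:{trusted}")
            break
    # Trusted host embedded as a leading label of a longer attacker-controlled domain.
    for trusted in TRUSTED_WEBMAIL:
        if host.startswith(trusted + ".") or host.startswith(trusted + "-"):
            reasons.append(f"prefix:{trusted}")
            break
    # https://accounts.google.com@evil.example/ : the part before '@' is userinfo,
    # not the host, so the browser actually connects to evil.example.
    if parsed.username:
        reasons.append("userinfo-in-url")
    return "suspicious:" + ",".join(reasons) if reasons else "unknown"


def scan_message(body: str):
    """Extract every URL in a message body and classify it."""
    return [(url, classify_url(url)) for url in URL_RE.findall(body)]


# Constructed sample messages (not real IRON TWILIGHT lures).
SAMPLE_MESSAGES = [
    "Meeting notes are here: https://accounts.google.com/signin",
    "Unusual sign-in detected, verify now: http://accounts.goog1e.com/login",
    "Your mailbox is full: http://accounts.google.com-security-check.example/verify",
    "Password expires today: https://accounts.google.com@evil.example/verify",
    "Read the article at https://www.example.org/news",
]

if __name__ == "__main__":
    for body in SAMPLE_MESSAGES:
        for url, verdict in scan_message(body):
            print(f"{verdict:55} {url}")
```

The edit-distance check is deliberately tight (two edits) so that ordinary, unrelated domains do not trip it; widen it only with an allow-list in place. The userinfo check matters because a reader who glances at the start of the URL sees a trusted name while the connection goes elsewhere.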
RELATED THREAT ANALYSIS
IRON TWILIGHT Supports 'Active Measures'
Threat Group-4127 Targets Google Accounts