Iron Twilight is the designation assigned by Secureworks' Counter Threat Unit (CTU) to a cyber-espionage group that other vendors and governments track under names including APT28, Fancy Bear, Sofacy, Sednit, STRONTIUM, Pawn Storm, and Forest Blizzard (Microsoft's current label). Western governments, including the United States and United Kingdom, have publicly attributed the group's activity to Unit 26165 of Russia's military intelligence service, the GRU.
The group has been active since at least the mid-2000s and focuses on intelligence collection aligned with Russian state interests. Typical targets include defense ministries, foreign affairs bodies, NATO-affiliated organizations, political parties, journalists, anti-doping agencies, and election infrastructure across North America, Europe, and the post-Soviet space.
Tradecraft commonly associated with Iron Twilight includes:
- Spearphishing with credential-harvesting pages mimicking webmail providers
- Password spraying and brute-force attacks against cloud and on-premises mail systems
- Custom malware families such as X-Agent, Sofacy/SOURFACE, Zebrocy, and the X-Tunnel network proxy
- Exploitation of router and edge-device vulnerabilities to enable long-term access
Notable incidents publicly linked to the group include the 2016 intrusion into the U.S. Democratic National Committee, the breach of the World Anti-Doping Agency, and operations against the German Bundestag. In 2018 the U.S. Department of Justice indicted seven GRU officers in connection with related activity, and in 2020 the EU imposed sanctions on individuals tied to the Bundestag hack.
For Model UN and policy research, the Iron Twilight label is most useful when reading Secureworks reporting; analysts should map it to the equivalent vendor names when cross-referencing CrowdStrike, Mandiant, Microsoft, or government advisories, since naming conventions differ even when the underlying actor is the same.
Example
In its 2017 threat reporting, Secureworks attributed credential-phishing operations targeting Hillary Clinton's presidential campaign staff to Iron Twilight.
Frequently asked questions
Each cybersecurity vendor maintains its own internal naming scheme, so the same actor is called APT28 by Mandiant, Fancy Bear by CrowdStrike, Forest Blizzard by Microsoft, and Iron Twilight by Secureworks.
Keep learning