The sub-techniques beta is now live! Read the release blog post for more info.
GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
No groups
K-L
M-N
O-P
Q-R
S-T
U-V
No groups
W-X
Y-Z
No groups
  1. Home
  2. Groups
  3. APT29

APT29

APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. [1] [2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015. [3]

ID: G0016
Associated Groups: YTTRIUM, The Dukes, Cozy Bear, CozyDuke
Version: 1.2
Created: 31 May 2017
Last Modified: 25 July 2019

Associated Group Descriptions

Name Description
YTTRIUM [10]
The Dukes [1]
Cozy Bear [3]
CozyDuke [3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1015 Accessibility Features

APT29 used sticky-keys to obtain unauthenticated, privileged console access.[4][6]
Enterprise T1088 Bypass User Account Control

APT29 has bypassed UAC.[4]
Enterprise T1043 Commonly Used Port

APT29 has used Port Number 443 for C2.[7]
Enterprise T1172 Domain Fronting

APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[4]
Enterprise T1203 Exploitation for Client Execution

APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of.[1]
Enterprise T1107 File Deletion

APT29 used SDelete to remove artifacts from victims.[4]
Enterprise T1070 Indicator Removal on Host

APT29 used SDelete to remove artifacts from victims.[4]
Enterprise T1188 Multi-hop Proxy

A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.[4]
Enterprise T1027 Obfuscated Files or Information

APT29 uses PowerShell to use Base64 for obfuscation.[7]
Enterprise T1097 Pass the Ticket

APT29 used Kerberos ticket attacks for lateral movement.[4]
Enterprise T1086 PowerShell

APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses.[5][4][7]
Enterprise T1060 Registry Run Keys / Startup Folder

APT29 added Registry Run keys to establish persistence.[4]
Enterprise T1085 Rundll32

APT29 has used rundll32.exe for execution.[7]
Enterprise T1053 Scheduled Task

APT29 used named and hijacked scheduled tasks to establish persistence.[4]
Enterprise T1064 Scripting

APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.[5][4]
Enterprise T1023 Shortcut Modification

APT29 drops a Windows shortcut file for execution.[7]
Enterprise T1045 Software Packing

APT29 used UPX to pack files.[4]
Enterprise T1193 Spearphishing Attachment

APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.[1][7]
Enterprise T1192 Spearphishing Link

APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[4]
Enterprise T1095 Standard Non-Application Layer Protocol

APT29 uses TCP for C2 communications.[7]
Enterprise T1204 User Execution

APT29 has used various forms of spearphishing attempting to get a user to open links or attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.[1][7]
Enterprise T1047 Windows Management Instrumentation

APT29 used WMI to steal credentials and execute backdoors at a future time.[4]
Enterprise T1084 Windows Management Instrumentation Event Subscription

APT29 has used WMI event filters to establish persistence.[4]

Software

ID Name References Techniques
S0054 CloudDuke [1] Remote File Copy, Standard Application Layer Protocol, Web Service
S0154 Cobalt Strike [7] Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Component Object Model and Distributed COM, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Parent PID Spoofing, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0050 CosmicDuke [1] Automated Exfiltration, Clipboard Data, Credential Dumping, Custom Cryptographic Protocol, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Exfiltration Over Alternative Protocol, Exploitation for Privilege Escalation, File and Directory Discovery, Input Capture, New Service, Scheduled Task, Screen Capture, Standard Application Layer Protocol
S0046 CozyCar [1] Command-Line Interface, Credential Dumping, Masquerading, New Service, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Virtualization/Sandbox Evasion, Web Service
S0049 GeminiDuke [1] Account Discovery, File and Directory Discovery, Process Discovery, Standard Application Layer Protocol, System Network Configuration Discovery, System Service Discovery
S0037 HAMMERTOSS [1] Custom Cryptographic Protocol, Data Obfuscation, Exfiltration Over Alternative Protocol, Hidden Window, PowerShell, Standard Application Layer Protocol, Web Service
S0175 meek [4] Domain Fronting
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0051 MiniDuke [1] Fallback Channels, Remote File Copy, Standard Application Layer Protocol, Web Service
S0052 OnionDuke [1] Credential Dumping, Standard Application Layer Protocol, Web Service
S0048 PinchDuke [1] Credential Dumping, Data from Local System, File and Directory Discovery, Standard Application Layer Protocol, System Information Discovery
S0150 POSHSPY [9] Data Transfer Size Limits, Domain Generation Algorithms, Obfuscated Files or Information, PowerShell, Remote File Copy, Standard Cryptographic Protocol, Timestomp, Windows Management Instrumentation Event Subscription
S0139 PowerDuke [8] Application Window Discovery, Command-Line Interface, Commonly Used Port, Data Destruction, File and Directory Discovery, File Deletion, NTFS File Attributes, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0029 PsExec [1] Service Execution, Windows Admin Shares
S0195 SDelete [4] Code Signing, Data Destruction, File Deletion
S0053 SeaDuke [1] Command-Line Interface, Data Compressed, Data Encoding, Email Collection, File Deletion, Pass the Ticket, PowerShell, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Shortcut Modification, Software Packing, Standard Application Layer Protocol, Standard Cryptographic Protocol, Valid Accounts, Windows Management Instrumentation Event Subscription
S0183 Tor [4] Multi-hop Proxy, Multilayer Encryption

References

  1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  2. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  3. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  4. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  5. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  1. Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.
  2. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  3. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  4. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  5. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.