APT29
APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008.[1][2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015.[3]
Associated Group Descriptions
Name | Description
---|---
YTTRIUM |
The Dukes |
Cozy Bear |
CozyDuke |
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
Enterprise | T1583.006 | Acquire Infrastructure: Web Services | APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS.[8]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification |
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses.[10][7][9]
Enterprise | T1059.006 | Command and Scripting Interpreter: Python |
Enterprise | T1001.002 | Data Obfuscation: Steganography | APT29 has used steganography to hide C2 communications in images.[5]
Enterprise | T1587.003 | Develop Capabilities: Digital Certificates | APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.[11][12]
Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features | APT29 used sticky keys to obtain unauthenticated, privileged console access.[7][13]
Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
Enterprise | T1190 | Exploit Public-Facing Application | APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.[6]
Enterprise | T1203 | Exploitation for Client Execution | APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of.[1]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion |
Enterprise | T1095 | Non-Application Layer Protocol |
Enterprise | T1027 | Obfuscated Files or Information |
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing |
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.[1][9][5]
Enterprise | T1566.002 | Phishing: Spearphishing Link | APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[7]
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network.[7]
Enterprise | T1090.004 | Proxy: Domain Fronting | APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[7]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT29 used named and hijacked scheduled tasks to establish persistence.[7]
Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 |
Enterprise | T1550.003 | Use Alternate Authentication Material: Pass the Ticket |
Enterprise | T1204.002 | User Execution: Malicious File | APT29 has used various forms of spearphishing attempting to get a user to open links or attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.[1][9][5]
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.[5][6]
Enterprise | T1102.002 | Web Service: Bidirectional Communication | APT29 has used social media platforms to hide communications to C2 servers.[5]
Enterprise | T1047 | Windows Management Instrumentation | APT29 used WMI to steal credentials and execute backdoors at a future time.[7]
Software
References
1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
2. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
3. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
4. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
5. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
6. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
7. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach, DerbyCon 2016. Retrieved October 4, 2016.
8. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
9. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
10. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
11. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
12. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
13. Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.
14. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
15. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
16. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
17. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
18. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.