APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.   This group reportedly compromised the Democratic National Committee starting in the summer of 2015. 
Associated Groups: YTTRIUM, The Dukes, Cozy Bear, CozyDuke
Associated Group Descriptions
|Enterprise||T1015||Accessibility Features||APT29 used sticky-keys to obtain unauthenticated, privileged console access.|
|Enterprise||T1088||Bypass User Account Control||APT29 has bypassed UAC.|
|Enterprise||T1043||Commonly Used Port||APT29 has used Port Number 443 for C2.|
|Enterprise||T1172||Domain Fronting||APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.|
|Enterprise||T1203||Exploitation for Client Execution||APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of.|
|Enterprise||T1107||File Deletion||APT29 used SDelete to remove artifacts from victims.|
|Enterprise||T1070||Indicator Removal on Host||APT29 used SDelete to remove artifacts from victims.|
|Enterprise||T1188||Multi-hop Proxy||A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.|
|Enterprise||T1027||Obfuscated Files or Information||APT29 uses PowerShell to use Base64 for obfuscation.|
|Enterprise||T1097||Pass the Ticket||APT29 used Kerberos ticket attacks for lateral movement.|
|Enterprise||T1086||PowerShell||APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses.|
|Enterprise||T1060||Registry Run Keys / Startup Folder||APT29 added Registry Run keys to establish persistence.|
|Enterprise||T1085||Rundll32||APT29 has used rundll32.exe for execution.|
|Enterprise||T1053||Scheduled Task||APT29 used named and hijacked scheduled tasks to establish persistence.|
|Enterprise||T1064||Scripting||APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.|
|Enterprise||T1023||Shortcut Modification||APT29 drops a Windows shortcut file for execution.|
|Enterprise||T1045||Software Packing||APT29 used UPX to pack files.|
|Enterprise||T1193||Spearphishing Attachment||APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.|
|Enterprise||T1192||Spearphishing Link||APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.|
|Enterprise||T1095||Standard Non-Application Layer Protocol||APT29 uses TCP for C2 communications.|
|Enterprise||T1204||User Execution||APT29 has used various forms of spearphishing attempting to get a user to open links or attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.|
|Enterprise||T1047||Windows Management Instrumentation||APT29 used WMI to steal credentials and execute backdoors at a future time.|
|Enterprise||T1084||Windows Management Instrumentation Event Subscription||APT29 has used WMI event filters to establish persistence.|
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.
- Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.