APT29

APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. ^[1] ^[2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015. ^[3]

ID: G0016

Aliases: APT29, The Dukes, Cozy Bear, CozyDuke

Version: 1.0

Alias Descriptions

Name	Description
APT29	^[1]
The Dukes	^[1]
Cozy Bear	^[3]
CozyDuke	^[3]

Techniques Used

Domain	ID	Name	Use
Enterprise	T1015	Accessibility Features	APT29 used sticky-keys to obtain unauthenticated, privileged console access.^[4]^[5]
Enterprise	T1088	Bypass User Account Control	APT29 has bypassed UAC.^[4]
Enterprise	T1172	Domain Fronting	APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.^[4]
Enterprise	T1203	Exploitation for Client Execution	APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of.^[1]
Enterprise	T1070	Indicator Removal on Host	APT29 used SDelete to remove artifacts from victims.^[4]
Enterprise	T1188	Multi-hop Proxy	A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.^[4]
Enterprise	T1075	Pass the Hash	APT29 used Kerberos ticket attacks for lateral movement.^[4]
Enterprise	T1086	PowerShell	APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses.^[6]^[4]
Enterprise	T1060	Registry Run Keys / Startup Folder	APT29 added Registry Run keys to establish persistence.^[4]
Enterprise	T1053	Scheduled Task	APT29 used named and hijacked scheduled tasks to establish persistence.^[4]
Enterprise	T1064	Scripting	APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.^[6]^[4]
Enterprise	T1045	Software Packing	APT29 used UPX to pack files.^[4]
Enterprise	T1193	Spearphishing Attachment	APT29 has used spearphishing with an attachment to deliver files with exploits to initial victims.^[1]
Enterprise	T1192	Spearphishing Link	APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.^[4]
Enterprise	T1204	User Execution	APT29 has used various forms of spearphishing attempting to get a user to open links or attachments.^[1]
Enterprise	T1047	Windows Management Instrumentation	APT29 used WMI to steal credentials and execute backdoors at a future time.^[4]
Enterprise	T1084	Windows Management Instrumentation Event Subscription	APT29 has used WMI event filters to establish persistence.^[4]

Software

ID	Name	Techniques
S0054	CloudDuke	Remote File Copy, Standard Application Layer Protocol, Web Service
S0050	CosmicDuke	Automated Exfiltration, Clipboard Data, Credential Dumping, Custom Cryptographic Protocol, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Exfiltration Over Alternative Protocol, Exploitation for Privilege Escalation, File and Directory Discovery, Input Capture, New Service, Scheduled Task, Screen Capture, Standard Application Layer Protocol
S0046	CozyCar	Command-Line Interface, Credential Dumping, Masquerading, New Service, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Web Service
S0049	GeminiDuke	Account Discovery, File and Directory Discovery, Process Discovery, Standard Application Layer Protocol, System Network Configuration Discovery, System Service Discovery
S0037	HAMMERTOSS	Custom Cryptographic Protocol, Data Obfuscation, Exfiltration Over Alternative Protocol, PowerShell, Standard Application Layer Protocol, Web Service
S0175	meek	Domain Fronting
S0002	Mimikatz	Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0051	MiniDuke	Fallback Channels, Remote File Copy, Standard Application Layer Protocol, Web Service
S0052	OnionDuke	Credential Dumping, Standard Application Layer Protocol, Web Service
S0048	PinchDuke	Credential Dumping, Data from Local System, File and Directory Discovery, Standard Application Layer Protocol, System Information Discovery
S0150	POSHSPY	Data Transfer Size Limits, Obfuscated Files or Information, PowerShell, Remote File Copy, Standard Cryptographic Protocol, Timestomp, Windows Management Instrumentation Event Subscription
S0139	PowerDuke	Application Window Discovery, Command-Line Interface, Commonly Used Port, File and Directory Discovery, File Deletion, NTFS File Attributes, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0029	PsExec	Service Execution, Windows Admin Shares
S0195	SDelete	Code Signing, File Deletion
S0053	SeaDuke	Command-Line Interface, Data Compressed, Data Encoding, Email Collection, File Deletion, Pass the Ticket, PowerShell, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Shortcut Modification, Software Packing, Standard Application Layer Protocol, Standard Cryptographic Protocol, Valid Accounts, Windows Management Instrumentation Event Subscription
S0183	Tor	Multi-hop Proxy, Multilayer Encryption

References

F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.