Group: APT29, The Dukes, Cozy Bear

From ATT&CK
Jump to: navigation, search
APT29, The Dukes, Cozy Bear
Group
ID G0016
Aliases APT29, The Dukes, Cozy Bear

APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.12 This group reportedly compromised the Democratic National Committee starting in the summer of 2015.3

Techniques Used

  • PowerShell - APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.4 APT29 also used PowerShell scripts to evade defenses.5
  • Scripting - APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.45
  • Scheduled Task - APT29 used named and hijacked scheduled tasks to establish persistence.5
  • Indicator Removal on Host - APT29 used multiple versions of malware, and also minimized re-use of commonly-identified indicators like MD5s and C2s.5
  • Pass the Hash - APT29 used Kerberos ticket attacks for lateral movement.5
  • Connection Proxy - A backdoor used by APT29 created a TOR hidden service to forward traffic from the TOR client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.5

Software