Group: APT29, The Dukes, ...

ID G0016
Aliases APT29, The Dukes, Cozy Bear, CozyDuke

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008.[1][2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015.[3]

Alias Descriptions

  • APT29 [1]
  • The Dukes [1]
  • Cozy Bear [3]
  • CozyDuke [3]

Techniques Used

  • Scripting - APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.[4][5]
  • Domain Fronting - APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[5]
  • Multi-hop Proxy - A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network.[5]
  • Spearphishing Link - APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[5]
  • User Execution - APT29 has used various forms of spearphishing in attempts to get a user to open links or attachments.[1]