Group: APT29, The Dukes, ...
Aliases: APT29, The Dukes, Cozy Bear, CozyDuke
APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008.[1][2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015.[3]
- PowerShell - APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.[4] APT29 also used PowerShell scripts to evade defenses.[5]
- Scripting - APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.[4][5]
- Windows Management Instrumentation Event Subscription - APT29 has used WMI event filters to establish persistence.[5]
- Indicator Removal on Host - APT29 used multiple versions of malware, and also minimized re-use of commonly-identified indicators like MD5s and C2s.[5]
- Windows Management Instrumentation - APT29 used WMI to steal credentials and execute backdoors at a future time.[5]
- Accessibility Features - APT29 used sticky-keys to obtain unauthenticated, privileged console access.[5][6]
- Domain Fronting - APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[5]
- Multi-hop Proxy - A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network.[5]
1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
2. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
3. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
4. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
5. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
6. Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.
7. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
8. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.