Group: APT29, The Dukes, ...

From enterprise
Jump to: navigation, search
APT29, The Dukes, ...
Group
ID G0016
Aliases APT29, The Dukes, Cozy Bear, CozyDuke

APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.12 This group reportedly compromised the Democratic National Committee starting in the summer of 2015.3

Alias Descriptions

  • APT29 - 1
  • The Dukes - 1
  • Cozy Bear - 3
  • CozyDuke - 3

Techniques Used

  • PowerShell - APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.4 APT29 also used PowerShell scripts to evade defenses.5
  • Scripting - APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.45
  • Scheduled Task - APT29 used named and hijacked scheduled tasks to establish persistence.5
  • Indicator Removal on Host - APT29 used multiple versions of malware, and also minimized re-use of commonly-identified indicators like MD5s and C2s.5
  • Pass the Hash - APT29 used Kerberos ticket attacks for lateral movement.5
  • Domain Fronting - APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.5
  • Multi-hop Proxy - A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.5
  • Spearphishing Attachment - APT29 has used spearphishing with an attachment to deliver files with exploits to initial victims. 1
  • Spearphishing Link - APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files. 5
  • User Execution - APT29 has used various forms spearphishing attempting to get a user to open links or attachments. 1

Software