Group: APT29, The Dukes, Cozy Bear
|APT29, The Dukes, Cozy Bear|
|Aliases||APT29, The Dukes, Cozy Bear|
APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.12 This group reportedly compromised the Democratic National Committee starting in the summer of 2015.3
- PowerShell - APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.4 APT29 also used PowerShell scripts to evade defenses.5
- Scripting - APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.45
- Windows Management Instrumentation Event Subscription - APT29 has used WMI event filters to establish persistence.5
- Indicator Removal on Host - APT29 used multiple versions of malware, and also minimized re-use of commonly-identified indicators like MD5s and C2s.5
- Windows Management Instrumentation - APT29 used WMI to steal credentials and execute backdoors at a future time.5
- Accessibility Features - APT29 used sticky-keys to obtain unauthenticated, privileged console access.56
- Connection Proxy - A backdoor used by APT29 created a TOR hidden service to forward traffic from the TOR client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.5
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.