Introduction
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR) [2][3]. They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015 [4][5][6][7]. In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes [8][9]. Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm [10][11][12][13][14][15].
Activities and Tactics
Targeted Sectors: Government, Healthcare, Energy, Think Tanks, Administration, Private sector
Country of Origin: Russia
Risk Level: High
First Seen: 2008
Last Activity: 2024
Incident Type: Espionage
Suspected Victims: United States, China, New Zealand, Ukraine, Romania, Georgia, Japan, South Korea, Belgium, Kazakhstan…
Notable Campaigns
- Microsoft (January 2024; CozyBear (RU APT))
- Microsoft (February 2021; CozyBear (RU APT))
- FireEye (December 2020; CozyBear (RU APT))
- SolarWinds (December 2020; CozyBear (RU APT))
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 5 public reports that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- CosmicDuke
- PinchDuke
- CloudDuke
- HAMMERTOSS
- GeminiDuke
- MiniDuke
- SeaDuke
- RTM
- OnionDuke
- CyberGate
- CozyDuke
- SeaDaddy implant developed in Python and compiled with py2exe
- AdobeARM
- ATI-Agent
- MiniDionis
- Grizzly Steppe
- Vernaldrop
- Tadpole
- Spikerush
- POSHSPY
- PolyglotDuke
- RegDuke
- FatDuke
Russian APT Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | CookieEditor, Mimikatz, SharpChromium |
| Defense Evasion | EDRSandBlast, VMware Tools (DLL side-loading) |
| Discovery | AADInternals, AdFind, Bloodhound, DSInternals, RoadTools |
| Exfiltration | Dropbox, Firebase, Google Drive, Notion, OneDrive, Trello |
| LOLBAS | PowerPoint.exe (DLL side-loading), PsExec, WMIC, sqlwriter.exe (DLL side-loading) |
| Networking | Dropbear, ReGeorg, Rsockstun |
| OffSec | Brute Ratel C4, Cobalt Strike, Impacket, PowerSploit, Rubeus, Sliver, WinPEAS |
Attribution and Evidence
Country of Origin: Russia
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK entry
[2] White House, Imposing Costs RU Gov, April 2021
[3] UK Gov, Malign RIS Activity, April 2021
[4] F-Secure, The Dukes
[5] GRIZZLY STEPPE JAR
[6] CrowdStrike, DNC, June 2016
[7] UK Gov, UK Exposes Russia SolarWinds, April 2021
[8] NSA Joint Advisory, SVR SolarWinds, April 2021
[9] UK NCSC, Russia SolarWinds, April 2021
[10] FireEye, SUNBURST Backdoor, December 2020
[11] MSTIC, NOBELIUM, March 2021
[12] CrowdStrike, SUNSPOT Implant, January 2021
[13] Volexity, SolarWinds
[14] Cybersecurity Advisory, SVR TTP, May 2021
[15] Unit 42, SolarStorm, December 2020