# APT29 Intelligence Summary

In 

# ATT&CK Group ID: G0016

# Associated Groups: YTTRIUM, The Dukes, Cozy Bear, CozyDuke

Objectives: APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives align with the interests of the Russian Federation.1,14 The group is reported to have been operating as early as 2008 and may have logged operational successes as recently as 2020. APT29's objective over time and across a diverse target set appears to have been the exfiltration of information that could be used to inform strategic decision making.1

Target Industries: APT29 operations have been directed against government agencies, embassies, political parties, defense contractors, non-governmental organizations, law enforcement, media, pharmaceutical companies, and think tanks. Geographically, APT29 has aggressed targets in the United States, Germany, Uzbekistan, South Korea, Turkey, Uganda, Poland, Chechnya, Georgia, Kazakhstan, Kyrgyzstan, Azerbaijan, Uzbekistan, Czech Republic, Belgium, Portugal, Romania, Ireland, and Hungary.1,8,11,12,15,16

Operations: In terms of operational tradecraft, APT29 is distinguished by their commitment to stealth and use of sophisticated techniques. APT29 is reported to have exploited zero-day vulnerabilities and has pursued actions on the objective using suites of custom malware, coupled with alternate execution methods such as PowerShell and WMI. APT29 has also been known to employ various operational cadences (smash-and-grab vs. slow-and-deliberate) depending on the target's perceived intelligence value.1

APT29 is reported to have attained initial access by exploiting public-facing applications (T1190), phishing (T1566.001,T1566.002), and supply chain compromise (T1195). The group is reported to have implemented at least two operational cadences, smash-and-grab and slow-and-deliberate. Different suites of tools and TTPs were employed for each one of these cadences. If a target was determined to be of value, the attackers are reported to have modified TTPs, and deployed a stealthier toolset with the intent or establishing long-term persistent access.1

The objective of smash-and-grab operations appears to have been rapid collection and exfiltration.1 As such, soon after achieving an initial foothold, APT29 actors are reported to have performed host-based situational awareness checks, and immediately sought to collect and exfiltrate data. If the host was determined to be of value, a stealth toolkit was deployed and persisted. The attackers are reported to have moved through the network, exfiltrating data and persisting on hosts deemed to be valuable.1

In their smaller more targeted campaigns, APT29 has utilized a different toolset incrementally modified to attempt to evade published intelligence about their operations.1

# APT29 ATT&CK Navigator

# The following behaviors are in scope for an emulation of actions attributed to APT29 as referenced by MITRE ATT&CK

/Attack_Layers/APT29_Scenario1.png
/Attack_Layers/APT29_Scenario1.png

# Scenario 1

# The following behaviors are in scope for an emulation of actions attributed to APT29, as implemented in Scenario 1, in the referenced reporting

/Attack_Layers/APT29_Scenario1.png
/Attack_Layers/APT29_Scenario1.png

# Scenario 2

# The following behaviors are in scope for an emulation of actions attributed to APT29, as implemented in Scenario 2, in the referenced reporting

/Attack_Layers/APT29_Scenario2.png
/Attack_Layers/APT29_Scenario2.png

# CosmicDuke

# The following behaviors are in scope for an emulation of actions performed by APT29 using CosmicDuke, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/CosmicDuke_S0050.png
/Attack_Layers/CosmicDuke_S0050.png

# MiniDuke

# The following behaviors are in scope for an emulation of actions performed by APT29 using MiniDuke, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/MiniDuke_S0051.png
/Attack_Layers/MiniDuke_S0051.png

# SeaDuke

# The following behaviors are in scope for an emulation of actions performed by APT29 using SeaDuke, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/SeaDuke_S0053.png
/Attack_Layers/SeaDuke_S0053.png

# CozyCar

# The following behaviors are in scope for an emulation of actions performed by APT29 using CozyCar, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/CozyCar_S0046.png
/Attack_Layers/CozyCar_S0046.png

# HammerToss

# The following behaviors are in scope for an emulation of actions performed by APT29 using HammerToss, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/HAMMERTOSS_S0037.png
/Attack_Layers/HAMMERTOSS_S0037.png

# PowerDuke

# The following behaviors are in scope for an emulation of actions performed by APT29 using PowerDuke, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/HAMMERTOSS_S0037.png
/Attack_Layers/HAMMERTOSS_S0037.png

# POSHSPY

# The following behaviors are in scope for an emulation of actions performed by APT29 using POSHSPY, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/HAMMERTOSS_S0037.png
/Attack_Layers/HAMMERTOSS_S0037.png

# CloudDuke

# The following behaviors are in scope for an emulation of actions performed by APT29 using CloudDuke, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/HAMMERTOSS_S0037.png
/Attack_Layers/HAMMERTOSS_S0037.png

# Software

Name Associated Names Software Type Availability Emulation Notes
CloudDuke (S0054) MiniDionis, CloudLook Downloader, Loader, Backdoor APT29 has used CloudDuke as a backdoor to execute remote commands.1
Cobalt Strike (S0154) Threat Emulation Software Commercial A Cobalt Strike beacon was used in a suspected APT29 phishing campaign.8
CosmicDuke (S0050) TinyBaron, BotgenStudios, NemesisGemina Information Stealer APT29 has used CosmicDuke to perform information gathering and data exfiltration.1
CozyCar (S0046) CozyDuke, CozyBear, Cozer, EuroAPT Modular Malware Platform APT29 has used spear-phishing to infect victims with CozyCar and has used it to gather initial information on victims to determine which ones to continue pursuing further with a different tool.1
GeminiDuke (S0049) Information Stealer APT29 has used GeminiDuke to collect victim computer configuration information.1
HAMMERTOSS (S0037) HammerDuke, NetDuke Backdoor APT29 has used HammerDuke to leave persistent backdoors on compromised networks. C2 communication has occurred over HTTP(S) as well as through Twitter.1
meek (S0175) Tor Plugin Openly Available APT29 has used the Meek plugin for Tor to hide traffic.5
Mimikatz (S0002) Windows Credential Dumper Openly Available APT29 has used CozyDuke to download Mimikatz, along with script files to execute Mimikatz.1
MiniDuke (S0051) Backdoor, Downloader APT29 has used MiniDuke as a backdoor to remotely execute commands on compromised systems.1
OnionDuke (S0052) Malware Toolset APT29 has used OnionDuke to steal credentials, gather information, and perform denial of service attacks.1
PinchDuke (S0048) Information Stealear APT29 has used PinchDuke to steal information such as system configuration information, user credentials, and user files.1
POSHSPY (S0150) Backdoor APT29 has used POSHSPY as a secondary backdoor that uses PowerShell and Windows Management Instrumentation.
PowerDuke (S0139) Backdoor APT29 has delivered PowerDuke through malicious document macros.
PsExec (S0029) Remote Execution Openly Available APT29 has used CozyDuke to download PsExec, along with script files to execute PsExec.1
SDelete (S0195) Secure Delete Application Openly Available APT29 has used SDelete to attempt to cover their tracks.5
SeaDuke (S0053) SeaDaddy, SeaDesk Backdoor APT29 appears to have used SeaDuke as a secondary backdoor and to target both Windows and Linux systems.1
Tor (S0183) Proxy Tool Openly Available APT29 has used TOR to hide their remote access.5

# References

This Intelligence Summary summarizes 16 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:

  • Kaspersky
  • Microsoft
  • SentinelOne
ID Source Publisher Date
1 The Dukes: 7 Years of Russian Cyberespionage F-Secure September 2017
2 COSMICDUKE: Cosmu with a twist of MiniDuke F-Secure July 2014
3 The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor Kaspersky February 2013
4 Unit 42 Technical Analysis: Seaduke Palo Alto July 2015
5 DerbyCon: No Easy Breach FireEye September 2016
6 HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group FireEye July 2015
7 State of the Hack S2E01: #NoEasyBreach REVISITED FireEye January 2019
8 Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign FireEye November 2018
9 VirusTotal Submission 2f39dee2ee608e39917cc022d9aae399959e967a2dd70d83b81785a98bd9ed36 VirusTotal January 2015
10 Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY) FireEye April 2017
11 PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs Volexity November 2016
12 Crowdstrike's work with the Democratic National Committee: Setting the record straight CrowdStrike June 2016
13 "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory Symantec July 2015
14 GRIZZLY STEPPE - Russian Malicious Cyber Activity CISA / FBI December 2016
15 The CozyDuke APT Kaspersky April 2015
16 Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers Microsoft December 2018