# APT29 Intelligence Summary

ATT&CK Group ID: G0016
Associated Groups: YTTRIUM, The Dukes, Cozy Bear, CozyDuke
Objectives: APT29 is assessed to be an organized and well-resourced cyber threat actor whose collection objectives align with the interests of the Russian Federation [1,14]. The group is reported to have been operating since at least 2008 and may have logged operational successes as recently as 2020. Over time and across a diverse target set, APT29's objective appears to have been the exfiltration of information that could inform strategic decision making [1].
Target Industries: APT29 operations have been directed against government agencies, embassies, political parties, defense contractors, non-governmental organizations, law enforcement, media, pharmaceutical companies, and think tanks. Geographically, APT29 has targeted organizations in the United States, Germany, Uzbekistan, South Korea, Turkey, Uganda, Poland, Chechnya, Georgia, Kazakhstan, Kyrgyzstan, Azerbaijan, the Czech Republic, Belgium, Portugal, Romania, Ireland, and Hungary [1,8,11,12,15,16].
Operations: In terms of operational tradecraft, APT29 is distinguished by its commitment to stealth and its use of sophisticated techniques. APT29 is reported to have exploited zero-day vulnerabilities and to have pursued actions on objectives using suites of custom malware, coupled with native execution methods such as PowerShell and WMI. APT29 is also known to vary its operational cadence (smash-and-grab versus slow-and-deliberate) depending on the target's perceived intelligence value [1].
APT29 is reported to have attained initial access by exploiting public-facing applications (T1190), phishing (T1566.001, T1566.002), and supply chain compromise (T1195). The group is reported to have implemented at least two operational cadences, smash-and-grab and slow-and-deliberate, and to have employed a different suite of tools and TTPs for each. If a target was determined to be of value, the attackers are reported to have modified their TTPs and deployed a stealthier toolset with the intent of establishing long-term persistent access [1].
The objective of smash-and-grab operations appears to have been rapid collection and exfiltration [1]. Soon after achieving an initial foothold, APT29 actors are reported to have performed host-based situational awareness checks and then immediately sought to collect and exfiltrate data. If the host was determined to be of value, a stealth toolkit was deployed and persisted. The attackers are reported to have moved through the network, exfiltrating data and persisting on hosts deemed to be valuable [1].
In smaller, more targeted campaigns, APT29 has used a different toolset, incrementally modified in an attempt to evade published intelligence about its operations [1].
# APT29 ATT&CK Navigator

The following behaviors are in scope for an emulation of actions attributed to APT29 as referenced by MITRE ATT&CK.
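The scoping statements in this section correspond to ATT&CK Navigator layers. As an added example that is not part of the ATT&CK Evaluations material, the script below builds such a layer for the initial-access techniques named in the Operations section (T1190, T1566.001, T1566.002, T1195), validates the technique IDs before emitting anything (Navigator silently ignores malformed IDs), and expands the parent of every in-scope sub-technique so the sub-technique cells are visible when the layer is loaded. The Navigator, layer and ATT&CK version strings and the hyphenated tactic short-names are assumptions about the layer format and should be set to match the Navigator build in use.

```python
"""
Emit an ATT&CK Navigator layer marking the APT29 initial-access techniques
named in this summary. Added example; not ATT&CK Evaluations code.
"""
import json
import re

# Technique IDs taken from the Operations section of the summary. The tactic
# column uses Navigator's hyphenated short-names (an assumption about the format).
IN_SCOPE = [
    ("T1190", "initial-access", "Exploit Public-Facing Application"),
    ("T1566.001", "initial-access", "Spearphishing Attachment"),
    ("T1566.002", "initial-access", "Spearphishing Link"),
    ("T1195", "initial-access", "Supply Chain Compromise"),
]

# Tnnnn or Tnnnn.nnn; anything else is a typo Navigator would drop without warning.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def validate_ids(technique_ids):
    """Return the IDs that do not look like ATT&CK technique or sub-technique IDs."""
    return [tid for tid in technique_ids if not TECHNIQUE_ID.match(tid)]


def parent_of(technique_id):
    """T1566.001 -> T1566; a parent technique returns itself."""
    return technique_id.split(".")[0]


def build_layer(name, entries, attack_version="9", description=""):
    """
    Build a Navigator layer dict. Each in-scope technique gets score 1, a colour
    and a comment; the parent of every in-scope sub-technique is added (unscored)
    with showSubtechniques so the expanded cells are visible on load.
    """
    bad = validate_ids([tid for tid, _, _ in entries])
    if bad:
        raise ValueError(f"malformed technique IDs: {bad}")

    by_id = {}  # insertion-ordered, so the output follows the summary's order
    for tid, tactic, label in entries:
        by_id[tid] = {
            "techniqueID": tid,
            "tactic": tactic,
            "score": 1,
            "color": "#fd8d3c",
            "comment": f"{label}; in scope for APT29 emulation",
            "enabled": True,
            "showSubtechniques": False,
        }
    for tid, tactic, _ in entries:
        parent = parent_of(tid)
        if parent == tid:
            continue
        by_id.setdefault(parent, {"techniqueID": parent, "tactic": tactic, "enabled": True})
        by_id[parent]["showSubtechniques"] = True

    return {
        "name": name,
        # Version strings are assumptions; set them to the Navigator build in use.
        "versions": {"attack": attack_version, "navigator": "4.3", "layer": "4.2"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": list(by_id.values()),
        "gradient": {"colors": ["#ffffff", "#fd8d3c"], "minValue": 0, "maxValue": 1},
    }


def technique_ids(layer):
    """Technique IDs present in a layer, in insertion order."""
    return [t["techniqueID"] for t in layer["techniques"]]


def layer_json(layer):
    """Serialize the layer the way Navigator's 'Open Existing Layer' expects."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer(
        "APT29 initial access (from intelligence summary)",
        IN_SCOPE,
        description="Initial-access techniques cited in the APT29 intelligence summary",
    )
    print(layer_json(layer))
```

Run it and load the printed JSON into Navigator via "Open Existing Layer"; extending IN_SCOPE with the execution, collection and exfiltration techniques from each scenario's reporting produces the per-scenario layers this section describes.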
## Scenario 1

The following behaviors are in scope for an emulation of actions attributed to APT29, as implemented in Scenario 1, in the referenced reporting.
## Scenario 2

The following behaviors are in scope for an emulation of actions attributed to APT29, as implemented in Scenario 2, in the referenced reporting.
## CosmicDuke

The following behaviors are in scope for an emulation of actions performed by APT29 using CosmicDuke, based exclusively on current intelligence within ATT&CK for the given software.
## MiniDuke

The following behaviors are in scope for an emulation of actions performed by APT29 using MiniDuke, based exclusively on current intelligence within ATT&CK for the given software.
## SeaDuke

The following behaviors are in scope for an emulation of actions performed by APT29 using SeaDuke, based exclusively on current intelligence within ATT&CK for the given software.
## CozyCar

The following behaviors are in scope for an emulation of actions performed by APT29 using CozyCar, based exclusively on current intelligence within ATT&CK for the given software.
## HammerToss

The following behaviors are in scope for an emulation of actions performed by APT29 using HammerToss, based exclusively on current intelligence within ATT&CK for the given software.
## PowerDuke

The following behaviors are in scope for an emulation of actions performed by APT29 using PowerDuke, based exclusively on current intelligence within ATT&CK for the given software.
## POSHSPY

The following behaviors are in scope for an emulation of actions performed by APT29 using POSHSPY, based exclusively on current intelligence within ATT&CK for the given software.
## CloudDuke

The following behaviors are in scope for an emulation of actions performed by APT29 using CloudDuke, based exclusively on current intelligence within ATT&CK for the given software.
# Software

# References
This Intelligence Summary summarizes 16 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:
- Kaspersky
- Microsoft
- SentinelOne