ATT&CK Group ID: G0016
Objectives: APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives align with the interests of the Russian Federation.1,14 The group is reported to have been operating as early as 2008 and may have logged operational successes as recently as 2020. APT29's objective over time and across a diverse target set appears to have been the exfiltration of information that could be used to inform strategic decision making.1
Target Industries: APT29 operations have been directed against government agencies, embassies, political parties, defense contractors, non-governmental organizations, law enforcement, media, pharmaceutical companies, and think tanks. Geographically, APT29 has aggressed targets in the United States, Germany, Uzbekistan, South Korea, Turkey, Uganda, Poland, Chechnya, Georgia, Kazakhstan, Kyrgyzstan, Azerbaijan, Uzbekistan, Czech Republic, Belgium, Portugal, Romania, Ireland, and Hungary.1,8,11,12,15,16
Operations: In terms of operational tradecraft, APT29 is distinguished by their commitment to stealth and use of sophisticated techniques. APT29 is reported to have exploited zero-day vulnerabilities and has pursued actions on the objective using suites of custom malware, coupled with alternate execution methods such as PowerShell and WMI. APT29 has also been known to employ various operational cadences (smash-and-grab vs. slow-and-deliberate) depending on the target's perceived intelligence value.1
APT29 is reported to have attained initial access by exploiting public-facing applications (T1190), phishing (T1566.001,T1566.002), and supply chain compromise (T1195). The group is reported to have implemented at least two operational cadences, smash-and-grab and slow-and-deliberate. Different suites of tools and TTPs were employed for each one of these cadences. If a target was determined to be of value, the attackers are reported to have modified TTPs, and deployed a stealthier toolset with the intent or establishing long-term persistent access.1
The objective of smash-and-grab operations appears to have been rapid collection and exfiltration.1 As such, soon after achieving an initial foothold, APT29 actors are reported to have performed host-based situational awareness checks, and immediately sought to collect and exfiltrate data. If the host was determined to be of value, a stealth toolkit was deployed and persisted. The attackers are reported to have moved through the network, exfiltrating data and persisting on hosts deemed to be valuable.1
In their smaller more targeted campaigns, APT29 has utilized a different toolset incrementally modified to attempt to evade published intelligence about their operations.1
The following behaviors are in scope for an emulation of actions attributed to APT29 as referenced by MITRE ATT&CK.
The following behaviors are in scope for an emulation of actions attributed to APT29, as implemented in Scenario 1, in the referenced reporting.
The following behaviors are in scope for an emulation of actions attributed to APT29, as implemented in Scenario 2, in the referenced reporting.
The following behaviors are in scope for an emulation of actions performed by APT29 using CosmicDuke, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by APT29 using MiniDuke, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by APT29 using SeaDuke, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by APT29 using CozyCar, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by APT29 using HammerToss, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by APT29 using PowerDuke, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by APT29 using POSHSPY, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by APT29 using CloudDuke, exclusively based on current intelligence within ATT&CK for the given software.
| Name | Associated Names | Software Type | Availability | Emulation Notes |
|---|---|---|---|---|
| CloudDuke (S0054) | MiniDionis, CloudLook | Downloader, Loader, Backdoor | APT29 has used CloudDuke as a backdoor to execute remote commands.1 | |
| Cobalt Strike (S0154) | Threat Emulation Software | Commercial | A Cobalt Strike beacon was used in a suspected APT29 phishing campaign.8 | |
| CosmicDuke (S0050) | TinyBaron, BotgenStudios, NemesisGemina | Information Stealer | APT29 has used CosmicDuke to perform information gathering and data exfiltration.1 | |
| CozyCar (S0046) | CozyDuke, CozyBear, Cozer, EuroAPT | Modular Malware Platform | APT29 has used spear-phishing to infect victims with CozyCar and has used it to gather initial information on victims to determine which ones to continue pursuing further with a different tool.1 | |
| GeminiDuke (S0049) | Information Stealer | APT29 has used GeminiDuke to collect victim computer configuration information.1 | ||
| HAMMERTOSS (S0037) | HammerDuke, NetDuke | Backdoor | APT29 has used HammerDuke to leave persistent backdoors on compromised networks. C2 communication has occurred over HTTP(S) as well as through Twitter.1 | |
| meek (S0175) | Tor Plugin | Openly Available | APT29 has used the Meek plugin for Tor to hide traffic.5 | |
| Mimikatz (S0002) | Windows Credential Dumper | Openly Available | APT29 has used CozyDuke to download Mimikatz, along with script files to execute Mimikatz.1 | |
| MiniDuke (S0051) | Backdoor, Downloader | APT29 has used MiniDuke as a backdoor to remotely execute commands on compromised systems.1 | ||
| OnionDuke (S0052) | Malware Toolset | APT29 has used OnionDuke to steal credentials, gather information, and perform denial of service attacks.1 | ||
| PinchDuke (S0048) | Information Stealear | APT29 has used PinchDuke to steal information such as system configuration information, user credentials, and user files.1 | ||
| POSHSPY (S0150) | Backdoor | APT29 has used POSHSPY as a secondary backdoor that uses PowerShell and Windows Management Instrumentation. | ||
| PowerDuke (S0139) | Backdoor | APT29 has delivered PowerDuke through malicious document macros. | ||
| PsExec (S0029) | Remote Execution | Openly Available | APT29 has used CozyDuke to download PsExec, along with script files to execute PsExec.1 | |
| SDelete (S0195) | Secure Delete Application | Openly Available | APT29 has used SDelete to attempt to cover their tracks.5 | |
| SeaDuke (S0053) | SeaDaddy, SeaDesk | Backdoor | APT29 appears to have used SeaDuke as a secondary backdoor and to target both Windows and Linux systems.1 | |
| Tor (S0183) | Proxy Tool | Openly Available | APT29 has used TOR to hide their remote access.5 |
This Intelligence Summary summarizes 16 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:
- Kaspersky
- Microsoft
- SentinelOne