APT29

APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.[9][10][11][12][13]

ID: G0016
Associated Groups: NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke
Contributors: Daniyal Naeem, BT Security; Matt Brenton, Zurich Insurance Group; Katie Nickels, Red Canary
Version: 2.1
Created: 31 May 2017
Last Modified: 16 October 2021

Associated Group Descriptions

Name Description
NobleBaron

[14]

Dark Halo

[12]

StellarParticle

[11]

NOBELIUM

[10][15][16][17]

UNC2452

[9]

YTTRIUM

[18]

The Dukes

[3][19][20][13]

Cozy Bear

[5][19][20][13]

CozyDuke

[5]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT29 has bypassed UAC.[21]

Enterprise T1087 Account Discovery

APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.[12]

Enterprise T1098 .001 Account Manipulation: Additional Cloud Credentials

APT29 has added credentials to OAuth Applications and Service Principals.[22]

.002 Account Manipulation: Exchange Email Delegate Permissions

APT29 added their own devices as allowed IDs for active sync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.[12][22]

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT29 has acquired C2 domains, sometimes through resellers.[10][23][15]

.006 Acquire Infrastructure: Web Services

APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS.[24][15]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.[13]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT29 has used HTTP for C2 and data exfiltration.[12]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.[12][25]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT29 added Registry Run keys to establish persistence.[21]

.009 Boot or Logon Autostart Execution: Shortcut Modification

APT29 drops a Windows shortcut file for execution.[26]

Enterprise T1110 .003 Brute Force: Password Spraying

APT29 has conducted brute force password spray attacks.[17]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell to create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, and to execute other commands.[12][27][28][21][26]

.003 Command and Scripting Interpreter: Windows Command Shell

APT29 used cmd.exe to execute commands on remote machines.[12][27]

.005 Command and Scripting Interpreter: Visual Basic

APT29 has written malware variants in Visual Basic.[13]

.006 Command and Scripting Interpreter: Python

APT29 has developed malware variants written in Python.[19]

Enterprise T1584 .001 Compromise Infrastructure: Domains

APT29 has compromised domains to use for C2.[10]

Enterprise T1555 Credentials from Password Stores

APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.[25]

Enterprise T1213 .003 Data from Information Repositories: Code Repositories

APT29 has downloaded source code from code repositories.[29]

Enterprise T1005 Data from Local System

APT29 has extracted files from compromised networks.[12]

Enterprise T1001 .002 Data Obfuscation: Steganography

APT29 has used steganography to hide C2 communications in images.[19]

Enterprise T1074 .002 Data Staged: Remote Data Staging

APT29 staged data and files in password-protected archives on a victim's OWA server.[12]

Enterprise T1140 Deobfuscate/Decode Files or Information

APT29 used 7-Zip to decode its Raindrop malware.[30]

Enterprise T1587 .001 Develop Capabilities: Malware

APT29 has leveraged numerous pieces of malware that appear to be unique to APT29 and were likely developed for or by the group.[9][11][25]

.003 Develop Capabilities: Digital Certificates

APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.[31][32]

Enterprise T1484 .002 Domain Policy Modification: Domain Trust Modification

APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.[33]

Enterprise T1482 Domain Trust Discovery

APT29 used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.[12] They also used AdFind to enumerate domains and to discover trust between federated domains.[25]

Enterprise T1568 Dynamic Resolution

APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.[12]

Enterprise T1114 .002 Email Collection: Remote Email Collection

APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.[12][13]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

APT29 has used WMI event subscriptions for persistence.[21][19][33][25]

.008 Event Triggered Execution: Accessibility Features

APT29 used sticky-keys to obtain unauthenticated, privileged console access.[21][34]

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

APT29 has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.[12]

Enterprise T1190 Exploit Public-Facing Application

APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access. They have also exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[20][12][13]

Enterprise T1203 Exploitation for Client Execution

APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.[3][13][15]

Enterprise T1133 External Remote Services

APT29 has used compromised identities to access VPNs and remote access tools.[10][20]

Enterprise T1083 File and Directory Discovery

APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.[12]

Enterprise T1606 .001 Forge Web Credentials: Web Cookies

APT29 has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.[12]

.002 Forge Web Credentials: SAML Tokens

APT29 created tokens using compromised SAML signing certificates.[22]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

APT29 used the service control manager on a remote system to disable services associated with security monitoring products.[25]

.002 Impair Defenses: Disable Windows Event Logging

APT29 used AUDITPOL to prevent the collection of audit logs.[25]

.004 Impair Defenses: Disable or Modify System Firewall

APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.[25]

Enterprise T1070 Indicator Removal on Host

APT29 removed evidence of email export requests using Remove-MailboxExportRequest.[12] They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[9]

.004 File Deletion

APT29 routinely removed their tools, including custom backdoors, once remote access was achieved. APT29 has also used SDelete to remove artifacts from victims.[9][21]

.006 Timestomp

APT29 modified timestamps of backdoors to match legitimate Windows files.[25]

Enterprise T1105 Ingress Tool Transfer

APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access.[9]

Enterprise T1036 Masquerading

APT29 has set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They have also used IP addresses originating from the same country as the victim for their VPN infrastructure.[9]

.004 Masquerade Task or Service

APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.[12]

.005 Match Legitimate Name or Location

APT29 renamed software and DLL's with legitimate names to appear benign.[12][27][14]

Enterprise T1095 Non-Application Layer Protocol

APT29 has used TCP for C2 communications.[26]

Enterprise T1027 Obfuscated Files or Information

APT29 has used encoded PowerShell commands.[26]

.001 Binary Padding

APT29 has used large file sizes to avoid detection.[14]

.002 Software Packing

APT29 used UPX to pack files.[21]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.[21][3][26]

Enterprise T1003 .006 OS Credential Dumping: DCSync

APT29 leveraged privileged accounts to replicate directory service data with domain controllers.[33][25]

Enterprise T1069 Permission Groups Discovery

APT29 used the Get-ManagementRoleAssignment PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.[12]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.[3][26][19][15]

.002 Phishing: Spearphishing Link

APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[21][15]

.003 Phishing: Spearphishing via Service

APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.[13]

Enterprise T1057 Process Discovery

APT29 has used multiple command-line utilities to enumerate running processes.[12][25]

Enterprise T1090 .001 Proxy: Internal Proxy

APT29 configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion.[30]

.003 Proxy: Multi-hop Proxy

A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.[21]

.004 Proxy: Domain Fronting

APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[21]

Enterprise T1021 .006 Remote Services: Windows Remote Management

APT29 has used WinRM via PowerShell to execute command and payloads on remote hosts.[30]

Enterprise T1018 Remote System Discovery

APT29 has used AdFind to enumerate remote systems.[25]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT29 used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement.[12] They have manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.[9] APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted during the 2020 SolarWinds intrusion.[11] They previously used named and hijacked scheduled tasks to also establish persistence.[21]

Enterprise T1505 .003 Server Software Component: Web Shell

APT29 has installed web shells on exploited Microsoft Exchange servers.[13]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

APT29 has used Rundll32.exe to execute payloads.[22][25][26]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.[25]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.[9]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.[9][13]

Enterprise T1082 System Information Discovery

APT29 used fsutil to check available free space before executing actions that might create large files on disk.[25]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.[10]

Enterprise T1199 Trusted Relationship

APT29 has used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.[13]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

APT29 obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[33][13]

Enterprise T1550 Use Alternate Authentication Material

APT29 used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling APT29 to access enterprise cloud applications and services.[33]

.003 Pass the Ticket

APT29 used Kerberos ticket attacks for lateral movement.[21]

.004 Web Session Cookie

APT29 used a forged duo-sid cookie to bypass MFA set on an email account.[12]

Enterprise T1204 .001 User Execution: Malicious Link

APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link.[26][19][15]

.002 User Execution: Malicious File

APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. [3] [26][19]

Enterprise T1078 Valid Accounts

APT29 used different compromised credentials for remote access and to move laterally.[9][10][13]

.002 Domain Accounts

APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.[19][20]

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT29 has used social media platforms to hide communications to C2 servers.[19]

Enterprise T1047 Windows Management Instrumentation

APT29 used WMI to steal credentials and execute backdoors at a future time.[21] They have also used WMI for the remote execution of files for lateral movement.[33][25]

Software

ID Name References Techniques
S0552 AdFind [27] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0635 BoomBox [16] Account Discovery: Email Account, Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Deobfuscate/Decode Files or Information, Execution Guardrails, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery, Ingress Tool Transfer, Masquerading, Obfuscated Files or Information, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, User Execution: Malicious File, Web Service
S0054 CloudDuke [3] Application Layer Protocol: Web Protocols, Ingress Tool Transfer, Web Service: Bidirectional Communication
S0154 Cobalt Strike [26][9][13][15][16][14] Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Proxy: Domain Fronting, Query Registry, Reflective Code Loading, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Signed Binary Proxy Execution: Rundll32, Software Discovery, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0050 CosmicDuke [3] Application Layer Protocol: Web Protocols, Automated Exfiltration, Clipboard Data, Create or Modify System Process: Windows Service, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exploitation for Privilege Escalation, File and Directory Discovery, Input Capture: Keylogging, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager, Scheduled Task/Job: Scheduled Task, Screen Capture
S0046 CozyCar [3] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Masquerading: Rename System Utilities, Obfuscated Files or Information, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, System Information Discovery, Virtualization/Sandbox Evasion, Web Service: Bidirectional Communication
S0634 EnvyScout [16] Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Deobfuscate/Decode Files or Information, Execution Guardrails, Forced Authentication, Hide Artifacts: Hidden Files and Directories, Masquerading, Obfuscated Files or Information, Obfuscated Files or Information: HTML Smuggling, Phishing: Spearphishing Attachment, Signed Binary Proxy Execution: Rundll32, System Information Discovery, User Execution: Malicious File
S0512 FatDuke [19] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Masquerading, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Binary Padding, Process Discovery, Proxy: Internal Proxy, Query Registry, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: Time Based Evasion
S0049 GeminiDuke [3] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, File and Directory Discovery, Process Discovery, System Network Configuration Discovery, System Service Discovery
S0597 GoldFinder [10][13][16] Application Layer Protocol: Web Protocols, Automated Collection, System Network Configuration Discovery: Internet Connection Discovery
S0588 GoldMax [10][13][15][16] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Obfuscation: Junk Data, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Scheduled Task/Job: Scheduled Task, System Network Configuration Discovery, System Time Discovery, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion
S0037 HAMMERTOSS [3] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Data Obfuscation: Steganography, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Hide Artifacts: Hidden Window, Web Service: One-Way Communication
S0100 ipconfig [35] System Network Configuration Discovery
S0513 LiteDuke [19] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Deobfuscate/Decode Files or Information, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Steganography, Obfuscated Files or Information: Software Packing, Query Registry, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: Time Based Evasion
S0175 meek [21] Proxy: Domain Fronting
S0002 Mimikatz [3][33] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0051 MiniDuke [3][19] Application Layer Protocol: Web Protocols, Dynamic Resolution: Domain Generation Algorithms, Fallback Channels, File and Directory Discovery, Ingress Tool Transfer, Obfuscated Files or Information, Proxy: Internal Proxy, System Information Discovery, Web Service: Dead Drop Resolver
S0637 NativeZone [14] Deobfuscate/Decode Files or Information, Execution Guardrails, Masquerading, Signed Binary Proxy Execution: Rundll32, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks
S0039 Net [35] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0052 OnionDuke [3][19] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Endpoint Denial of Service, OS Credential Dumping, Web Service: One-Way Communication
S0048 PinchDuke [3] Application Layer Protocol: Web Protocols, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, File and Directory Discovery, OS Credential Dumping, System Information Discovery
S0518 PolyglotDuke [19] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Modify Registry, Native API, Obfuscated Files or Information: Steganography, Obfuscated Files or Information, Signed Binary Proxy Execution: Rundll32, Web Service: Dead Drop Resolver
S0150 POSHSPY [36] Command and Scripting Interpreter: PowerShell, Data Transfer Size Limits, Dynamic Resolution: Domain Generation Algorithms, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Obfuscated Files or Information
S0139 PowerDuke [37] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Data Destruction, File and Directory Discovery, Hide Artifacts: NTFS File Attributes, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Steganography, Process Discovery, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0029 PsExec [3][19] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0565 Raindrop [30][16] Deobfuscate/Decode Files or Information, Masquerading: Match Legitimate Name or Location, Masquerading, Obfuscated Files or Information: Steganography, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Virtualization/Sandbox Evasion: Time Based Evasion
S0511 RegDuke [19] Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information: Steganography, Obfuscated Files or Information, Web Service: Bidirectional Communication
S0195 SDelete [21] Data Destruction, Indicator Removal on Host: File Deletion
S0053 SeaDuke [3] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Email Collection: Remote Email Collection, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Software Packing, Use Alternate Authentication Material: Pass the Ticket, Valid Accounts
S0589 Sibot [10][13][16] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Deobfuscate/Decode Files or Information, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information, Query Registry, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Mshta, Signed Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, Web Service, Windows Management Instrumentation
S0633 Sliver [13] Access Token Manipulation, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Data Obfuscation: Steganography, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Obfuscated Files or Information, Process Injection, Screen Capture, System Network Configuration Discovery, System Network Connections Discovery
S0516 SoreFang [20][35] Account Discovery: Local Account, Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Exploit Public-Facing Application, File and Directory Discovery, Ingress Tool Transfer, Obfuscated Files or Information, Permission Groups Discovery: Domain Groups, Process Discovery, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery
S0559 SUNBURST [9][15] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Obfuscation: Steganography, Data Obfuscation: Junk Data, Dynamic Resolution, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Image File Execution Options Injection, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Process Discovery, Query Registry, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion: System Checks, Windows Management Instrumentation
S0562 SUNSPOT [11][16] Access Token Manipulation, Data Manipulation: Stored Data Manipulation, Deobfuscate/Decode Files or Information, Execution Guardrails, File and Directory Discovery, Indicator Removal on Host: File Deletion, Masquerading: Match Legitimate Name or Location, Native API, Obfuscated Files or Information, Process Discovery, Supply Chain Compromise: Compromise Software Supply Chain
S0096 Systeminfo [35] System Information Discovery
S0057 Tasklist [35] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0560 TEARDROP [9][15][16] Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information, Query Registry
S0183 Tor [21] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy
S0636 VaporRage [16] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Execution Guardrails, Ingress Tool Transfer
S0515 WellMail [38][20][13] Archive Collected Data, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Ingress Tool Transfer, Non-Application Layer Protocol, Non-Standard Port, System Network Configuration Discovery, System Owner/User Discovery
S0514 WellMess [31][32][39][20][13] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Junk Data, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Ingress Tool Transfer, Permission Groups Discovery: Domain Groups, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery

References

  1. White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.
  2. UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021.
  3. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  4. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  5. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  6. UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021.
  7. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  8. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  9. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  10. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  11. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  12. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  13. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  14. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
  15. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  16. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  17. MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.
  18. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
  19. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  20. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  1. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  2. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  3. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  4. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  5. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  6. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  7. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  8. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  9. MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation – Final Update. Retrieved May 14, 2021.
  10. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  11. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  12. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
  13. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  14. Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.
  15. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  16. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  17. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  18. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  19. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.