APT29
Also known as: IRON RITUAL · IRON HEMLOCK · NobleBaron · Dark Halo · NOBELIUM · UNC2452 · YTTRIUM · The Dukes · Cozy Bear · CozyDuke · SolarStorm · Blue Kitsune · UNC3524 · Midnight Blizzard
Overview
APT29 is a threat group attributed to Russia's Foreign Intelligence Service (SVR). It has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.
Targets
Government · Private sector · Think Tanks
Regions
Belgium · Brazil · China · Georgia · Germany · India · Japan · Kazakhstan · Mexico · New Zealand · Portugal · Romania · South Korea · Turkey · Ukraine · United States
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
- Custom malware/implant development — ATT&CK: 34 attributed custom malware families
TTPs — 66 techniques across 13 tactics
Reconnaissance
- T1595.002 Vulnerability Scanning
Resource Development
- T1583.006 Web Services
- T1586.002 Email Accounts
- T1586.003 Cloud Accounts
- T1587.001 Malware
- T1587.003 Digital Certificates
- T1588.002 Tool
Initial Access
- T1190 Exploit Public-Facing Application
- T1199 Trusted Relationship
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
- T1566.003 Spearphishing via Service
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.006 Python
- T1059.009 Cloud API
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1651 Cloud Administration Command
Persistence
- T1037 Boot or Logon Initialization Scripts
- T1037.004 RC Scripts
- T1098.002 Additional Email Delegate Permissions
- T1098.005 Device Registration
- T1133 External Remote Services
- T1136.003 Cloud Account
- T1505.003 Web Shell
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1068 Exploitation for Privilege Escalation
- T1546.003 Windows Management Instrumentation Event Subscription
- T1546.008 Accessibility Features
- T1548.002 Bypass User Account Control
Stealth
- T1027.001 Binary Padding
- T1027.002 Software Packing
- T1027.006 HTML Smuggling
- T1036.005 Match Legitimate Resource Name or Location
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1078 Valid Accounts
- T1078.003 Local Accounts
- T1078.004 Cloud Accounts
- T1218.005 Mshta
Defense Impairment
- T1553.005 Mark-of-the-Web Bypass
- T1556.007 Hybrid Identity
- T1685.002 Disable or Modify Cloud Log
Credential Access
- T1003.002 Security Account Manager
- T1003.004 LSA Secrets
- T1110.001 Password Guessing
- T1110.003 Password Spraying
- T1528 Steal Application Access Token
- T1621 Multi-Factor Authentication Request Generation
- T1649 Steal or Forge Authentication Certificates
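The two brute-force sub-techniques listed above, T1110.001 Password Guessing and T1110.003 Password Spraying, look different in sign-in logs and need different detection logic: guessing is one source hammering one account, spraying is one source trying one or two passwords against many accounts so that no single account trips a lockout threshold. The detector below is an added example for this profile, not code from threatfilter.dev or from any vendor report; the CSV-style log layout, the 10-minute window, the thresholds and all IPs and usernames are constructed assumptions. Adapt `parse_events` to the sign-in log of your identity provider.

```python
"""Detect password spraying (T1110.003) and password guessing (T1110.001)
in authentication logs.

Added example for the APT29 profile; not code from threatfilter.dev or from
any vendor. Log layout, thresholds and every event are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: timestamp,source_ip,username,result
SAMPLE_LOG = """\
2024-05-01T09:00:01Z,203.0.113.7,alice,FAILURE
2024-05-01T09:00:04Z,203.0.113.7,bob,FAILURE
2024-05-01T09:00:09Z,203.0.113.7,carol,FAILURE
2024-05-01T09:00:15Z,203.0.113.7,dave,FAILURE
2024-05-01T09:00:21Z,203.0.113.7,erin,FAILURE
2024-05-01T09:00:27Z,203.0.113.7,frank,FAILURE
2024-05-01T09:00:33Z,203.0.113.7,grace,SUCCESS
2024-05-01T09:01:00Z,198.51.100.9,alice,FAILURE
2024-05-01T09:01:05Z,198.51.100.9,alice,FAILURE
2024-05-01T09:01:11Z,198.51.100.9,alice,FAILURE
2024-05-01T09:01:18Z,198.51.100.9,alice,SUCCESS
2024-05-01T10:30:00Z,192.0.2.44,heidi,FAILURE
2024-05-01T10:30:05Z,192.0.2.44,ivan,FAILURE
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    user: str
    result: str  # "SUCCESS" or "FAILURE"


@dataclass
class SprayFinding:
    distinct_failed_users: int  # how many different accounts one IP failed against
    successful_users: tuple     # accounts that then succeeded from the same IP


def parse_events(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def _windows(events, window):
    """For each event (in time order) yield the events within `window` up to and including it."""
    events = sorted(events, key=lambda e: e.ts)
    start = 0
    for end in range(len(events)):
        while events[end].ts - events[start].ts > window:
            start += 1
        yield events[start:end + 1]


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """One source, many accounts, few tries each: grouped per source IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        for w in _windows(evs, window):
            failed = {e.user for e in w if e.result == "FAILURE"}
            if len(failed) < min_users:
                continue
            succeeded = {e.user for e in w if e.result == "SUCCESS"}
            prev = findings.get(ip)
            best = max(len(failed), prev.distinct_failed_users if prev else 0)
            hits = set(prev.successful_users if prev else ()) | succeeded
            findings[ip] = SprayFinding(best, tuple(sorted(hits)))
    return findings


def detect_guessing(events, window=timedelta(minutes=10), min_failures=3):
    """One source, one account, many tries: grouped per (source IP, user)."""
    by_pair = defaultdict(list)
    for e in events:
        if e.result == "FAILURE":
            by_pair[(e.src_ip, e.user)].append(e)
    findings = {}
    for pair, evs in by_pair.items():
        for w in _windows(evs, window):
            if len(w) >= min_failures:
                findings[pair] = max(len(w), findings.get(pair, 0))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, f in detect_spray(evs).items():
        print(f"spray from {ip}: {f.distinct_failed_users} accounts, "
              f"later success for {f.successful_users or 'none'}")
    for (ip, user), n in detect_guessing(evs).items():
        print(f"guessing from {ip} against {user}: {n} failures")
```

On the sample, the per-account rule flags only 198.51.100.9 against alice; the spray from 203.0.113.7 never exceeds one failure per account, so an account-lockout policy alone would miss it, and the success for grace from the same source is the account to treat as compromised. A caveat when running this on real data: spraying campaigns typically rotate source addresses through proxy infrastructure (T1090.003 and T1665 appear under Command and Control below), so grouping on source IP alone under-detects; grouping additionally by ASN, user agent or the unusual time-of-day pattern helps.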
Discovery
- T1016.001 Internet Connection Discovery
- T1087.004 Cloud Account
Lateral Movement
- T1021.007 Cloud Services
- T1550.003 Pass the Ticket
Collection
- T1005 Data from Local System
- T1114.002 Remote Email Collection
Command and Control
- T1090.002 External Proxy
- T1090.003 Multi-hop Proxy
- T1090.004 Domain Fronting
- T1105 Ingress Tool Transfer
- T1568 Dynamic Resolution
- T1573 Encrypted Channel
- T1665 Hide Infrastructure
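T1090.004 Domain Fronting, listed above, works by putting a high-reputation CDN hostname in DNS and the TLS ClientHello (SNI) while the HTTP Host header inside the encrypted tunnel names a different, attacker-controlled origin on the same CDN; meek, in the tool list below, is the Tor pluggable transport built on exactly this trick. The code below is an added example for this profile, not code from threatfilter.dev, Tor, meek or any vendor: `fronted_request` shows the two names a fronting client produces, and `find_fronting` runs the corresponding SNI/Host mismatch check over a constructed TLS-inspecting proxy log. The log layout, every hostname and IP, and the "last two labels" domain heuristic are assumptions.

```python
"""Domain fronting (T1090.004) as seen on the wire, plus an SNI/Host
mismatch check for TLS-inspecting proxy logs.

Added example for the APT29 profile; not code from threatfilter.dev, Tor,
meek or any vendor. Log layout, hostnames and IPs are constructed.
"""
from dataclasses import dataclass


def fronted_request(front_sni, real_host, path="/"):
    """Return (sni, raw_request) for one fronted connection.

    `front_sni` is what DNS and the TLS ClientHello carry; `real_host` only
    appears in the Host header inside the tunnel, so a sensor without TLS
    inspection sees nothing but the front domain.
    """
    raw = (f"GET {path} HTTP/1.1\r\n"
           f"Host: {real_host}\r\n"
           f"Connection: close\r\n\r\n")
    return front_sni, raw


def host_header(raw_request):
    """Extract the Host header value from a raw HTTP/1.1 request."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # end of headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower()
    return None


# Constructed proxy records: client_ip,tls_sni,http_host,status
SAMPLE_PROXY_LOG = """\
10.0.0.5,cdn.example-news.com,cdn.example-news.com,200
10.0.0.5,cdn.example-news.com,assets.example-news.com,200
10.0.0.9,www.popular-cdn-site.example,update.attacker-origin.example,200
10.0.0.9,www.popular-cdn-site.example,update.attacker-origin.example,200
10.0.0.12,login.example-idp.com,login.example-idp.com,302
"""


@dataclass(frozen=True)
class ProxyRecord:
    client_ip: str
    sni: str
    host: str
    status: str


def parse_proxy_log(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(ProxyRecord(*line.split(",")))
    return records


def registrable_domain(hostname):
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption for this example only: production code should consult the
    Public Suffix List so that e.g. host.co.uk is not collapsed to co.uk.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_fronting(records):
    """Count SNI/Host mismatches that cross registrable domains, per client and pair."""
    findings = {}
    for r in records:
        sni, host = r.sni.lower(), r.host.lower()
        if sni == host or registrable_domain(sni) == registrable_domain(host):
            continue  # same site, or one organisation's own CDN subdomains
        key = (r.client_ip, sni, host)
        findings[key] = findings.get(key, 0) + 1
    return findings


if __name__ == "__main__":
    sni, raw = fronted_request("www.popular-cdn-site.example",
                               "update.attacker-origin.example", "/beacon")
    print("SNI on the wire:", sni, "| Host inside TLS:", host_header(raw))
    for (ip, s, h), n in find_fronting(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{ip}: SNI {s} but Host {h} ({n} requests)")
```

The check only works where the proxy terminates TLS and logs both the SNI and the inner Host header; without inspection the front domain is all that is visible, which is the point of the technique. Expect benign mismatches from sites that front their own assets through a CDN under a sibling domain, so tune the same-organisation filter before alerting on it.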
Tools & malware (49)
PinchDuke · ROADTools · WellMail · CozyCar · Mimikatz · meek · TrailBlazer · Tasklist · OnionDuke · FatDuke · POSHSPY · EnvyScout · SoreFang · GeminiDuke · reGeorg · BloodHound · GoldMax · FoggyWeb · SDelete · PolyglotDuke · AADInternals · MiniDuke · TEARDROP · SeaDuke · Sibot · Raindrop · RegDuke · CloudDuke · GoldFinder · AdFind · PsExec · Tor · NativeZone · Systeminfo · ipconfig · SUNSPOT · Impacket · Cobalt Strike · PowerDuke · Net · QUIETEXIT · HAMMERTOSS · BoomBox · Sliver · CosmicDuke · SUNBURST · WellMess · VaporRage · LiteDuke
Reporting (3)
- How Microsoft names threat actors — Microsoft
- UNC3524: Eye Spy on Your Email — Mandiant
- Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign — CrowdStrike