
APT29

G0016 · Russia · Espionage · MITRE ATT&CK

Also known as: IRON RITUAL · IRON HEMLOCK · NobleBaron · Dark Halo · NOBELIUM · UNC2452 · YTTRIUM · The Dukes · Cozy Bear · CozyDuke · SolarStorm · Blue Kitsune · UNC3524 · Midnight Blizzard

Overview

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). It has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.

Targets

Government · Private sector · Think Tanks

Regions

Belgium · Brazil · China · Georgia · Germany · India · Japan · Kazakhstan · Mexico · New Zealand · Portugal · Romania · South Korea · Turkey · Ukraine · United States

Capabilities

  • Exploitation of public-facing / client applications — ATT&CK: T1190, T1203
  • Custom malware/implant development — ATT&CK: 34 attributed custom malware families

TTPs — 66 techniques across 13 tactics

Reconnaissance

Resource Development

Stealth

Defense Impairment

Discovery

Lateral Movement

Collection

Command and Control

Tools & malware (49)

PinchDuke · ROADTools · WellMail · CozyCar · Mimikatz · meek · TrailBlazer · Tasklist · OnionDuke · FatDuke · POSHSPY · EnvyScout · SoreFang · GeminiDuke · reGeorg · BloodHound · GoldMax · FoggyWeb · SDelete · PolyglotDuke · AADInternals · MiniDuke · TEARDROP · SeaDuke · Sibot · Raindrop · RegDuke · CloudDuke · GoldFinder · AdFind · PsExec · Tor · NativeZone · Systeminfo · ipconfig · SUNSPOT · Impacket · Cobalt Strike · PowerDuke · Net · QUIETEXIT · HAMMERTOSS · BoomBox · Sliver · CosmicDuke · SUNBURST · WellMess · VaporRage · LiteDuke

Reporting (3)