APT29, also known as Cozy Bear, is a Russian state-sponsored threat group that the US and UK governments have publicly attributed to Russia's Foreign Intelligence Service (SVR). The group has been active since at least 2008 and is known for patient, highly targeted intrusions, most prominently the 2020 SolarWinds Orion supply-chain compromise. It is tracked under many vendor names, including CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM (renamed Midnight Blizzard by Microsoft), Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.
Tactics, Techniques, and Procedures (TTPs)
APT29 is known for adapting its tooling between campaigns and for operating with a low footprint that delays detection. Its initial access is mostly spear-phishing, typically with lures themed around diplomatic business and aimed at embassies and foreign ministries, sometimes combined with compromised websites. In recent campaigns the lure led to the EnvyScout dropper, an HTML page that uses HTML smuggling to reassemble an ISO or ZIP image inside the victim's browser, so that mail and web gateways never see a file to inspect. From that image the group installed the SNOWYAMBER and QUARTERRIG downloaders and HALFRIG, a stager that deploys a Cobalt Strike Beacon.
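The HTML-smuggling step above is worth being able to triage mechanically. The script below is an added example written for this page (it is not EnvyScout or any APT29 code): it looks for the JavaScript primitives a smuggling page needs to build a file client-side (atob, Blob, createObjectURL or msSaveOrOpenBlob, and an anchor download), pulls out any large base64 literal, decodes it and identifies the container by magic bytes. The sample page it analyses is constructed inline; the 2 KB literal threshold and the API list are assumptions for the demo.

```python
"""Triage an HTML attachment for HTML-smuggling indicators (added example)."""
import base64
import io
import re
import zipfile

# JavaScript primitives that, together, let a page turn an inline string into
# a file and hand it to the browser as a download (assumed indicator list).
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL(",
                  "msSaveOrOpenBlob(", ".download")

# A quoted base64 run of 2048+ characters; ordinary pages rarely carry one.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{2048,}={0,2})['"]""")


def identify(blob: bytes) -> str:
    """Name the container format from its magic bytes."""
    if blob[:2] == b"PK":
        return "zip"
    # ISO 9660: primary volume descriptor at sector 16, bytes 1-5 are "CD001".
    if len(blob) >= 0x8006 and blob[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if blob[:2] == b"MZ":
        return "pe"
    return "unknown"


def triage_html(html: str) -> dict:
    """Report which smuggling APIs appear and what any embedded blob decodes to."""
    apis = [api for api in SMUGGLING_APIS if api in html]
    payloads = []
    for match in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # long token that is not valid base64, skip it
        payloads.append({"size": len(data), "type": identify(data)})
    # Three or more primitives plus a decodable blob is the smuggling pattern.
    return {"apis": apis, "payloads": payloads,
            "suspicious": len(apis) >= 3 and bool(payloads)}


def build_sample_page() -> str:
    """Constructed lookalike of a smuggling page: an inline base64 ZIP that
    JavaScript converts to a download on load. The ZIP holds a dummy .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr("invitation.lnk", b"\x4c\x00\x00\x00" + b"\x00" * 3000)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><p>Loading the invitation...</p>
<script>
var data = atob("{b64}");
var bytes = new Uint8Array(data.length);
for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invitation.zip";
a.click();
</script></body></html>"""


if __name__ == "__main__":
    print(triage_html(build_sample_page()))
```

Run on a real attachment, the useful output is the decoded container type: a ZIP or ISO assembled in the browser is what the text describes, and the archive can then be unpacked for the next stage without ever executing the page.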
The group also hides command and control (C2) inside traffic to legitimate services: earlier malware families pulled tasking from social media platforms such as Twitter and Reddit, later ones from hosted platforms such as Trello and Firebase. In one of its recent campaigns the downloaders used the API of Notion, a note-taking application, so that beacons blended into ordinary HTTPS traffic to a trusted SaaS domain and no attacker-owned infrastructure appeared in proxy logs.
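Because the destination is a trusted SaaS domain, blocking or reputation-scoring the host does not work; what gives this technique away is which process talks to the API and how regularly. The hunt below is an added example for this page, not a vendor or MITRE rule: it reads process-attributed egress events (constructed here in a simplified "timestamp host process destination" shape, as an EDR would record them), keeps those from non-browser processes to collaboration-service API hosts, and flags groups whose inter-arrival times are nearly constant. The host list, browser allowlist, minimum event count and jitter threshold are all assumptions for the demo.

```python
"""Hunt for C2 beaconing hidden in legitimate SaaS APIs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# API hosts of services the text names as C2 carriers (assumed list).
SAAS_C2_HOSTS = {"api.notion.com", "api.trello.com", "firebaseio.com"}

# Processes expected to hit these hosts legitimately (assumed allowlist).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "notion.exe", "trello.exe"}

# Constructed sample events: one implant, one browser, one below threshold.
SAMPLE_EVENTS = [
    # rundll32 reaching the Notion API every ~5 minutes: the implant
    "2023-04-12T09:00:00 WS01 rundll32.exe api.notion.com",
    "2023-04-12T09:05:00 WS01 rundll32.exe api.notion.com",
    "2023-04-12T09:10:02 WS01 rundll32.exe api.notion.com",
    "2023-04-12T09:15:00 WS01 rundll32.exe api.notion.com",
    "2023-04-12T09:19:58 WS01 rundll32.exe api.notion.com",
    "2023-04-12T09:25:01 WS01 rundll32.exe api.notion.com",
    # a browser using Trello: legitimate, excluded by the allowlist
    "2023-04-12T09:01:10 WS01 chrome.exe api.trello.com",
    "2023-04-12T09:47:33 WS01 chrome.exe api.trello.com",
    # an Office process hitting Firebase three times: too few events to judge
    "2023-04-12T09:02:00 WS02 excel.exe myapp.firebaseio.com",
    "2023-04-12T09:03:10 WS02 excel.exe myapp.firebaseio.com",
    "2023-04-12T09:09:00 WS02 excel.exe myapp.firebaseio.com",
]


def is_saas_api(dest: str) -> bool:
    """Match the host itself or any subdomain of it (e.g. <app>.firebaseio.com)."""
    return any(dest == h or dest.endswith("." + h) for h in SAAS_C2_HOSTS)


def parse(line: str):
    ts, host, proc, dest = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), dest.lower()


def find_beacons(lines, min_events=5, max_jitter=0.2):
    """Group events by (host, process, destination) and flag groups whose
    inter-arrival times are nearly constant: stddev/mean below max_jitter."""
    groups = defaultdict(list)
    for line in lines:
        ts, host, proc, dest = parse(line)
        if is_saas_api(dest) and proc not in BROWSERS:
            groups[(host, proc, dest)].append(ts)

    hits = []
    for (host, proc, dest), times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append({"host": host, "process": proc, "dest": dest,
                         "interval_s": round(avg, 1)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print(hit)
```

The allowlist is the weak point of this approach: an implant injected into a browser process would pass it, so in production the process check should be paired with the beacon-regularity test rather than used alone.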
According to MITRE ATT&CK, APT29 has used a variety of techniques, including:
- Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
- Account Discovery: Domain Account (T1087.002)
- Account Discovery: Cloud Account (T1087.004)
- Account Manipulation: Additional Cloud Credentials (T1098.001)
- Account Manipulation: Additional Email Delegate Permissions (T1098.002)
- Account Manipulation: Additional Cloud Roles (T1098.003)
- Account Manipulation: Device Registration (T1098.005)
- Acquire Infrastructure: Domains (T1583.001)
- Acquire Infrastructure: Web Services (T1583.006)
- Active Scanning: Vulnerability Scanning (T1595.002)
- Application Layer Protocol: Web Protocols (T1071.001)
- Archive Collected Data: Archive via Utility (T1560.001)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
- Brute Force: Password Guessing (T1110.001)
- Brute Force: Password Spraying (T1110.003)
- Cloud Administration Command (T1651)
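Two entries in the list above, Password Guessing (T1110.001) and Password Spraying (T1110.003), are easy to confuse in detection logic, and the distinction matters: spraying makes one or two guesses against many accounts, so the classic per-account failure count that drives lockout never fires. The detector below is an added example for this page (not from MITRE or the page's sources): it counts distinct accounts that failed from one source inside a time window, requires that no single account failed more than a couple of times, and then lists the accounts that did authenticate from that source, which is the guess that worked. The log format ("timestamp source user result") and the thresholds are constructed assumptions.

```python
"""Detect password spraying (T1110.003) in authentication logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 198.51.100.7 sprays twelve accounts once each and
# gets in as user12; 203.0.113.5 brute-forces one account; 192.0.2.10 is noise.
SAMPLE_LOG = (
    [f"2023-04-12T10:{i:02d}:00 198.51.100.7 user{i:02d} FAIL" for i in range(12)]
    + ["2023-04-12T10:12:00 198.51.100.7 user12 SUCCESS"]
    + [f"2023-04-12T10:{i:02d}:30 203.0.113.5 jdoe FAIL" for i in range(15)]
    + [f"2023-04-12T11:0{i}:00 192.0.2.10 asmith FAIL" for i in range(3)]
)


def parse(line: str):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user.lower(), result


def detect_spray(lines, window=timedelta(minutes=30), min_accounts=10,
                 max_per_account=2):
    """Return sources that failed against >= min_accounts distinct accounts
    within `window`, with no account failing more than max_per_account times.
    The per-account cap is what separates spraying from brute force."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, user, result = parse(line)
        if result == "FAIL":
            by_src[src].append((ts, user))

    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        # Slide a window starting at each failure; stop at the first hit per source.
        for i, (start, _) in enumerate(fails):
            per_user = Counter(u for t, u in fails[i:] if t - start <= window)
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                alerts.append({"source": src, "accounts": len(per_user),
                               "start": start.isoformat()})
                break
    return alerts


def successes_from(lines, src: str):
    """Accounts that authenticated successfully from a flagged source: the
    credential that worked, and the first one to reset."""
    return sorted({user for ts, s, user, result in map(parse, lines)
                   if s == src and result == "SUCCESS"})


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert, "succeeded as:", successes_from(SAMPLE_LOG, alert["source"]))
```

Against real identity-provider logs the source should be the client IP or, for cloud sign-ins, the combination of IP and user agent, since sprays are commonly rotated across a proxy pool; the brute-force case in the sample (fifteen failures for one account) is deliberately left to the ordinary lockout logic.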
Known Exploits
APT29 has exploited publicly known vulnerabilities in internet-facing VPN, gateway and identity infrastructure to gain initial access, including:
- CVE-2018-13379, a path traversal in the Fortinet FortiOS SSL VPN web portal that exposes session files
- CVE-2019-9670, an XML External Entity (XXE) flaw in Zimbra Collaboration Suite
- CVE-2019-11510, a pre-authentication arbitrary file read in Pulse Secure (Pulse Connect Secure) VPN appliances
- CVE-2019-19781, a directory traversal in Citrix ADC and Citrix Gateway that leads to remote code execution
- CVE-2020-4006, a command injection in VMware Workspace ONE Access that requires valid administrator credentials
- CVE-2022-30170, an elevation-of-privilege flaw in the Windows Credential Roaming service
The first five were named in the April 2021 joint NSA, CISA and FBI advisory on SVR exploitation. All six have vendor patches; the actor's pattern is to exploit edge devices that remain unpatched long after disclosure and then pivot to the identity layer.
Target Geography
APT29 has targeted entities across the globe, with a particular focus on North America, Europe, and Asia. They have targeted a wide range of sectors, including government, defense, think tanks, healthcare, energy, and higher education.
Motivation
APT29 is assessed to be operated by Russia's Foreign Intelligence Service (SVR), the country's civilian foreign-intelligence agency; some earlier public reporting also linked parts of its activity to the FSB. Its primary motivation is espionage: collecting political, diplomatic and technical intelligence of strategic value to the Russian government. Its targeting tracks Russian foreign-policy priorities, from foreign ministries and think tanks to COVID-19 vaccine research in 2020.
Its sophisticated and persistent spear-phishing campaigns have targeted government, defence and private-sector organisations alike, reflecting a broad collection mandate. The group's activities illustrate how state-sponsored cyber espionage has evolved and why organisations in its target set need defences built around identity, email and edge-device hygiene rather than perimeter blocking alone.
Summary
APT29 represents a significant threat to organizations worldwide. Their advanced capabilities, coupled with their strategic focus on espionage, make them a formidable adversary. Understanding their TTPs, known exploits, target geography, and motivations can help organizations develop effective defense strategies to mitigate the risk posed by this threat actor.