APT29
Property | Value |
---|---|
Actor Type | Nation State |
Attributed to Nation | Russia |
Directly Linked Intrusion Sets | Cozy Bear, Midnight Blizzard, The Dukes, NOBELIUM |
Associated Threat Actor | SVR (Russian Foreign Intelligence Service) |
Associated MITRE ATT&CK Group | APT29 (G0016) |
APT29 is a Russian cyber intrusion set attributed to the SVR. It has been linked to attacks including the 2020 SolarWinds supply-chain compromise and the 2015 intrusion into the US Democratic National Committee.
APT29 Threat Reports
SVR cyber actors adapt tactics for initial cloud access
This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
APT29 Uses WINELOADER to Target German Political Parties
This blog post by Mandiant describes activity by APT29, linked to Russia's SVR, which targeted German political parties with a new backdoor: ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Midnight Blizzard: Guidance for responders on nation-state attack
Following a compromise of Microsoft corporate systems by Midnight Blizzard which was detected on 12th January 2024, this blog post outlines ...
References
blog.f-secure.com: https://blog.f-secure.com/wp-content/uploads/2020/03/F-Secure_Dukes_Whitepaper.pdf
attack.mitre.org: https://attack.mitre.org/groups/G0016/
www.microsoft.com: https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
www.cisa.gov: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a
www.ncsc.gov.uk: https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud-access
www.cisa.gov: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
www.mandiant.com: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt29-hammertoss-1-1.pdf
learn.microsoft.com: https://learn.microsoft.com/en-gb/microsoft-365/security/intelligence/microsoft-threat-actor-naming
www.mandiant.com: https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1090.002 | External Proxy | Command and Control |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1110 | Brute Force | Credential Access |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1528 | Steal Application Access Token | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1082 | System Information Discovery | Discovery |
T1012 | Query Registry | Discovery |
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
T1083 | File and Directory Discovery | Discovery |
T1057 | Process Discovery | Discovery |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1007 | System Service Discovery | Discovery |
T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
T1070.004 | File Deletion | Defense Evasion |
T1590.004 | Network Topology | Reconnaissance |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1059.001 | PowerShell | Execution |
T1036 | Masquerading | Defense Evasion |
T1564 | Hide Artifacts | Defense Evasion |
T1033 | System Owner/User Discovery | Discovery |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1190 | Exploit Public-Facing Application | Initial Access |
T1059.003 | Windows Command Shell | Execution |
T1020 | Automated Exfiltration | Exfiltration |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1203 | Exploitation for Client Execution | Execution |
T1027.001 | Binary Padding | Defense Evasion |
T1568 | Dynamic Resolution | Command and Control |
T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation |
T1505.001 | SQL Stored Procedures | Persistence |
T1590 | Gather Victim Network Information | Reconnaissance |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1003.001 | LSASS Memory | Credential Access |
T1047 | Windows Management Instrumentation | Execution |
T1558.001 | Golden Ticket | Credential Access |
T1046 | Network Service Discovery | Discovery |
T1003.002 | Security Account Manager | Credential Access |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1592.002 | Software | Reconnaissance |
T1572 | Protocol Tunneling | Command and Control |
T1114.002 | Remote Email Collection | Collection |
T1110.003 | Password Spraying | Credential Access |
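Two of the credential-access rows above, T1110.003 Password Spraying and T1621 Multi-Factor Authentication Request Generation, are the initial cloud-access techniques the NCSC advisory listed under APT29 Threat Reports covers. The following is an added example of how a responder might hunt for both in identity-provider sign-in logs; it is not code from this page, from NCSC, Microsoft or MITRE. The event schema (ts, user, src_ip, result), the result values and the thresholds are assumptions chosen for illustration, and the sample events are constructed rather than captured telemetry.

```python
"""Hunting heuristics for T1110.003 (password spraying) and T1621 (MFA
request generation) over sign-in events.

Added example, not from the original page or any vendor. The event schema
(ts, user, src_ip, result) and the thresholds are assumptions; map your own
identity provider's sign-in log fields onto them before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Assumed result values:
# "fail" = wrong password, "mfa_prompt" = push notification sent to the
# user, "success" = interactive sign-in completed.
_T0 = datetime(2024, 1, 12, 3, 0, 0)
SAMPLE_EVENTS = []
# One source tries twelve different accounts once each: a spray signature.
for i in range(12):
    SAMPLE_EVENTS.append({"ts": _T0 + timedelta(minutes=3 * i),
                          "user": f"user{i:02d}@example.test",
                          "src_ip": "198.51.100.7", "result": "fail"})
# One user mistyping a password twice from their usual address: benign.
for i in range(2):
    SAMPLE_EVENTS.append({"ts": _T0 + timedelta(minutes=20 + i),
                          "user": "alice@example.test",
                          "src_ip": "203.0.113.5", "result": "fail"})
# Six MFA pushes to one account in five minutes, then a success: fatigue.
for i in range(6):
    SAMPLE_EVENTS.append({"ts": _T0 + timedelta(hours=1, minutes=i),
                          "user": "bob@example.test",
                          "src_ip": "198.51.100.7", "result": "mfa_prompt"})
SAMPLE_EVENTS.append({"ts": _T0 + timedelta(hours=1, minutes=6),
                      "user": "bob@example.test",
                      "src_ip": "198.51.100.7", "result": "success"})


def _burst(timestamps, window, threshold):
    """True if some sliding window of length `window` holds >= threshold events."""
    ts = sorted(timestamps)
    lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect_password_spray(events, window=timedelta(hours=1),
                          min_users=10, max_avg_attempts=2.0):
    """T1110.003: one source IP failing against many distinct accounts.

    A spray differs from brute force by breadth, not depth: many users, few
    attempts each. Returns {src_ip: sorted targeted users} for each source
    whose first failure against >= min_users accounts falls inside `window`
    and whose average attempts per account stays <= max_avg_attempts.
    """
    by_src = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["result"] == "fail":
            by_src[e["src_ip"]][e["user"]].append(e["ts"])
    hits = {}
    for src, users in by_src.items():
        total = sum(len(ts) for ts in users.values())
        if len(users) < min_users or total / len(users) > max_avg_attempts:
            continue
        if _burst([min(ts) for ts in users.values()], window, min_users):
            hits[src] = sorted(users)
    return hits


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """T1621: a burst of MFA prompts for one account.

    Returns {user: {"prompts": n, "succeeded": bool}}; `succeeded` is True
    when a sign-in completed after the last prompt in the burst, i.e. the
    user may have approved an attacker's push.
    """
    prompts, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["result"] == "mfa_prompt":
            prompts[e["user"]].append(e["ts"])
        elif e["result"] == "success":
            successes[e["user"]].append(e["ts"])
    hits = {}
    for user, ts in prompts.items():
        if _burst(ts, window, min_prompts):
            last = max(ts)
            hits[user] = {"prompts": len(ts),
                          "succeeded": any(s >= last for s in successes[user])}
    return hits


if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_EVENTS))
    print("mfa fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
```

The thresholds are starting points, not tuned values. Keying the spray heuristic on src_ip alone also has a known blind spot on this page's own evidence: the T1090.002 External Proxy row means the same actor may distribute attempts across many proxied addresses, so a production rule should also group by user-agent string, tenant or ASN and treat a low-and-slow spread of single failures across accounts as suspicious even when no one IP crosses the threshold.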