Title: An Exploration of Russia-based APT29’s Recent Campaigns
Published: 2022-08-12 (modified 2023-04-05)
Link: https://webdev.securin.xyz/articles/an-exploration-of-russia-based-apt29s-recent-campaigns/
The infamous APT29 group has resurged in recent widespread campaigns that rely on credential extraction to gain deeper access to vulnerable networks. Widely deployed platforms from Citrix, Fortinet, Pulse Secure, Synacor, and VMware are all in the crosshairs of APT29, which is bent on stealing credentials.

This blog details the Tactics, Techniques, and Procedures (TTPs) of the APT 29 group deployed in their recent campaign.

Who is APT 29?

The APT29 threat group has been attributed to the Russian government and has been operating since 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015.

Known by the names Nobelium, Cozy Bear, or APT29, the group was also identified as the Russian Foreign Intelligence Service (SVR) in a recent joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). The advisory was released at the time of the Russia-Ukraine cyber war, with economic sanctions imposed against the Russian government, tech firms, and nationals.

APT 29 – Tricks and Techniques

Deepest Secrets of Russian APT 29

ATT&CK Description

APT 29 is distinguished by its commitment to stealth and sophisticated implementations of techniques via an arsenal of custom malware. It typically accomplishes its goals via custom compiled binaries and alternate execution methods such as PowerShell and Windows Management Instrumentation (WMI). APT 29 has also been known to employ various operational cadences (smash-and-grab vs. slow-and-deliberate) depending on the perceived intelligence value and/or infection method of victims.

Operational Flow

Pupy, Meterpreter, and other custom/modified scripts and payloads were tested and developed to execute the attack. Pupy and Meterpreter were chosen based on their available functionality and similarities to the adversary’s malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors.

- Initial Compromise: Malware is executed on the victim; establishes C2 connection.
- Collection and Exfiltration: Adversary performs smash-and-grab data theft.
- Deploy Stealth Toolkit: Adversary drops secondary malware, elevates privileges, and establishes a new C2 connection.
- Clean Up and Reconnaissance: Adversary drops new tools, cleans up artefacts of the breach, and surveys the victim environment.
- Establish Persistence: Adversary establishes two separate means of persistent access to the victim.
- Credential Access: Adversary gathers various forms of credential material.
- Collection and Exfiltration: Adversary collects data from the victim user and exfiltrates it to attacker-controlled infrastructure.
- Expand Access: Adversary enumerates, then executes a payload on a remote workstation.
- Clean Up, Collection, and Exfiltration: Adversary drops new tools, performs smash-and-grab data theft, then cleans up artefacts of the breach on the remote workstation.
- Persistence Execution: Adversary persistence mechanisms are executed when the initial victim machine is rebooted.

The Operations Flow chains techniques together into a logical order that commonly occurs across APT29 operations. In the case of APT29, we break their operations into two distinct scenarios:

- Adversary Emulation Plan Library Format and YAML
- APT29 emulation scripts

Environment

- WinRM enabled for all Windows hosts
- PowerShell execution policy set to Bypass
- Registry modified to allow storage of WDigest credentials
- Registry modified to disable Windows Defender
- Group Policy modified to disable Windows Defender
- Firewall configured to allow SMB
- An SMB share created
- UAC set to never notify
- RDP enabled for all Windows hosts

Indicators of Compromise

- 213.74.101.65
- 213.74.139.196
- 212.252.30.170
- 5.196.167.184
- 37.139.7.16
- 149.56.20.55
- 91.227.68.97
- 138.201.186.43
- 5.45.119.124
- 193.37.212.43
- 146.0.77.60
- 51.159.28.101

Five Vulnerabilities Exploited by APT 29

CISA, FBI, and NSA revealed five bugs exploited by Russia’s APT29 group. The disclosure drew attention to five vulnerabilities in popular enterprise equipment that have been, and are still being, abused by Russian state hackers to breach corporate and government networks.