Who Is APT29?

APT29 (AKA CozyBear, The Dukes, Group 100, CozyDuke, EuroAPT, CozyCar, Cozer, Office Monkey, YTTRIUM, Iron Hemlock, Iron Ritual, Cloaked Ursa, Nobelium, Group G0016, UNC2452, Dark Halo, NobleBarron) is an advanced persistent threat actor (APT) active since 2008 and considered to be a product of the Russian government’s Foreign Intelligence Service (SVR). Few threat actors show the technical discipline and sophistication of APT29, especially in its ability to adapt to defensive IT security tactics, penetrate well-defended networks, and deploy malware with anti-forensic capabilities.

APT29’s primary targets are governments and government subcontractors, political organizations, research firms, and critical industries such as energy, healthcare, education, finance, and technology in the US and Europe. APT29 primarily intends to disrupt national security, impact critical infrastructure, and cause political interference.

A Timeline of High-Profile APT29 Activity

2015: APT29 gains initial access to the Pentagon’s network via phishing and introduces the “Hammertoss” technique, which uses dummy Twitter accounts for C2 communication

2016: In a campaign known as “GRIZZLY STEPPE,” APT29 breaches the Democratic National Committee servers close to the US election via a phishing campaign that directs victims to change their passwords on a spoofed website

2019: Compromises three EU National Affairs ministries and a Washington D.C.-based embassy of an EU nation state

2020: Conducts vulnerability scanning of public-facing IP addresses to compromise COVID-19 vaccine developers in Canada, the US, and the United Kingdom

2020: Distributes SUNBURST malware attacking SolarWinds Orion software to drop a remote access trojan (RAT) that impacted many global organizations

APT29 employs sophisticated and continuously evolving stealth techniques that demonstrate advanced operational capabilities. For example, APT29’s malware pioneered collecting first-stage command and control (C2) instructions from well-known public websites such as Twitter, Dropbox, and GitHub, allowing it to circumvent basic firewall defenses. The malware used dynamic username algorithms to avoid hard-coding C2 domains or IP addresses. In another example, APT29’s malware used steganography to hide C2 locations in images, allowing it to circumvent firewalls, URL filters, and security products, even those armed with the most recent threat intelligence.
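One way to hunt for the first-stage C2 lookups described above, as an added example that is not from the original page: it flags processes outside an expected-client list that request several distinct paths on the public services named here. The log format, the process allowlist, the threshold and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed endpoint web telemetry (not real data):
# timestamp, host, process, URL, HTTP status
SAMPLE = """\
2024-03-01T09:02:11,WS-014,chrome.exe,https://twitter.com/home,200
2024-03-01T09:05:40,WS-014,chrome.exe,https://github.com/example-org/tools,200
2024-03-01T10:00:03,WS-022,rundll32.exe,https://twitter.com/ex4mpleA1,404
2024-03-02T10:00:05,WS-022,rundll32.exe,https://twitter.com/ex4mpleB2,404
2024-03-03T10:00:02,WS-022,rundll32.exe,https://twitter.com/ex4mpleC3,200
2024-03-03T11:15:27,WS-031,powershell.exe,https://github.com/example-org/tools/releases,200
2024-03-03T12:30:00,WS-031,dropbox.exe,https://api.dropbox.com/2/files/list_folder,200
"""

# Public services the page names as carriers for C2 instructions.
WATCHED = ("twitter.com", "github.com", "dropbox.com", "reddit.com", "imgur.com")
# Assumption: clients expected to reach those services in this environment.
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe", "git.exe"}


def find_suspects(log_text, min_handles=3):
    """Map (host, process, service) to the distinct paths an unexpected
    process requested, keeping entries with at least min_handles paths."""
    paths = defaultdict(set)
    days = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        ts, host, proc, url, _status = row
        parts = urlsplit(url)
        name = (parts.hostname or "").lower()
        service = next(
            (s for s in WATCHED if name == s or name.endswith("." + s)), None)
        if service is None or proc.lower() in EXPECTED:
            continue
        key = (host, proc.lower(), service)
        paths[key].add(parts.path)
        days[key].add(ts[:10])  # calendar day, to expose slow daily rotation
    return {k: {"paths": sorted(p), "days": len(days[k])}
            for k, p in paths.items() if len(p) >= min_handles}


if __name__ == "__main__":
    for key, info in find_suspects(SAMPLE).items():
        print(key, info)
```

A single request from an unexpected process stays below the default threshold; lowering `min_handles` widens the hunt at the cost of more triage.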

On the C2 back end, APT29 constantly updates a list of newly compromised pawn assets to avoid dependence on static cloud infrastructure from a legitimate provider.

APT29's First- and Second-Stage Malware

tDiscoverer/Hammertoss: Uses social media platforms like Twitter and GitHub to hide C2 communications and avoid detection

CosmicDuke: An information stealer capable of harvesting login details from a wide range of applications and forwarding them to an attacker-controlled C2 server

CozyCar: A modular RAT capable of importing components with different functionality to extend an attack

LiteDuke: A third-stage information stealer that uses multiple layers of encryption for obfuscation and multiple techniques for persistence, including Windows Registry keys, PowerShell, and Windows Management Instrumentation

RegDuke: A first-stage malware written in .NET that can download secondary malware using Dropbox as its C2 server and maintain persistence by injecting itself into the winword.exe binary

MiniDuke: A second-stage downloader written in x86 assembly rather than a higher-level compiled language that uses a domain generation algorithm (DGA) to dynamically locate C2 servers

PolyglotDuke: A second-stage downloader malware capable of using steganography and Twitter, Reddit, and Imgur websites to fetch C2 server locations

SeaDuke: A second-stage information-stealing RAT written in Python and compiled to execute on Microsoft Windows, Linux, macOS, and Solaris-based platforms

Signs of an APT29 Attack

Signs of an APT29 attack may be hard to spot due to the group’s diverse offensive tactics. APT29 has traditionally used phishing and highly targeted spear-phishing attacks in combination with sophisticated custom malware to exploit newly disclosed vulnerabilities and even zero-day vulnerabilities in popular software applications. As an asset of the Russian Intelligence Services, APT29 is well-funded with deep political connections that may provide valuable information for orchestrating highly targeted attacks.

How to Prevent an APT29 Attack

APT29’s consistent record of compromising US government entities and infiltrating large corporate IT companies such as SolarWinds demonstrates its dedication and competency. Defending an organization targeted by APT29 requires nothing less than a full-fledged enterprise cybersecurity program utilizing the most advanced security solutions. These include email and web-content filtering, advanced antivirus to detect malware and prevent it from entering an organization’s network, and Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) to identify malware infections and take swift action to reduce their dwell time and prevent them from impacting critical assets.

An effective cybersecurity program capable of defending against APT29 should also be designed with the principle of least privilege, defense in depth, Zero Trust architecture, and multi-factor authentication in mind to segment and secure critical assets and reduce the potential damage attackers can cause if they do gain an initial foothold.

Zero Trust Network Access (ZTNA) can prevent social engineering attacks. CylanceGATEWAY secures your network before a threat actor can gain access and begin moving laterally across it.