Who Is APT29?
APT29 (AKA CozyBear, The Dukes, Group 100, CozyDuke, EuroAPT, CozyCar, Cozer, Office Monkey, YTTRIUM, Iron Hemlock, Iron Ritual, Cloaked Ursa, Nobelium, Group G0016, UNC2452, Dark Halo, NobleBarron) is an advanced persistent threat actor (APT) active since 2008 and considered to be a product of the Russian government’s Foreign Intelligence Service (SVR). Few threat actors show the technical discipline and sophistication of APT29, especially in its ability to adapt to defensive IT security tactics, penetrate well-defended networks, and deploy malware with anti-forensic capabilities.
APT29’s primary targets are governments and government subcontractors, political organizations, research firms, and critical industries such as energy, healthcare, education, finance, and technology in the US and Europe. APT29 primarily intends to disrupt national security, impact critical infrastructure, and cause political interference.
A Timeline of High-Profile APT29 Activity
2015: APT29 gained initial access to the Pentagon’s network via phishing and introduced the “Hammertoss” technique, which used dummy Twitter accounts for C2 communication
2016: In a campaign known as “GRIZZLY STEPPE,” APT29 breached the Democratic National Committee’s servers close to the US election via a phishing campaign that directed victims to change their passwords on a spoofed website
2019: Compromised three EU national affairs ministries and a Washington, D.C.-based embassy of an EU nation state
2020: Conducted vulnerability scanning of public-facing IP addresses to compromise COVID-19 vaccine developers in Canada, the US, and the United Kingdom
2020: Distributed SUNBURST malware attacking SolarWinds Orion software to drop a remote access trojan (RAT), impacting many global organizations
Latest APT29 News
- Cozy Bear Lures Victims with Used BMW 5 Series (Computer Weekly)
- APT29 Used the Zulip Chat App in Attacks Aimed at Ministries of Foreign Affairs of NATO-Aligned Countries (Security Affairs)
- Russian Hackers Linked to Widespread Attacks Targeting NATO and EU (BleepingComputer)
- NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine (BlackBerry Blog)
APT29 employs sophisticated and continuously evolving stealth techniques that demonstrate advanced operational capabilities. For example, APT29’s malware pioneered collecting first-stage command and control (C2) instructions from well-known public websites such as Twitter, Dropbox, and GitHub, allowing it to pass through basic firewall defenses that permit traffic to popular services. The malware used dynamic username-generation algorithms so that no C2 domain or IP address had to be hard-coded. In another example, APT29’s malware used steganography to hide encrypted C2 locations inside images, allowing it to circumvent firewalls, URL filters, and security products—even those armed with the most recent threat intelligence.
On the C2 back end, APT29 constantly refreshes its list of newly compromised intermediary hosts so that it does not depend on static cloud infrastructure from any single legitimate provider.
APT29's First- and Second-Stage Malware
tDiscoverer/Hammertoss: Uses social media platforms like Twitter and GitHub to hide C2 communications and avoid detection
CosmicDuke: An information stealer capable of harvesting login details from a wide range of applications and forwarding them to an attacker-controlled C2 server
CozyCar: A modular RAT capable of importing components with different functionality to extend an attack
LiteDuke: A third-stage information stealer that uses multiple layers of encryption for obfuscation and multiple techniques for persistence, including Windows Registry keys, PowerShell, and Windows Management Instrumentation
RegDuke: A first-stage malware written in .NET that can download secondary malware using Dropbox as its C2 server and maintain persistence by injecting itself into the winword.exe binary
MiniDuke: A second-stage downloader developed in x86 assembly rather than a high-level compiled language that uses a domain generation algorithm to dynamically locate C2 servers
PolyglotDuke: A second-stage downloader malware capable of using steganography and Twitter, Reddit, and Imgur websites to fetch C2 server locations
SeaDuke: A second-stage information-stealing RAT written in Python and compiled to execute on Microsoft Windows, Linux, macOS, and Solaris-based platforms
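The C2-over-public-websites behaviour described above (Hammertoss and PolyglotDuke fetching instructions from Twitter, Reddit, Imgur or GitHub; RegDuke using Dropbox from inside winword.exe) leaves a detectable trace: a non-browser process repeatedly contacting a consumer web service. The following detection sketch is an added example, not code from the original page or any vendor product; the log format, the browser allow-list and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Public services this page names as APT29 first-stage C2 dead drops.
CLOUD_C2_HOSTS = ("twitter.com", "dropbox.com", "github.com", "reddit.com", "imgur.com")
# Processes expected to reach those sites legitimately (assumed allow-list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Assumed proxy/EDR log format: "<date> <time> host=<name> proc=<image> dst=<fqdn>"
LOG_RE = re.compile(r"^(\S+ \S+) host=(\S+) proc=(\S+) dst=(\S+)$")

# Constructed sample log: Word beacons to Dropbox hourly, Chrome browses Twitter,
# PowerShell touches GitHub twice (below threshold), plus one malformed line.
SAMPLE_LOG = [
    "2023-05-01 09:00:00 host=WS01 proc=winword.exe dst=api.dropbox.com",
    "2023-05-01 09:05:00 host=WS01 proc=chrome.exe dst=twitter.com",
    "2023-05-01 10:00:00 host=WS01 proc=winword.exe dst=api.dropbox.com",
    "2023-05-01 10:30:00 host=WS02 proc=svchost.exe dst=update.microsoft.com",
    "2023-05-01 11:00:00 host=WS01 proc=winword.exe dst=api.dropbox.com",
    "2023-05-01 11:15:00 host=WS02 proc=powershell.exe dst=api.github.com",
    "2023-05-01 11:45:00 host=WS02 proc=powershell.exe dst=api.github.com",
    "garbage line that does not parse",
]

def parse_line(line):
    """Parse one log line into a dict, or return None for unparsable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dst = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "proc": proc.lower(), "dst": dst.lower()}

def is_cloud_c2_host(dst):
    """True if dst is one of the dead-drop services or a subdomain of one."""
    return any(dst == d or dst.endswith("." + d) for d in CLOUD_C2_HOSTS)

def find_suspicious(lines, min_hits=3):
    """Return {(host, proc, dst): [timestamps]} for non-browser processes that
    contacted a dead-drop service at least min_hits times."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] in BROWSERS or not is_cloud_c2_host(rec["dst"]):
            continue
        hits[(rec["host"], rec["proc"], rec["dst"])].append(rec["ts"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_hits}

if __name__ == "__main__":
    for key, times in find_suspicious(SAMPLE_LOG).items():
        print(key, [t.strftime("%H:%M") for t in times])
```

Tuning min_hits and the allow-list to the environment is the real work; the point is that the legitimacy of the destination is irrelevant when the requesting process has no business being there.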
Signs of an APT29 Attack
How to Prevent an APT29 Attack
APT29’s consistent record of compromising US government entities and infiltrating large corporate IT companies such as SolarWinds demonstrates its dedication and competency. Defending an organization targeted by APT29 requires nothing less than a full-fledged enterprise cybersecurity program built on the most advanced security solutions. These include email and web-content filtering; advanced antivirus to detect malware and prevent it from entering the organization’s network; and Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) to identify malware infections quickly, reduce their dwell time, and keep them from impacting critical assets.
An effective cybersecurity program capable of defending against APT29 should also be designed around the principle of least privilege, defense in depth, Zero Trust architecture, and multi-factor authentication, so that critical assets are segmented and secured and the potential damage is limited if attackers do gain an initial foothold.