Who is APT29? Uncovering the Notorious Cyber Espionage Group

APT29 is an advanced persistent threat (APT) actor active since 2008 and assessed to be operated by the Russian government's Foreign Intelligence Service (SVR).

By Peter Bassill, June 29, 2024, 5 min read

Who Is APT29?

APT29 is an advanced persistent threat (APT) actor that has been active since 2008 and is assessed to be operated by the Russian government's Foreign Intelligence Service (SVR). Few threat actors show APT29's technical discipline and sophistication, particularly its ability to adapt to defenders' changing security controls, penetrate well-defended networks, and deploy malware with anti-forensic capabilities.

APT29's primary targets are governments and government subcontractors, political organizations, research firms, and critical industries such as energy, healthcare, education, finance, and technology in the US and Europe. Its purpose is espionage: collecting intelligence from these targets in support of Russian foreign and security policy. Some of its operations, such as the 2016 intrusion into the Democratic National Committee, have also served political interference.

"APT29 is a well-resourced, highly dedicated, and structured cyberespionage operation that we believe has been operating for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making," according to a 2015 assessment from F-Secure. The same assessment observed that Cozy Bear shows an unusual amount of confidence both in its ability to keep compromising its targets and in its ability to operate without being detected.

Alternative identities

APT29 is also known as Cozy Bear, The Dukes, Group 100, CozyDuke, EuroAPT, CozyCar, Cozer, Office Monkey, YTTRIUM, Iron Hemlock, Iron Ritual, Cloaked Ursa, NOBELIUM (and its successor name Midnight Blizzard, used by Microsoft), G0016 (the MITRE ATT&CK group ID), UNC2452, Dark Halo, and NobleBaron.

A Timeline of High-Profile APT29 Activity

2015: APT29 gains initial access to the Pentagon's network via phishing. The same year, its HAMMERTOSS backdoor is documented using dummy Twitter accounts to relay command-and-control (C2) instructions.

2016: The US government's "GRIZZLY STEPPE" report (December 2016) describes APT29's breach of Democratic National Committee systems ahead of the US election, with initial access gained through a spearphishing campaign.

2019: Compromises the foreign affairs ministries of three European countries and the Washington, D.C. embassy of an EU member state, in the campaign ESET later named "Operation Ghost".

2020: Scans public-facing IP addresses for known vulnerabilities in order to compromise COVID-19 vaccine developers in Canada, the US, and the United Kingdom.

2020: Compromises the SolarWinds build process to insert the SUNBURST backdoor into signed Orion software updates. The backdoor gave the actor remote access to a large number of organizations worldwide and was used to deploy further payloads in selected victims.

2021: In April 2021, the US and UK governments attributed the SolarWinds compromise to the SVR; public statements cited APT29, Cozy Bear, and The Dukes. Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.

2024: In June 2024, TeamViewer disclosed a compromise of its internal corporate IT environment, which the company attributed to APT29.

Critical Vulnerabilities Exploited by APT29 to Gain Initial Foothold

APT29 and its activities are closely monitored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). In April 2021, the three agencies released a joint advisory on the vulnerabilities the SVR was exploiting to gain an initial foothold.

Each of these was a publicly known, patchable flaw in an internet-facing product (VPN gateways, a mail server and an identity platform), which is why patch management leads the defensive measures below.

Defending Against APT Groups

Patch management and the following practices help defend against APT29 and similar threats:

  • Increase your efforts to identify shadow IT and unknown internet-facing assets, including cloud hosts, using an Attack Surface Management solution.
  • Keep internet-facing technologies and appliances patched at all times; threat actors continuously scan for unpatched edge devices, as the SVR did against VPN and mail gateways.
  • Be wary of externally exposed remote services such as RDP, a frequent initial-access vector. Disable them where they are not needed and place the rest behind a VPN with MFA.
  • Act quickly when your threat intelligence or digital risk protection platform alerts you to compromised employee credentials: reset the password, revoke active sessions, and check the account for newly added MFA methods or devices.
  • Continuously check your internet-facing infrastructure for weaknesses such as expired domains, expired or misconfigured TLS certificates, and forgotten subdomains.
  • Keep password hygiene in peak condition: enforce MFA, block common and previously breached passwords, and retire shared or static service-account passwords.
  • Ensure EDR and centralised logging are in place to detect suspicious activity inside the network. These are one component of the protection plan, not the whole of it.

Joint Advisory on APT29's Recent Initial Cloud Access Tactics

In February 2024, the UK National Cyber Security Centre (NCSC), CISA, and other international partners released a joint advisory titled "SVR Cyber Actors Adapt Tactics for Initial Cloud Access." The advisory outlines the TTPs APT29 has recently used to gain initial access to cloud environments and recommends mitigations for network defenders and organizations.

As organizations move to cloud-based infrastructure, the SVR has adjusted accordingly, targeting the cloud services themselves for initial access rather than exploiting on-premises network vulnerabilities. The NCSC has also observed APT29 expand its targeting to include government, healthcare, energy, aviation, education, law enforcement, and military organizations.

According to the advisory, SVR actors employed the following TTPs in the 12 months before its publication:

Access via Service and Dormant Accounts:

  • SVR campaigns use brute forcing and password spraying to access service accounts [T1110]. Because these accounts are used by applications rather than people, they often cannot be protected with multi-factor authentication (MFA), and they are frequently highly privileged.
  • Dormant accounts belonging to former employees are also targeted [T1078.004]. In one incident, after a response in which every user was forced to reset their password, SVR actors logged into inactive accounts that had not been disabled and followed the reset instructions themselves, regaining access.

Cloud-Based Token Authentication:

  • SVR actors authenticate with system-issued tokens, stolen or otherwise obtained, rather than with passwords, so a password reset on its own does not evict them [T1528]. To limit how long a stolen token stays useful, administrators should shorten token validity periods on their cloud platforms and revoke active sessions when a compromise is suspected.

Enrolling New Devices to the Cloud:

  • SVR actors first obtain a valid password, for example by password spraying, and then defeat MFA with MFA fatigue: repeated push notifications sent until the user approves one [T1621].
  • Once authenticated, if device validation rules (such as conditional access policies that require a managed or compliant device) are not enforced, the actors register their own device in the cloud tenant to keep their access [T1098.005].
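
The four account-level tactics above leave traces in the same sign-in and audit logs and can be detected together. The following Python script is an added example written for this article, not code from the advisory or from any vendor. It runs over a handful of constructed records shaped like cloud sign-in logs; the field names, the thresholds, and the Entra ID-style error codes (50126 for a wrong password, 500121 for a denied or timed-out MFA prompt) are assumptions of the example. It flags a password spray together with the accounts it unlocked, a sign-in to a dormant account, an MFA-fatigue sequence, and a device registered shortly after a flagged sign-in.

```python
"""Detections for the four account-level SVR tactics above, run over constructed
records shaped like cloud sign-in and audit logs. Added example for this article,
not code from the advisory; field names, thresholds and error codes are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_WINDOW, SPRAY_MIN_ACCOUNTS = timedelta(minutes=30), 5   # distinct accounts failing from one IP
DORMANT_DAYS = 90                                             # no successful sign-in this long = dormant
FATIGUE_WINDOW, FATIGUE_MIN_DENIALS = timedelta(minutes=20), 3  # denied MFA prompts before one is approved
DEVICE_REG_WINDOW = timedelta(hours=2)                        # device enrolment this soon after a flagged sign-in
BAD_PASSWORD, MFA_DENIED = "50126", "500121"                  # Entra ID-style error codes (assumption)

# Constructed: one IP sprays six accounts with a wrong password within minutes...
SIGNINS = [{"ts": f"2024-02-01T02:0{i}:00", "user": f"{u}@corp.example", "ip": "203.0.113.7",
            "result": "failure", "error": BAD_PASSWORD}
           for i, u in enumerate(["a.ivanova", "b.chen", "c.okafor", "d.silva", "e.novak", "svc-backup"])] + [
    # ...and a service account without MFA accepts one of the guesses
    {"ts": "2024-02-01T02:08:00", "user": "svc-backup@corp.example", "ip": "203.0.113.7", "result": "success", "mfa": "none"},
    # a former employee's account: last used in October, then suddenly again from the spraying IP
    {"ts": "2023-10-01T09:00:00", "user": "former.employee@corp.example", "ip": "198.51.100.4", "result": "success", "mfa": "satisfied"},
    {"ts": "2024-02-01T02:15:00", "user": "former.employee@corp.example", "ip": "203.0.113.7", "result": "success", "mfa": "satisfied"},
    # MFA fatigue: three denied prompts, then the user approves the fourth
    {"ts": "2024-02-01T03:00:00", "user": "j.doe@corp.example", "ip": "203.0.113.9", "result": "failure", "error": MFA_DENIED},
    {"ts": "2024-02-01T03:01:00", "user": "j.doe@corp.example", "ip": "203.0.113.9", "result": "failure", "error": MFA_DENIED},
    {"ts": "2024-02-01T03:02:00", "user": "j.doe@corp.example", "ip": "203.0.113.9", "result": "failure", "error": MFA_DENIED},
    {"ts": "2024-02-01T03:04:00", "user": "j.doe@corp.example", "ip": "203.0.113.9", "result": "success", "mfa": "satisfied"},
]
# Constructed audit log: a device is enrolled on j.doe's account minutes later; b.chen's enrolment is routine.
AUDITS = [
    {"ts": "2024-02-01T03:20:00", "user": "j.doe@corp.example", "activity": "Register device", "device": "DESKTOP-4F2A"},
    {"ts": "2024-02-01T10:00:00", "user": "b.chen@corp.example", "activity": "Register device", "device": "LAPTOP-11C0"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def detect_password_spray(signins):
    """T1110: many distinct accounts failing with a bad password from one IP in a short
    window, plus any account that then succeeded from that IP (one guess worked)."""
    by_ip = defaultdict(list)
    for e in signins:
        by_ip[e["ip"]].append(e)
    hits = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: parse(e["ts"]))
        for start in (e for e in events if e.get("error") == BAD_PASSWORD):
            t0 = parse(start["ts"])
            window = [e for e in events if timedelta(0) <= parse(e["ts"]) - t0 <= SPRAY_WINDOW]
            sprayed = {e["user"] for e in window if e.get("error") == BAD_PASSWORD}
            if len(sprayed) >= SPRAY_MIN_ACCOUNTS:
                succeeded = sorted({e["user"] for e in window if e["result"] == "success"})
                hits.append({"ip": ip, "sprayed": len(sprayed), "succeeded": succeeded})
                break  # one alert per IP is enough
    return hits

def detect_dormant_logins(signins):
    """T1078.004: a successful sign-in to an account with no success for DORMANT_DAYS or more."""
    hits, last_ok = [], {}
    for e in sorted(signins, key=lambda e: parse(e["ts"])):
        if e["result"] != "success":
            continue
        t, prev = parse(e["ts"]), last_ok.get(e["user"])
        if prev is not None and t - prev >= timedelta(days=DORMANT_DAYS):
            hits.append({"user": e["user"], "ip": e["ip"], "ts": e["ts"], "idle_days": (t - prev).days})
        last_ok[e["user"]] = t
    return hits

def detect_mfa_fatigue(signins):
    """T1621: a run of denied/timed-out MFA prompts followed by an approved sign-in for the same user."""
    by_user = defaultdict(list)
    for e in signins:
        by_user[e["user"]].append(e)
    hits = []
    for user, events in by_user.items():
        denials = []
        for e in sorted(events, key=lambda e: parse(e["ts"])):
            if e.get("error") == MFA_DENIED:
                denials.append(parse(e["ts"]))
            elif e["result"] == "success" and e.get("mfa") == "satisfied":
                recent = [d for d in denials if parse(e["ts"]) - d <= FATIGUE_WINDOW]
                if len(recent) >= FATIGUE_MIN_DENIALS:
                    hits.append({"user": user, "ts": e["ts"], "denials": len(recent)})
                denials = []  # an approval closes the run either way
    return hits

def detect_device_registration(flagged, audits):
    """T1098.005: a device registered to the tenant soon after a flagged sign-in by the same user."""
    hits = []
    for f in flagged:
        for a in audits:
            gap = parse(a["ts"]) - parse(f["ts"])
            if a["activity"] == "Register device" and a["user"] == f["user"] and timedelta(0) <= gap <= DEVICE_REG_WINDOW:
                hits.append({"user": f["user"], "device": a["device"], "minutes_after_signin": int(gap.total_seconds() // 60)})
    return hits

def run(signins=SIGNINS, audits=AUDITS):
    dormant, fatigue = detect_dormant_logins(signins), detect_mfa_fatigue(signins)
    return {"password_spray": detect_password_spray(signins),
            "dormant_account_login": dormant,
            "mfa_fatigue": fatigue,
            "device_registration": detect_device_registration(dormant + fatigue, audits)}

if __name__ == "__main__":
    print(run())
```

The spray check reports which accounts later succeeded from the spraying IP, because the service account with no MFA is the one that actually fell; the dormant check needs a prior successful sign-in as a baseline, so an account that has never signed in (or whose history has been purged) must be caught by the offboarding process rather than by this rule. In production the same logic would read from the identity provider's sign-in and audit exports rather than inline lists.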

Residential Proxies:

  • SVR actors route malicious connections through residential proxies, so the traffic appears to originate from IP addresses in internet service provider (ISP) ranges assigned to residential broadband customers, making it hard to distinguish from legitimate users [T1090.002]. Detection should therefore not rely on IP addresses alone but draw on other sources such as application and host-based logging.
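
Token use (T1528, above) and residential proxies combine in a way that IP-centric controls cannot see: a stolen session token replayed through a rotating proxy pool arrives from a different residential address every few minutes. The following Python script is an added example written for this article, not code from the advisory or from any vendor. On constructed sign-in records (the field names, the documentation-reserved ASNs and the thresholds are assumptions) it shows that filtering on hosting-provider ASNs finds nothing, while keying on the session identifier and on the device recorded by host and application logs surfaces the replay.

```python
"""Residential-proxy / token-replay detection that does not key on the source IP.
Added example for this article (not from the advisory). Records are constructed
to resemble cloud sign-in logs; field names, ASNs and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_IPS_PER_SESSION = 3   # a browser session normally keeps one address (a few on mobile)...
MAX_ASNS_PER_SESSION = 2  # ...and very rarely hops between providers

# Constructed events. AS64496-AS64511 are reserved for documentation, not real providers.
EVENTS = [
    # the real user: one laptop, one home ISP
    {"ts": "2024-02-05T08:00:00", "user": "m.rossi@corp.example", "session": "sess-7a1",
     "ip": "198.51.100.23", "asn": "AS64496 Example Home Broadband", "device": "WIN-8821"},
    {"ts": "2024-02-05T08:10:00", "user": "m.rossi@corp.example", "session": "sess-7a1",
     "ip": "198.51.100.23", "asn": "AS64496 Example Home Broadband", "device": "WIN-8821"},
    # the same session token replayed through a rotating residential proxy pool, from an unregistered device
    {"ts": "2024-02-05T10:00:00", "user": "m.rossi@corp.example", "session": "sess-7a1",
     "ip": "203.0.113.5", "asn": "AS64497 Example Cable", "device": ""},
    {"ts": "2024-02-05T10:10:00", "user": "m.rossi@corp.example", "session": "sess-7a1",
     "ip": "203.0.113.77", "asn": "AS64498 Example Fibre", "device": ""},
    {"ts": "2024-02-05T10:20:00", "user": "m.rossi@corp.example", "session": "sess-7a1",
     "ip": "203.0.113.130", "asn": "AS64497 Example Cable", "device": ""},
    {"ts": "2024-02-05T10:30:00", "user": "m.rossi@corp.example", "session": "sess-7a1",
     "ip": "203.0.113.201", "asn": "AS64499 Example DSL", "device": ""},
    # a legitimate mobile user whose carrier hands out two addresses within the hour
    {"ts": "2024-02-05T10:05:00", "user": "k.lee@corp.example", "session": "sess-3c9",
     "ip": "192.0.2.40", "asn": "AS64500 Example Mobile", "device": "IPHONE-0C4"},
    {"ts": "2024-02-05T10:40:00", "user": "k.lee@corp.example", "session": "sess-3c9",
     "ip": "192.0.2.88", "asn": "AS64500 Example Mobile", "device": "IPHONE-0C4"},
]

# Constructed: devices each user has signed in from before, taken from host/MDM inventory.
KNOWN_DEVICES = {"m.rossi@corp.example": {"WIN-8821"}, "k.lee@corp.example": {"IPHONE-0C4"}}

# Constructed: ASNs an IP-reputation feed would label as hosting or VPN providers.
HOSTING_ASNS = {"AS64510 Example Hosting", "AS64511 Example VPN"}

def parse(ts):
    return datetime.fromisoformat(ts)

def flag_by_hosting_asn(events, hosting_asns=HOSTING_ASNS):
    """The IP-centric check. It finds nothing here: every address is residential."""
    return [e for e in events if e["asn"] in hosting_asns]

def detect_session_ip_churn(events):
    """One session identifier seen from too many addresses or providers within WINDOW:
    the signature of a token replayed through rotating residential proxies."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    hits = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        for i, start in enumerate(evs):
            t0 = parse(start["ts"])
            win = [e for e in evs[i:] if parse(e["ts"]) - t0 <= WINDOW]
            ips, asns = {e["ip"] for e in win}, {e["asn"] for e in win}
            if len(ips) > MAX_IPS_PER_SESSION or len(asns) > MAX_ASNS_PER_SESSION:
                hits.append({"session": sid, "user": start["user"],
                             "distinct_ips": len(ips), "distinct_asns": len(asns)})
                break  # one alert per session
    return hits

def detect_unknown_device(events, known=KNOWN_DEVICES):
    """Sign-ins from a device the host-side inventory has never associated with the user."""
    seen, hits = set(), []
    for e in events:
        if e["device"] not in known.get(e["user"], set()) and (e["user"], e["device"]) not in seen:
            seen.add((e["user"], e["device"]))
            hits.append({"user": e["user"], "device": e["device"] or "<unregistered>", "first_seen": e["ts"]})
    return hits

if __name__ == "__main__":
    print("hosting ASN hits:", flag_by_hosting_asn(EVENTS))
    print("session churn:", detect_session_ip_churn(EVENTS))
    print("unknown devices:", detect_unknown_device(EVENTS))
```

The mobile user is deliberately included as a near miss: two addresses from one carrier in an hour stays under both thresholds, whereas the replayed session crosses four addresses and three providers. The device check is what the advisory's advice about host-based logging buys you: whatever address the proxy presents, the actor cannot present a device identifier that the user's own endpoint inventory has recorded.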

According to CISA, TTPs such as the use of residential proxies and the exploitation of system accounts align with those Microsoft reported as recently as January 2024, when it disclosed an intrusion by Midnight Blizzard (its name for APT29) into its own corporate environment that began with a password spray against a legacy, non-production test tenant account.

The advisory also warns that once APT29 actors gain initial access, they can deploy advanced post-compromise capabilities such as MagicWeb, a malicious DLL that Microsoft found planted on compromised Active Directory Federation Services (AD FS) servers and that lets the actor authenticate as any user regardless of password or MFA.

Because the SVR's initial access to cloud environments depends on the account-level weaknesses described above rather than on unpatched software, denying that first authentication is an effective way to stop its operations, more so than on premises, where more of the network is typically exposed to the actor. Mitigating the initial cloud access vectors outlined in the joint advisory significantly strengthens an organization's defences against this threat.

With SOC365, ongoing vigilance ensures that potential security gaps are promptly identified and addressed, strengthening the organization's environment against threats.
