Description
[APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021) In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)
Techniques Used (TTPs)
- T1621 — Multi-Factor Authentication Request Generation (credential-access)
- T1003.002 — Security Account Manager (credential-access)
- T1588.002 — Tool (resource-development)
- T1090.004 — Domain Fronting (command-and-control)
- T1528 — Steal Application Access Token (credential-access)
- T1568 — Dynamic Resolution (command-and-control)
- T1068 — Exploitation for Privilege Escalation (privilege-escalation)
- T1546.003 — Windows Management Instrumentation Event Subscription (privilege-escalation, persistence)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1136.003 — Cloud Account (persistence)
- T1098.005 — Device Registration (persistence, privilege-escalation)
- T1587.003 — Digital Certificates (resource-development)
- T1005 — Data from Local System (collection)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1651 — Cloud Administration Command (execution)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1078.004 — Cloud Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1016.001 — Internet Connection Discovery (discovery)
- T1587.001 — Malware (resource-development)
- T1583.006 — Web Services (resource-development)
- T1090.003 — Multi-hop Proxy (command-and-control)
- T1037 — Boot or Logon Initialization Scripts (persistence, privilege-escalation)
- T1027.006 — HTML Smuggling (defense-evasion)
- T1070.004 — File Deletion (defense-evasion)
- T1203 — Exploitation for Client Execution (execution)
- T1550.003 — Pass the Ticket (defense-evasion, lateral-movement)
- T1204.001 — Malicious Link (execution)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1110.003 — Password Spraying (credential-access)
- T1114.002 — Remote Email Collection (collection)
- T1027.001 — Binary Padding (defense-evasion)
- T1556.007 — Hybrid Identity (credential-access, defense-evasion, persistence)
- T1059.001 — PowerShell (execution)
- T1133 — External Remote Services (persistence, initial-access)
- T1037.004 — RC Scripts (persistence, privilege-escalation)
- T1021.007 — Cloud Services (lateral-movement)
- T1595.002 — Vulnerability Scanning (reconnaissance)
- T1566.002 — Spearphishing Link (initial-access)
- T1070.006 — Timestomp (defense-evasion)
- T1586.003 — Cloud Accounts (resource-development)
- T1090.002 — External Proxy (command-and-control)
- T1573 — Encrypted Channel (command-and-control)
- T1047 — Windows Management Instrumentation (execution)
- T1110.001 — Password Guessing (credential-access)
- T1199 — Trusted Relationship (initial-access)
- T1566.003 — Spearphishing via Service (initial-access)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1505.003 — Web Shell (persistence)
- T1059.006 — Python (execution)
- T1665 — Hide Infrastructure (command-and-control)
- T1218.005 — Mshta (defense-evasion)
- T1003.004 — LSA Secrets (credential-access)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1553.005 — Mark-of-the-Web Bypass (defense-evasion)
- T1649 — Steal or Forge Authentication Certificates (credential-access)
- T1087.004 — Cloud Account (discovery)
- T1098.002 — Additional Email Delegate Permissions (persistence, privilege-escalation)
- T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1546.008 — Accessibility Features (privilege-escalation, persistence)
- T1059.009 — Cloud API (execution)
- T1586.002 — Email Accounts (resource-development)
- T1562.008 — Disable or Modify Cloud Logs (defense-evasion)
- T1204.002 — Malicious File (execution)
- T1548.002 — Bypass User Account Control (privilege-escalation, defense-evasion)
- T1027.002 — Software Packing (defense-evasion)
Total TTPs: 66
Malware & Tools
Malware: BoomBox, CloudDuke, Cobalt Strike, CosmicDuke, CozyCar, EnvyScout, FatDuke, FoggyWeb, GeminiDuke, GoldFinder, GoldMax, HAMMERTOSS, LiteDuke, MiniDuke, NativeZone, OnionDuke, POSHSPY, PinchDuke, PolyglotDuke, PowerDuke, QUIETEXIT, Raindrop, RegDuke, SUNBURST, SUNSPOT, SeaDuke, Sibot, SoreFang, TEARDROP, TrailBlazer, VaporRage, WellMail, WellMess, reGeorg
Tools: AADInternals, AdFind, BloodHound, Impacket, Mimikatz, Net, PsExec, ROADTools, SDelete, Sliver, Systeminfo, Tasklist, Tor, ipconfig, meek