APT29
G00164 reportsAnalyst assessment — key judgments
- Signature techniques: T1556.006 (Multi-Factor Authentication), T1589.001 (Credentials), T1090.004 (Domain Fronting).
- Primary targeting: RU, US, UA, CN.
- Resurgent after a quiet period: 3 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 5 new technique(s), 9 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 50% of 12 observed techniques (6 gap(s)).
- Assessment confidence: medium (61).
Activity & trend
Movement — last 30 days
Overview
APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)
ATT&CK technique matrix
- T1556.006 · Multi-Factor Authenticationconf 652
- T1589.001 · Credentialsconf 652
- T1090.004 · Domain Frontingconf 601evidence: Finding SOCKS with Proxywatch
- T1090.001 · Internal Proxyconf 601evidence: Finding SOCKS with Proxywatch
- T1557 · Adversary-in-the-Middleconf 601
- T1590.005 · IP Addressesconf 601
- T1584.003 · Virtual Private Serverconf 601
- T1583.003 · Virtual Private Serverconf 601
- T1556.009 · Conditional Access Policiesconf 601
- T1606.002 · SAML Tokensconf 601
- T1552.004 · Private Keysconf 601
- T1003.001 · LSASS Memoryconf 601
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|