APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021) In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)
ID: G0016
Associated Groups: CozyDuke, Cozy Bear, The Dukes, UNC2452, UNC3524, Midnight Blizzard, YTTRIUM, NOBELIUM, Blue Kitsune, IRON HEMLOCK, IRON RITUAL, NobleBaron, SolarStorm, Dark Halo
Version: 6.1
Created: 31 May 2017
Last Modified: 03 Sep 2024

Associated Group Descriptions

Name Description
CozyDuke (Citation: Crowdstrike DNC June 2016)
Cozy Bear (Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: CrowdStrike StellarParticle January 2022)
The Dukes (Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)
UNC2452 (Citation: FireEye SUNBURST Backdoor December 2020)
UNC3524 (Citation: Mandiant APT29 Eye Spy Email Nov 22)
Midnight Blizzard (Citation: Microsoft Threat Actor Naming July 2023)
YTTRIUM (Citation: Microsoft Unidentified Dec 2018)
NOBELIUM (Citation: MSTIC NOBELIUM Mar 2021)(Citation: MSTIC NOBELIUM May 2021)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: MSRC Nobelium June 2021)
Blue Kitsune (Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)
IRON HEMLOCK (Citation: Secureworks IRON HEMLOCK Profile)
IRON RITUAL (Citation: Secureworks IRON RITUAL Profile)
NobleBaron (Citation: SentinelOne NobleBaron June 2021)
SolarStorm (Citation: Unit 42 SolarStorm December 2020)
Dark Halo (Citation: Volexity SolarWinds)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT29 has bypassed UAC.(Citation: Mandiant No Easy Breach)

Enterprise T1087 .002 Account Discovery: Domain Account

APT29 has used PowerShell to discover domain accounts by executing Get-ADUser and Get-ADGroupMember.(Citation: CrowdStrike StellarParticle January 2022)(Citation: Secureworks IRON RITUAL Profile)

.004 Account Discovery: Cloud Account

APT29 has conducted enumeration of Azure AD accounts.(Citation: MSTIC Nobelium Oct 2021)

Enterprise T1098 .001 Account Manipulation: Additional Cloud Credentials

APT29 has added credentials to OAuth Applications and Service Principals.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: CrowdStrike StellarParticle January 2022)

.002 Account Manipulation: Additional Email Delegate Permissions

APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with `ApplicationImpersonation` rights to start collecting emails from targeted mailboxes; APT29 has also used compromised accounts holding `ApplicationImpersonation` rights in Exchange to collect emails.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: Mandiant APT29 Eye Spy Email Nov 22)

.002 Account Manipulation: Additional Email Delegate Permissions

APT29 added their own devices as allowed IDs for active sync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.(Citation: Volexity SolarWinds)(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: MSTIC Nobelium Oct 2021)

.003 Account Manipulation: Additional Cloud Roles

APT29 has granted `company administrator` privileges to a newly created service principal.(Citation: CrowdStrike StellarParticle January 2022)

.005 Account Manipulation: Device Registration

APT29 has enrolled their own devices into compromised cloud tenants, including enrolling a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: NCSC et al APT29 2024)

.005 Account Manipulation: Device Registration

APT29 registered devices in order to enable mailbox syncing via the Set-CASMailbox command.(Citation: Volexity SolarWinds)

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT29 has acquired C2 domains, sometimes through resellers.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: MSTIC NOBELIUM May 2021)

.006 Acquire Infrastructure: Web Services

APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.(Citation: FireEye APT29)(Citation: MSTIC NOBELIUM May 2021)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.(Citation: Cybersecurity Advisory SVR TTP May 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT29 has used HTTP for C2 and data exfiltration.(Citation: Volexity SolarWinds)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; APT29 has also compressed text files into zipped archives.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT29 added Registry Run keys to establish persistence.(Citation: Mandiant No Easy Breach)

.009 Boot or Logon Autostart Execution: Shortcut Modification

APT29 drops a Windows shortcut file for execution.(Citation: FireEye APT29 Nov 2018)

Enterprise T1037 .004 Boot or Logon Initialization Scripts: RC Scripts

APT29 has installed a run command on a compromised system to enable malware execution on system startup.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

Enterprise T1110 .001 Brute Force: Password Guessing

APT29 has successfully conducted password guessing attacks against a list of mailboxes.(Citation: Mandiant APT29 Microsoft 365 2022)

.003 Brute Force: Password Spraying

APT29 has conducted brute force password spray attacks.(Citation: MSRC Nobelium June 2021)(Citation: MSTIC Nobelium Oct 2021)(Citation: NCSC et al APT29 2024)
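The password guessing and password spraying entries above describe the same defender-side signal: one source address producing a small number of failures against many distinct accounts, sometimes followed by a success against a dormant account. The following detection logic is an added example, not code from the page, from MITRE or from SECURITM; the sign-in records are constructed, and the thresholds (five distinct users, at most two failures per user) are assumptions to be tuned against real sign-in volume.

```python
from collections import defaultdict

# Constructed sign-in records (utc_time, source_ip, user, result); not real data.
# 203.0.113.10 is a low-and-slow spray that ends with a success on a rarely used account.
# 198.51.100.7 hammers one account (brute force, not spray, under this rule).
# 192.0.2.5 is a single ordinary failed login.
SAMPLE_SIGNINS = [
    ("2024-01-10T01:00:00", "203.0.113.10", "alice", "failure"),
    ("2024-01-10T01:02:00", "203.0.113.10", "bob", "failure"),
    ("2024-01-10T01:04:00", "203.0.113.10", "carol", "failure"),
    ("2024-01-10T01:06:00", "203.0.113.10", "dave", "failure"),
    ("2024-01-10T01:08:00", "203.0.113.10", "erin", "failure"),
    ("2024-01-10T01:10:00", "203.0.113.10", "frank-old", "failure"),
    ("2024-01-10T01:12:00", "203.0.113.10", "frank-old", "success"),
    ("2024-01-10T02:00:00", "198.51.100.7", "svc-legacy", "failure"),
    ("2024-01-10T02:00:05", "198.51.100.7", "svc-legacy", "failure"),
    ("2024-01-10T02:00:10", "198.51.100.7", "svc-legacy", "failure"),
    ("2024-01-10T02:00:15", "198.51.100.7", "svc-legacy", "failure"),
    ("2024-01-10T02:00:20", "198.51.100.7", "svc-legacy", "failure"),
    ("2024-01-10T02:00:25", "198.51.100.7", "svc-legacy", "failure"),
    ("2024-01-10T03:00:00", "192.0.2.5", "grace", "failure"),
]


def detect_password_spray(records, min_distinct_users=5, max_failures_per_user=2):
    """Flag source IPs whose failed sign-ins spread thinly over many accounts.

    Returns one alert per offending IP: the accounts it touched with few
    failures each, and any of those accounts it later authenticated to.
    Thresholds are assumed values, not figures from the page.
    """
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    successes = defaultdict(set)                       # ip -> users with a success

    for _ts, ip, user, result in records:
        if result == "failure":
            failures[ip][user] += 1
        elif result == "success":
            successes[ip].add(user)

    alerts = []
    for ip, per_user in failures.items():
        # Spray signature: many accounts, each with only a handful of failures.
        sprayed = [u for u, n in per_user.items() if n <= max_failures_per_user]
        if len(sprayed) >= min_distinct_users:
            alerts.append({
                "ip": ip,
                "targeted_users": sorted(sprayed),
                # A success on a sprayed account is the part worth paging on.
                "successes": sorted(successes[ip] & set(sprayed)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

Because the rule keys on distinct accounts rather than on failure volume, the single-account brute force from 198.51.100.7 is deliberately left to a separate lockout-style rule; when the actor rotates through residential proxies, as the Proxy entries below describe, the same logic should be re-run keyed on user agent or tenant-wide time window instead of source IP.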

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.(Citation: Symantec Seaduke 2015)(Citation: Mandiant No Easy Breach)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)

.003 Command and Scripting Interpreter: Windows Command Shell

APT29 used cmd.exe to execute commands on remote machines.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)

.005 Command and Scripting Interpreter: Visual Basic

APT29 has written malware variants in Visual Basic.(Citation: Cybersecurity Advisory SVR TTP May 2021)

.006 Command and Scripting Interpreter: Python

APT29 has developed malware variants written in Python.(Citation: Symantec Seaduke 2015)

.009 Command and Scripting Interpreter: Cloud API

APT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. They have also utilized AADInternals PowerShell modules to access the API.(Citation: MSTIC Nobelium Toolset May 2021)

Enterprise T1586 .002 Compromise Accounts: Email Accounts

APT29 has compromised email accounts to further enable phishing campaigns and taken control of dormant accounts.(Citation: ANSSI Nobelium Phishing December 2021)(Citation: Mandiant APT29 Microsoft 365 2022)

.003 Compromise Accounts: Cloud Accounts

APT29 has used residential proxies, including Azure Virtual Machines, to obfuscate their access to victim environments.(Citation: Mandiant APT29 Microsoft 365 2022)

Enterprise T1584 .001 Compromise Infrastructure: Domains

APT29 has compromised domains to use for C2.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1136 .003 Create Account: Cloud Account

APT29 can create new users through Azure AD.(Citation: MSTIC Nobelium Oct 2021)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT29 has stolen users' saved passwords from Chrome.(Citation: CrowdStrike StellarParticle January 2022)

Enterprise T1001 .002 Data Obfuscation: Steganography

APT29 has used steganography to hide C2 communications in images.(Citation: ESET Dukes October 2019)

Enterprise T1074 .002 Data Staged: Remote Data Staging

APT29 staged data and files in password-protected archives on a victim's OWA server.(Citation: Volexity SolarWinds)

Enterprise T1213 .003 Data from Information Repositories: Code Repositories

APT29 has downloaded source code from code repositories.(Citation: Microsoft Internal Solorigate Investigation Blog)

Enterprise T1587 .001 Develop Capabilities: Malware

APT29 has used unique malware in many of their operations.(Citation: F-Secure The Dukes)(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: Mandiant APT29 Eye Spy Email Nov 22)

.003 Develop Capabilities: Digital Certificates

APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)

Enterprise T1484 .002 Domain or Tenant Policy Modification: Trust Modification

APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.(Citation: Microsoft 365 Defender Solorigate)(Citation: Secureworks IRON RITUAL Profile)

Enterprise T1114 .002 Email Collection: Remote Email Collection

APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)

.002 Email Collection: Remote Email Collection

APT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Exchange servers, including via Exchange Web Services (EWS) API requests.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: Mandiant APT29 Eye Spy Email Nov 22)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

APT29 has used WMI event subscriptions for persistence.(Citation: Mandiant No Easy Breach)

.008 Event Triggered Execution: Accessibility Features

APT29 used sticky-keys to obtain unauthenticated, privileged console access.(Citation: Mandiant No Easy Breach)(Citation: FireEye APT29 Domain Fronting)

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

APT29 has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.(Citation: Volexity SolarWinds)

Enterprise T1606 .001 Forge Web Credentials: Web Cookies

APT29 has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.(Citation: Volexity SolarWinds)

.002 Forge Web Credentials: SAML Tokens

APT29 created tokens using compromised SAML signing certificates.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Secureworks IRON RITUAL Profile)

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

APT29 has conducted credential theft operations to obtain credentials to be used for access to victim environments.(Citation: CrowdStrike StellarParticle January 2022)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

APT29 used the service control manager on a remote system to disable services associated with security monitoring products.(Citation: Microsoft Deep Dive Solorigate January 2021)

.002 Impair Defenses: Disable Windows Event Logging

APT29 used AUDITPOL to prevent the collection of audit logs.(Citation: Microsoft Deep Dive Solorigate January 2021)

.004 Impair Defenses: Disable or Modify System Firewall

APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.(Citation: Microsoft Deep Dive Solorigate January 2021)

.008 Impair Defenses: Disable or Modify Cloud Logs

APT29 has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.(Citation: Mandiant APT29 Microsoft 365 2022)

Enterprise T1070 .004 Indicator Removal: File Deletion

APT29 has used SDelete to remove artifacts from victim networks.(Citation: Mandiant No Easy Breach)

.006 Indicator Removal: Timestomp

APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

.006 Indicator Removal: Timestomp

APT29 modified timestamps of backdoors to match legitimate Windows files.(Citation: Microsoft Deep Dive Solorigate January 2021)

.008 Indicator Removal: Clear Mailbox Data

APT29 removed evidence of email export requests using Remove-MailboxExportRequest.(Citation: Volexity SolarWinds)
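The Remote Email Collection, Additional Email Delegate Permissions, Device Registration and Clear Mailbox Data entries above all leave a trail in the Exchange admin audit log: the New-/Get-/Remove-MailboxExportRequest sequence, Set-CASMailbox changes that allow-list an ActiveSync device, and role assignments granting ApplicationImpersonation. The triage below is an added example, not code from the page, from MITRE or from SECURITM; the log records are constructed, the 24-hour export-to-cleanup window is an assumption, and `New-ManagementRoleAssignment` with `-Role ApplicationImpersonation` is the standard Exchange cmdlet for that grant, which the page does not name.

```python
from datetime import datetime, timedelta

# Constructed admin-audit-style records (actor, utc_time, cmdlet, parameters); not real data.
SAMPLE_LOG = [
    ("svc-backup", "2024-01-10T02:14:00", "New-MailboxExportRequest",
     r"-Mailbox ceo@corp.example -FilePath \\owa01\c$\inetpub\export.pst"),
    ("svc-backup", "2024-01-10T02:30:00", "Get-MailboxExportRequest", ""),
    ("svc-backup", "2024-01-10T03:05:00", "Remove-MailboxExportRequest",
     r"-Identity ceo@corp.example\MailboxExport"),
    ("helpdesk1", "2024-01-10T09:00:00", "Set-CASMailbox",
     "-Identity jdoe -ActiveSyncAllowedDeviceIDs @{Add='ABCDEF0123456789'}"),
    ("admin2", "2024-01-11T11:00:00", "New-ManagementRoleAssignment",
     "-Role ApplicationImpersonation -User svc-sync"),
    ("admin2", "2024-01-12T08:00:00", "Set-CASMailbox", "-Identity jdoe -OWAEnabled $true"),
    # Legitimate-looking export with no cleanup afterwards: not matched by the first rule.
    ("it-ops", "2024-02-01T10:00:00", "New-MailboxExportRequest",
     r"-Mailbox legal@corp.example -FilePath \\fs01\legal\hold.pst"),
]


def triage_exchange_audit(records, window_hours=24):
    """Return (rule, actor, detail) findings for the cmdlet patterns named on the page.

    Rules:
      export_then_cleanup        - same actor creates an export request and then
                                   removes a request within window_hours (assumed value)
      activesync_device_allowlist - Set-CASMailbox touching ActiveSyncAllowedDeviceIDs
      impersonation_grant         - a role assignment granting ApplicationImpersonation
    """
    findings = []
    export_times = {}  # actor -> list of New-MailboxExportRequest timestamps

    for actor, ts, cmdlet, params in records:
        when = datetime.fromisoformat(ts)

        if cmdlet == "New-MailboxExportRequest":
            export_times.setdefault(actor, []).append(when)

        elif cmdlet == "Remove-MailboxExportRequest":
            for started in export_times.get(actor, []):
                if timedelta(0) <= when - started <= timedelta(hours=window_hours):
                    findings.append(("export_then_cleanup", actor,
                                     f"export {started.isoformat()} removed {when.isoformat()}"))
                    break

        elif cmdlet == "Set-CASMailbox" and "ActiveSyncAllowedDeviceIDs" in params:
            # Allow-listing a device ID lets that device sync the mailbox.
            findings.append(("activesync_device_allowlist", actor, params))

        elif cmdlet == "New-ManagementRoleAssignment" and "ApplicationImpersonation" in params:
            # Impersonation rights let the assignee read any mailbox via EWS.
            findings.append(("impersonation_grant", actor, params))

    return findings


if __name__ == "__main__":
    for finding in triage_exchange_audit(SAMPLE_LOG):
        print(finding)
```

The first rule matches on the sequence rather than on any single cmdlet, because exports alone are routine for legal hold and migration work; the it-ops record is left unflagged for that reason. The other two rules fire on a single record because neither change is routine, and both are worth confirming against a change ticket before the mailbox owner is assumed compromised.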

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.(Citation: Volexity SolarWinds)

.005 Masquerading: Match Legitimate Name or Location

APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.(Citation: SentinelOne NobleBaron June 2021)(Citation: Mandiant APT29 Microsoft 365 2022)

Enterprise T1556 .007 Modify Authentication Process: Hybrid Identity

APT29 has edited the `Microsoft.IdentityServer.Servicehost.exe.config` file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.(Citation: MagicWeb)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

APT29 has used the `reg save` command to save registry hives.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

.004 OS Credential Dumping: LSA Secrets

APT29 has used the `reg save` command to extract LSA secrets offline.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

.006 OS Credential Dumping: DCSync

APT29 leveraged privileged accounts to replicate directory service data with domain controllers.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

APT29 used large size files to avoid detection by security solutions with hardcoded size limits.(Citation: SentinelOne NobleBaron June 2021)

.002 Obfuscated Files or Information: Software Packing

APT29 used UPX to pack files.(Citation: Mandiant No Easy Breach)

.006 Obfuscated Files or Information: HTML Smuggling

APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.(Citation: ESET T3 Threat Report 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.(Citation: Mandiant No Easy Breach)(Citation: F-Secure The Dukes)(Citation: Mandiant APT29 Eye Spy Email Nov 22)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

APT29 has used AdFind to enumerate domain groups.(Citation: CrowdStrike StellarParticle January 2022)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Citation: F-Secure The Dukes)(Citation: MSTIC NOBELIUM May 2021)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)

.002 Phishing: Spearphishing Link

APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.(Citation: Mandiant No Easy Breach)(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)

.003 Phishing: Spearphishing via Service

APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.(Citation: MSTIC NOBELIUM May 2021)

Enterprise T1090 .001 Proxy: Internal Proxy

APT29 has used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion.(Citation: Symantec RAINDROP January 2021)(Citation: CrowdStrike StellarParticle January 2022)

.002 Proxy: External Proxy

APT29 uses compromised residential endpoints as proxies for defense evasion and network access.(Citation: NCSC et al APT29 2024)

.003 Proxy: Multi-hop Proxy

A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network; APT29 has also used Tor more generally.(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Oct 2021)

.004 Proxy: Domain Fronting

APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.(Citation: Mandiant No Easy Breach)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT29 has used RDP sessions from public-facing systems to internal servers.(Citation: CrowdStrike StellarParticle January 2022)

.002 Remote Services: SMB/Windows Admin Shares

APT29 has used administrative accounts to connect over SMB to targeted users.(Citation: CrowdStrike StellarParticle January 2022)

.006 Remote Services: Windows Remote Management

APT29 has used WinRM via PowerShell to execute commands and payloads on remote hosts.(Citation: Symantec RAINDROP January 2021)

.007 Remote Services: Cloud Services

APT29 has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment, including through the use of Azure AD PowerShell.(Citation: Mandiant Remediation and Hardening Strategies for Microsoft 365)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT29 has used named and hijacked scheduled tasks to establish persistence.(Citation: Mandiant No Easy Breach)

Enterprise T1505 .003 Server Software Component: Web Shell

APT29 has installed web shells on exploited Microsoft Exchange servers.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Mandiant APT29 Eye Spy Email Nov 22)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline.(Citation: Microsoft Deep Dive Solorigate January 2021)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.(Citation: FireEye SUNBURST Backdoor December 2020)

.005 Subvert Trust Controls: Mark-of-the-Web Bypass

APT29 has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.(Citation: ESET T3 Threat Report 2021)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Secureworks IRON RITUAL Profile)(Citation: MSTIC Nobelium Oct 2021)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

APT29 has used `mshta` to execute malicious scripts on a compromised host.(Citation: ESET T3 Threat Report 2021)

.011 System Binary Proxy Execution: Rundll32

APT29 has used Rundll32.exe to execute payloads.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: FireEye APT29 Nov 2018)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021)

.001 System Network Configuration Discovery: Internet Connection Discovery

APT29 has ensured web servers in a victim environment are Internet accessible before copying tools or malware to it.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

Enterprise T1552 .004 Unsecured Credentials: Private Keys

APT29 obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.(Citation: Microsoft 365 Defender Solorigate)(Citation: Cybersecurity Advisory SVR TTP May 2021)

Enterprise T1550 .001 Use Alternate Authentication Material: Application Access Token

APT29 has used compromised service principals to make changes to the Office 365 environment.(Citation: CrowdStrike StellarParticle January 2022)

.003 Use Alternate Authentication Material: Pass the Ticket

APT29 used Kerberos ticket attacks for lateral movement.(Citation: Mandiant No Easy Breach)

.004 Use Alternate Authentication Material: Web Session Cookie

APT29 used stolen cookies to access cloud resources, and a forged duo-sid cookie to bypass MFA set on an email account.(Citation: Volexity SolarWinds)(Citation: CrowdStrike StellarParticle January 2022)

Enterprise T1204 .001 User Execution: Malicious Link

APT29 has used various forms of spearphishing attempting to get a user to click on a malicious link.(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)

.002 User Execution: Malicious File

APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.(Citation: F-Secure The Dukes)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: CrowdStrike StellarParticle January 2022)

.003 Valid Accounts: Local Accounts

APT29 targets dormant or inactive user accounts (accounts belonging to individuals no longer at the organization that remain on the system) for access and persistence.(Citation: NCSC et al APT29 2024)

.003 Valid Accounts: Local Accounts

APT29 has used compromised local accounts to access victims' networks.(Citation: CrowdStrike StellarParticle January 2022)

.004 Valid Accounts: Cloud Accounts

APT29 has gained access to a global administrator account in Azure AD and has used `Service Principal` credentials in Exchange.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: Mandiant APT29 Eye Spy Email Nov 22)

.004 Valid Accounts: Cloud Accounts

APT29 has used a compromised O365 administrator account to create a new Service Principal.(Citation: CrowdStrike StellarParticle January 2022)

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT29 has used social media platforms to hide communications to C2 servers.(Citation: ESET Dukes October 2019)

Software

ID Name References Techniques
S0139 PowerDuke (Citation: Volexity PowerDuke November 2016) System Network Configuration Discovery, Steganography, Rundll32, System Information Discovery, File and Directory Discovery, Application Window Discovery, Data Destruction, System Owner/User Discovery, Process Discovery, System Time Discovery, File Deletion, Ingress Tool Transfer, NTFS File Attributes, Commonly Used Port, Windows Command Shell, Registry Run Keys / Startup Folder
S0039 Net (Citation: CISA SoreFang July 2016) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: ESET T3 Threat Report 2021) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) Domain Groups, Group Policy Discovery, Archive Collected Data, Password Policy Discovery, Local Groups, Domain Account, Local Account, System Owner/User Discovery, Remote System Discovery, Native API, PowerShell, Domain Trust Discovery
S0633 Sliver (Citation: Bishop Fox Sliver Framework August 2019) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: Secureworks IRON HEMLOCK Profile) Process Injection, File and Directory Discovery, Steganography, Access Token Manipulation, DNS, Encrypted/Encoded File, Asymmetric Cryptography, System Network Configuration Discovery, Screen Capture, Web Protocols, Ingress Tool Transfer, Symmetric Cryptography, Exfiltration Over C2 Channel, Standard Encoding, System Network Connections Discovery
S0049 GeminiDuke (Citation: F-Secure The Dukes) File and Directory Discovery, Local Account, Process Discovery, System Network Configuration Discovery, System Service Discovery, Web Protocols
S0357 Impacket (Citation: Impacket Tools) (Citation: Mandiant APT29 Eye Spy Email Nov 22) LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets
S0100 ipconfig (Citation: CISA SoreFang July 2016) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S0677 AADInternals (Citation: AADInternals Documentation) (Citation: AADInternals Github) (Citation: AADInternals) (Citation: MSTIC Nobelium Oct 2021) Cloud Service Discovery, Steal or Forge Authentication Certificates, Hybrid Identity, Device Registration, Spearphishing Link, Credentials In Files, Trust Modification, Spearphishing Link, Cloud Groups, Cloud Account, SAML Tokens, Domain Properties, Email Addresses, Silver Ticket, Private Keys, Steal Application Access Token, Cloud Account, LSA Secrets, Multi-Factor Authentication, Cloud Administration Command, Data from Cloud Storage, PowerShell, Modify Registry, Exfiltration Over Alternative Protocol
S0037 HAMMERTOSS (Citation: F-Secure The Dukes) (Citation: FireEye APT29) (Citation: Secureworks IRON HEMLOCK Profile) Exfiltration to Cloud Storage, Steganography, Hidden Window, Symmetric Cryptography, Web Protocols, PowerShell, One-Way Communication
S0057 Tasklist (Citation: CISA SoreFang July 2016) (Citation: Microsoft Tasklist) Process Discovery, System Service Discovery, Security Software Discovery
S0050 CosmicDuke (Citation: F-Secure The Dukes) (Citation: Secureworks IRON HEMLOCK Profile) Windows Service, LSA Secrets, Exfiltration Over Unencrypted Non-C2 Protocol, Data from Network Shared Drive, Credentials from Password Stores, File and Directory Discovery, Credentials from Web Browsers, Exploitation for Privilege Escalation, Clipboard Data, Keylogging, Screen Capture, Web Protocols, Local Email Collection, Security Account Manager, Automated Exfiltration, Data from Local System, Scheduled Task, Symmetric Cryptography, Data from Removable Media
S0634 EnvyScout (Citation: MSTIC Nobelium Toolset May 2021) System Information Discovery, Execution Guardrails, Malicious File, Rundll32, Data from Local System, Spearphishing Attachment, Deobfuscate/Decode Files or Information, Encrypted/Encoded File, JavaScript, Hidden Files and Directories, Windows Command Shell, HTML Smuggling, Forced Authentication, Masquerading
S0560 TEARDROP (Citation: FireEye SUNBURST Backdoor December 2020) (Citation: Microsoft Deep Dive Solorigate January 2021) (Citation: MSTIC NOBELIUM May 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile) Query Registry, Obfuscated Files or Information, Modify Registry, Windows Service, Match Legitimate Name or Location, Deobfuscate/Decode Files or Information
S0514 WellMess (Citation: CISA WellMess July 2020) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: NCSC APT29 July 2020) (Citation: PWC WellMess C2 August 2020) (Citation: PWC WellMess July 2020) System Owner/User Discovery, PowerShell, Data from Local System, DNS, System Information Discovery, Ingress Tool Transfer, Asymmetric Cryptography, Standard Encoding, Symmetric Cryptography, Windows Command Shell, Domain Groups, System Network Configuration Discovery, Deobfuscate/Decode Files or Information, Web Protocols, Junk Data
S0518 PolyglotDuke (Citation: ESET Dukes October 2019) (Citation: Secureworks IRON HEMLOCK Profile) Modify Registry, Obfuscated Files or Information, Fileless Storage, Ingress Tool Transfer, Rundll32, Native API, Dead Drop Resolver, Web Protocols, Steganography, Deobfuscate/Decode Files or Information
S0511 RegDuke (Citation: ESET Dukes October 2019) (Citation: Secureworks IRON HEMLOCK Profile) Ingress Tool Transfer, Steganography, Windows Management Instrumentation Event Subscription, PowerShell, Modify Registry, Deobfuscate/Decode Files or Information, Fileless Storage, Bidirectional Communication, Obfuscated Files or Information
S1084 QUIETEXIT (Citation: Mandiant APT29 Eye Spy Email Nov 22) External Proxy, Fallback Channels, Non-Application Layer Protocol, Application Layer Protocol, Match Legitimate Name or Location
S0565 Raindrop (Citation: Microsoft Deep Dive Solorigate January 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile) (Citation: Symantec RAINDROP January 2021) Time Based Evasion, Encrypted/Encoded File, Software Packing, Masquerading, Match Legitimate Name or Location, Steganography, Deobfuscate/Decode Files or Information
S0512 FatDuke (Citation: ESET Dukes October 2019) (Citation: Secureworks IRON HEMLOCK Profile) Query Registry, Masquerading, Web Protocols, Time Based Evasion, System Network Configuration Discovery, Fallback Channels, System Information Discovery, Registry Run Keys / Startup Folder, Native API, Software Packing, Internal Proxy, Process Discovery, Obfuscated Files or Information, File Deletion, Data from Local System, Rundll32, PowerShell, Symmetric Cryptography, Create or Modify System Process, File and Directory Discovery, Binary Padding, Deobfuscate/Decode Files or Information
S0588 GoldMax (Citation: CrowdStrike StellarParticle January 2022) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: FireEye SUNSHUTTLE Mar 2021) (Citation: MSTIC NOBELIUM Mar 2021) (Citation: MSTIC NOBELIUM May 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile) (Citation: SUNSHUTTLE) Scheduled Task, Software Packing, Ignore Process Interrupts, System Time Discovery, System Network Configuration Discovery, Cron, Asymmetric Cryptography, Windows Command Shell, Deobfuscate/Decode Files or Information, Junk Data, Encrypted/Encoded File, Web Protocols, Ingress Tool Transfer, Match Legitimate Name or Location, Time Based Evasion, System Checks, Exfiltration Over C2 Channel, Masquerade Task or Service
S0150 POSHSPY (Citation: FireEye POSHSPY April 2017) Data Transfer Size Limits, Domain Generation Algorithms, Obfuscated Files or Information, PowerShell, Asymmetric Cryptography, Ingress Tool Transfer, Timestomp, Windows Management Instrumentation Event Subscription
S0051 MiniDuke (Citation: ESET Dukes October 2019) (Citation: F-Secure The Dukes) (Citation: Secureworks IRON HEMLOCK Profile) Dead Drop Resolver, System Information Discovery, Domain Generation Algorithms, Obfuscated Files or Information, Fallback Channels, Ingress Tool Transfer, Internal Proxy, File and Directory Discovery, Web Protocols, Create or Modify System Process
S0175 meek (Citation: Mandiant No Easy Breach) Domain Fronting
S0053 SeaDuke (Citation: F-Secure The Dukes) (Citation: Secureworks IRON HEMLOCK Profile) (Citation: Symantec Seaduke 2015) Windows Command Shell, Pass the Ticket, Standard Encoding, Valid Accounts, Archive via Library, Ingress Tool Transfer, File Deletion, Remote Email Collection, Software Packing, Web Protocols, Registry Run Keys / Startup Folder, Symmetric Cryptography, Shortcut Modification, PowerShell, Windows Management Instrumentation Event Subscription
S0684 ROADTools (Citation: MSTIC Nobelium Oct 2021) (Citation: ROADtools Github) Remote System Discovery, Automated Collection, Cloud Service Discovery, Cloud Account, Cloud Groups, Cloud Accounts
S0661 FoggyWeb (Citation: MSTIC FoggyWeb September 2021) Deobfuscate/Decode Files or Information, Archive via Custom Method, Exfiltration Over C2 Channel, Compile After Delivery, Data from Local System, Encrypted/Encoded File, Web Protocols, Private Keys, Masquerading, Process Discovery, Use Alternate Authentication Material, Native API, Shared Modules, Network Sniffing, Archive via Library, Ingress Tool Transfer, DLL Search Order Hijacking, Match Legitimate Name or Location, File and Directory Discovery, Reflective Code Loading, Symmetric Cryptography
S0096 Systeminfo (Citation: CISA SoreFang July 2016) (Citation: TechNet Systeminfo) System Information Discovery
S0515 WellMail (Citation: CISA WellMail July 2020) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: NCSC APT29 July 2020) Ingress Tool Transfer, Non-Standard Port, Archive Collected Data, Non-Application Layer Protocol, System Owner/User Discovery, System Network Configuration Discovery, Deobfuscate/Decode Files or Information, Asymmetric Cryptography, Data from Local System
S0513 LiteDuke (Citation: ESET Dukes October 2019) (Citation: Secureworks IRON HEMLOCK Profile) Deobfuscate/Decode Files or Information, System Information Discovery, Steganography, System Network Configuration Discovery, Web Protocols, Query Registry, Registry Run Keys / Startup Folder, File Deletion, Software Packing, Ingress Tool Transfer, Time Based Evasion, Security Software Discovery, System Owner/User Discovery
S0636 VaporRage (Citation: MSTIC Nobelium Toolset May 2021) Deobfuscate/Decode Files or Information, Execution Guardrails, Ingress Tool Transfer, Web Protocols
S0589 Sibot (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: MSTIC NOBELIUM Mar 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile) Query Registry, Scheduled Task, Match Legitimate Name or Location, System Network Configuration Discovery, Command Obfuscation, Windows Management Instrumentation, Indicator Removal, Ingress Tool Transfer, File Deletion, Web Service, Visual Basic, Deobfuscate/Decode Files or Information, Mshta, Rundll32, System Network Connections Discovery, Indicator Removal, Fileless Storage, Modify Registry, Web Protocols
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: ESET T3 Threat Report 2021) (Citation: FireEye APT29 Nov 2018) (Citation: FireEye SUNBURST Backdoor December 2020) (Citation: MSTIC NOBELIUM May 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile) (Citation: Secureworks IRON RITUAL USAID Phish May 2021) (Citation: SentinelOne NobleBaron June 2021) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0559 SUNBURST (Citation: FireEye SUNBURST Backdoor December 2020) (Citation: Microsoft Deep Dive Solorigate January 2021) (Citation: MSTIC NOBELIUM May 2021) (Citation: Secureworks IRON RITUAL Profile) (Citation: SolarWinds Sunburst Sunspot Update January 2021) (Citation: Solorigate) Time Based Evasion, Disable or Modify Tools, Windows Management Instrumentation, System Information Discovery, Modify Registry, Symmetric Cryptography, Standard Encoding, Clear Persistence, Data from Local System, System Time Discovery, File and Directory Discovery, System Network Configuration Discovery, Obfuscated Files or Information, Image File Execution Options Injection, Rundll32, System Service Discovery, Match Legitimate Name or Location, Code Signing, Process Discovery, Protocol or Service Impersonation, Junk Data, Visual Basic, DNS, File Deletion, Clear Network Connection History and Configurations, System Checks, Query Registry, Security Software Discovery, System Owner/User Discovery, Ingress Tool Transfer, Indicator Removal from Tools, Web Protocols, Steganography, Dynamic Resolution, Indicator Removal
S0048 PinchDuke (Citation: F-Secure The Dukes) File and Directory Discovery, OS Credential Dumping, Web Protocols, System Information Discovery, Credentials from Password Stores, Credentials from Web Browsers, Data from Local System
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: CrowdStrike StellarParticle January 2022) (Citation: Deply Mimikatz) (Citation: F-Secure The Dukes) (Citation: Microsoft 365 Defender Solorigate) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0052 OnionDuke (Citation: ESET Dukes October 2019) (Citation: F-Secure The Dukes) (Citation: Secureworks IRON HEMLOCK Profile) OS Credential Dumping, Endpoint Denial of Service, One-Way Communication, Web Protocols, Deobfuscate/Decode Files or Information
S0637 NativeZone (Citation: MSTIC Nobelium Toolset May 2021) (Citation: SentinelOne NobleBaron June 2021) Malicious File, System Checks, Rundll32, Deobfuscate/Decode Files or Information, Execution Guardrails, Masquerading
S0597 GoldFinder (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: MSTIC NOBELIUM Mar 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile) Internet Connection Discovery, Automated Collection, Web Protocols
S0682 TrailBlazer (Citation: CrowdStrike StellarParticle January 2022) Junk Data, Data Obfuscation, Web Protocols, Masquerading, Windows Management Instrumentation Event Subscription
S0562 SUNSPOT (Citation: CrowdStrike SUNSPOT Implant January 2021) (Citation: MSTIC Nobelium Toolset May 2021) Process Discovery, Access Token Manipulation, File Deletion, Obfuscated Files or Information, Stored Data Manipulation, File and Directory Discovery, Execution Guardrails, Compromise Software Supply Chain, Native API, Mutual Exclusion, Deobfuscate/Decode Files or Information, Match Legitimate Name or Location
S0635 BoomBox (Citation: MSTIC Nobelium Toolset May 2021) Rundll32, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Web Service, Domain Account, Web Protocols, Malicious File, System Information Discovery, File and Directory Discovery, Masquerading, Execution Guardrails, Registry Run Keys / Startup Folder, System Owner/User Discovery, Exfiltration to Cloud Storage, Email Account, Obfuscated Files or Information
S0054 CloudDuke (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015) Web Protocols, Bidirectional Communication, Ingress Tool Transfer
S0195 SDelete (Citation: Mandiant No Easy Breach) (Citation: Microsoft SDelete July 2016) File Deletion, Data Destruction
S0516 SoreFang (Citation: CISA SoreFang July 2016) (Citation: NCSC APT29 July 2020) Ingress Tool Transfer, Domain Account, Process Discovery, File and Directory Discovery, Web Protocols, Exploit Public-Facing Application, Scheduled Task, System Information Discovery, Local Account, Domain Groups, System Network Configuration Discovery, Obfuscated Files or Information, Deobfuscate/Decode Files or Information
S0046 CozyCar (Citation: F-Secure The Dukes) (Citation: Secureworks IRON HEMLOCK Profile) Windows Command Shell, System Information Discovery, Web Protocols, Bidirectional Communication, Registry Run Keys / Startup Folder, Security Software Discovery, Rundll32, LSASS Memory, Virtualization/Sandbox Evasion, Encrypted/Encoded File, Security Account Manager, Rename System Utilities, Scheduled Task, Windows Service
S0183 Tor (Citation: Dingledine Tor The Second-Generation Onion Router) (Citation: Mandiant No Easy Breach) Asymmetric Cryptography, Multi-hop Proxy
S0552 AdFind (Citation: CrowdStrike StellarParticle January 2022) (Citation: ESET T3 Threat Report 2021) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Microsoft Analyzing Solorigate Dec 2020) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account
S0029 PsExec (Citation: ESET Dukes October 2019) (Citation: F-Secure The Dukes) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  2. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  3. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  4. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  5. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  6. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  7. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  8. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  9. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  10. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  11. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  12. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  13. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
  14. Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock. (2021, December 6). Suspected Russian Activity Targeting Government and Business Entities Around the Globe. Retrieved April 15, 2022.
  15. UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
  16. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  17. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  18. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  19. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  20. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
  21. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  22. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  23. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  24. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  25. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  26. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
  27. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  28. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  29. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  30. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  31. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  32. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  33. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
  34. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  35. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
  36. MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.
  37. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  38. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
  39. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  40. UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services. Retrieved April 16, 2021.
  41. UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise. Retrieved April 16, 2021.
  42. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  43. Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.
  44. White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.
