APT29
Associated Group Descriptions

Name | Description
---|---
CozyDuke | (Citation: Crowdstrike DNC June 2016)
Cozy Bear | (Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: CrowdStrike StellarParticle January 2022)
The Dukes | (Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)
UNC2452 | (Citation: FireEye SUNBURST Backdoor December 2020)
UNC3524 | (Citation: Mandiant APT29 Eye Spy Email Nov 22)
Midnight Blizzard | (Citation: Microsoft Threat Actor Naming July 2023)
YTTRIUM | (Citation: Microsoft Unidentified Dec 2018)
NOBELIUM | (Citation: MSTIC NOBELIUM Mar 2021)(Citation: MSTIC NOBELIUM May 2021)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: MSRC Nobelium June 2021)
Blue Kitsune | (Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)
IRON HEMLOCK | (Citation: Secureworks IRON HEMLOCK Profile)
IRON RITUAL | (Citation: Secureworks IRON RITUAL Profile)
NobleBaron | (Citation: SentinelOne NobleBaron June 2021)
SolarStorm | (Citation: Unit 42 SolarStorm December 2020)
Dark Halo | (Citation: Volexity SolarWinds)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | APT29 has bypassed UAC.(Citation: Mandiant No Easy Breach)
Enterprise | T1087.002 | Account Discovery: Domain Account | APT29 has used PowerShell to discover domain accounts by executing
Enterprise | T1087.004 | Account Discovery: Cloud Account | APT29 has conducted enumeration of Azure AD accounts.(Citation: MSTIC Nobelium Oct 2021)
Enterprise | T1098.001 | Account Manipulation: Additional Cloud Credentials | APT29 has added credentials to OAuth Applications and Service Principals.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with `ApplicationImpersonation` rights to start collecting emails from targeted mailboxes; APT29 has also used compromised accounts holding `ApplicationImpersonation` rights in Exchange to collect emails.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | APT29 added their own devices as allowed IDs for active sync using
Enterprise | T1098.003 | Account Manipulation: Additional Cloud Roles | APT29 has granted `company administrator` privileges to a newly created service principal.(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1098.005 | Account Manipulation: Device Registration | APT29 has enrolled their own devices into compromised cloud tenants, including enrolling a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: NCSC et al APT29 2024)
Enterprise | T1098.005 | Account Manipulation: Device Registration | APT29 registered devices in order to enable mailbox syncing via the
Enterprise | T1583.001 | Acquire Infrastructure: Domains | APT29 has acquired C2 domains, sometimes through resellers.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: MSTIC NOBELIUM May 2021)
Enterprise | T1583.006 | Acquire Infrastructure: Web Services | APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.(Citation: FireEye APT29)(Citation: MSTIC NOBELIUM May 2021)
Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.(Citation: Cybersecurity Advisory SVR TTP May 2021)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT29 has used HTTP for C2 and data exfiltration.(Citation: Volexity SolarWinds)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; APT29 has also compressed text files into zipped archives.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT29 added Registry Run keys to establish persistence.(Citation: Mandiant No Easy Breach)
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | APT29 drops a Windows shortcut file for execution.(Citation: FireEye APT29 Nov 2018)
Enterprise | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts | APT29 has installed a run command on a compromised system to enable malware execution on system startup.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1110.001 | Brute Force: Password Guessing | APT29 has successfully conducted password guessing attacks against a list of mailboxes.(Citation: Mandiant APT29 Microsoft 365 2022)
Enterprise | T1110.003 | Brute Force: Password Spraying | APT29 has conducted brute force password spray attacks.(Citation: MSRC Nobelium June 2021)(Citation: MSTIC Nobelium Oct 2021)(Citation: NCSC et al APT29 2024)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.(Citation: Symantec Seaduke 2015)(Citation: Mandiant No Easy Breach)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | APT29 used
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | APT29 has written malware variants in Visual Basic.(Citation: Cybersecurity Advisory SVR TTP May 2021)
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | APT29 has developed malware variants written in Python.(Citation: Symantec Seaduke 2015)
Enterprise | T1059.009 | Command and Scripting Interpreter: Cloud API | APT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. They have also utilized AADInternals PowerShell Modules to access the API.(Citation: MSTIC Nobelium Toolset May 2021)
Enterprise | T1586.002 | Compromise Accounts: Email Accounts | APT29 has compromised email accounts to further enable phishing campaigns and taken control of dormant accounts.(Citation: ANSSI Nobelium Phishing December 2021)(Citation: Mandiant APT29 Microsoft 365 2022)
Enterprise | T1586.003 | Compromise Accounts: Cloud Accounts | APT29 has used residential proxies, including Azure Virtual Machines, to obfuscate their access to victim environments.(Citation: Mandiant APT29 Microsoft 365 2022)
Enterprise | T1584.001 | Compromise Infrastructure: Domains | APT29 has compromised domains to use for C2.(Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1136.003 | Create Account: Cloud Account | APT29 can create new users through Azure AD.(Citation: MSTIC Nobelium Oct 2021)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | APT29 has stolen users' saved passwords from Chrome.(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1001.002 | Data Obfuscation: Steganography | APT29 has used steganography to hide C2 communications in images.(Citation: ESET Dukes October 2019)
Enterprise | T1074.002 | Data Staged: Remote Data Staging | APT29 staged data and files in password-protected archives on a victim's OWA server.(Citation: Volexity SolarWinds)
Enterprise | T1213.003 | Data from Information Repositories: Code Repositories | APT29 has downloaded source code from code repositories.(Citation: Microsoft Internal Solorigate Investigation Blog)
Enterprise | T1587.001 | Develop Capabilities: Malware | APT29 has used unique malware in many of their operations.(Citation: F-Secure The Dukes)(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1587.003 | Develop Capabilities: Digital Certificates | APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)
Enterprise | T1484.002 | Domain or Tenant Policy Modification: Trust Modification | APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.(Citation: Microsoft 365 Defender Solorigate)(Citation: Secureworks IRON RITUAL Profile)
Enterprise | T1114.002 | Email Collection: Remote Email Collection | APT29 collected emails from specific individuals, such as executives and IT staff, using
Enterprise | T1114.002 | Email Collection: Remote Email Collection | APT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Exchange servers, including via Exchange Web Services (EWS) API requests.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | APT29 has used WMI event subscriptions for persistence.(Citation: Mandiant No Easy Breach)
Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features | APT29 used sticky-keys to obtain unauthenticated, privileged console access.(Citation: Mandiant No Easy Breach)(Citation: FireEye APT29 Domain Fronting)
Enterprise | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | APT29 has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.(Citation: Volexity SolarWinds)
Enterprise | T1606.001 | Forge Web Credentials: Web Cookies | APT29 has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.(Citation: Volexity SolarWinds)
Enterprise | T1606.002 | Forge Web Credentials: SAML Tokens | APT29 created tokens using compromised SAML signing certificates.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Secureworks IRON RITUAL Profile)
Enterprise | T1589.001 | Gather Victim Identity Information: Credentials | APT29 has conducted credential theft operations to obtain credentials to be used for access to victim environments.(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | APT29 used the service control manager on a remote system to disable services associated with security monitoring products.(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1562.002 | Impair Defenses: Disable Windows Event Logging | APT29 used
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | APT29 used
Enterprise | T1562.008 | Impair Defenses: Disable or Modify Cloud Logs | APT29 has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.(Citation: Mandiant APT29 Microsoft 365 2022)
Enterprise | T1070.004 | Indicator Removal: File Deletion | APT29 has used SDelete to remove artifacts from victim networks.(Citation: Mandiant No Easy Breach)
Enterprise | T1070.006 | Indicator Removal: Timestomp | APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1070.006 | Indicator Removal: Timestomp | APT29 modified timestamps of backdoors to match legitimate Windows files.(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1070.008 | Indicator Removal: Clear Mailbox Data | APT29 removed evidence of email export requests using
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | APT29 named tasks
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.(Citation: SentinelOne NobleBaron June 2021)(Citation: Mandiant APT29 Microsoft 365 2022)
Enterprise | T1556.007 | Modify Authentication Process: Hybrid Identity | APT29 has edited the `Microsoft.IdentityServer.Servicehost.exe.config` file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.(Citation: MagicWeb)
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | APT29 has used the `reg save` command to save registry hives.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | APT29 has used the `reg save` command to extract LSA secrets offline.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1003.006 | OS Credential Dumping: DCSync | APT29 leveraged privileged accounts to replicate directory service data with domain controllers.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | APT29 used large size files to avoid detection by security solutions with hardcoded size limits.(Citation: SentinelOne NobleBaron June 2021)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | APT29 used UPX to pack files.(Citation: Mandiant No Easy Breach)
Enterprise | T1027.006 | Obfuscated Files or Information: HTML Smuggling | APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.(Citation: ESET T3 Threat Report 2021)
Enterprise | T1588.002 | Obtain Capabilities: Tool | APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.(Citation: Mandiant No Easy Breach)(Citation: F-Secure The Dukes)(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | APT29 has used AdFind to enumerate domain groups.(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Citation: F-Secure The Dukes)(Citation: MSTIC NOBELIUM May 2021)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)
Enterprise | T1566.002 | Phishing: Spearphishing Link | APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.(Citation: Mandiant No Easy Breach)(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)
Enterprise | T1566.003 | Phishing: Spearphishing via Service | APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.(Citation: MSTIC NOBELIUM May 2021)
Enterprise | T1090.001 | Proxy: Internal Proxy | APT29 has used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion.(Citation: Symantec RAINDROP January 2021)(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1090.002 | Proxy: External Proxy | APT29 uses compromised residential endpoints as proxies for defense evasion and network access.(Citation: NCSC et al APT29 2024)
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network; APT29 has also used Tor.(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Oct 2021)
Enterprise | T1090.004 | Proxy: Domain Fronting | APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.(Citation: Mandiant No Easy Breach)
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | APT29 has used RDP sessions from public-facing systems to internal servers.(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | APT29 has used administrative accounts to connect over SMB to targeted users.(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1021.006 | Remote Services: Windows Remote Management | APT29 has used WinRM via PowerShell to execute commands and payloads on remote hosts.(Citation: Symantec RAINDROP January 2021)
Enterprise | T1021.007 | Remote Services: Cloud Services | APT29 has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment, including through the use of Azure AD PowerShell.(Citation: Mandiant Remediation and Hardening Strategies for Microsoft 365)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT29 has used named and hijacked scheduled tasks to establish persistence.(Citation: Mandiant No Easy Breach)
Enterprise | T1505.003 | Server Software Component: Web Shell | APT29 has installed web shells on exploited Microsoft Exchange servers.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline.(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.(Citation: FireEye SUNBURST Backdoor December 2020)
Enterprise | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | APT29 has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.(Citation: ESET T3 Threat Report 2021)
Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Secureworks IRON RITUAL Profile)(Citation: MSTIC Nobelium Oct 2021)
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | APT29 has used `mshta` to execute malicious scripts on a compromised host.(Citation: ESET T3 Threat Report 2021)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | APT29 has used
Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | APT29 has ensured web servers in a victim environment are Internet accessible before copying tools or malware to it.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1552.004 | Unsecured Credentials: Private Keys | APT29 obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.(Citation: Microsoft 365 Defender Solorigate)(Citation: Cybersecurity Advisory SVR TTP May 2021)
Enterprise | T1550.001 | Use Alternate Authentication Material: Application Access Token | APT29 has used compromised service principals to make changes to the Office 365 environment.(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | APT29 used Kerberos ticket attacks for lateral movement.(Citation: Mandiant No Easy Breach)
Enterprise | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | APT29 used stolen cookies to access cloud resources, and a forged
Enterprise | T1204.001 | User Execution: Malicious Link | APT29 has used various forms of spearphishing attempting to get a user to click on a malicious link.(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)
Enterprise | T1204.002 | User Execution: Malicious File | APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.(Citation: F-Secure The Dukes)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1078.003 | Valid Accounts: Local Accounts | APT29 targets dormant or inactive user accounts, accounts belonging to individuals no longer at the organization but whose accounts remain on the system, for access and persistence.(Citation: NCSC et al APT29 2024)
Enterprise | T1078.003 | Valid Accounts: Local Accounts | APT29 has used compromised local accounts to access victims' networks.(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | APT29 has gained access to a global administrator account in Azure AD and has used `Service Principal` credentials in Exchange.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | APT29 has used a compromised O365 administrator account to create a new Service Principal.(Citation: CrowdStrike StellarParticle January 2022)
Enterprise | T1102.002 | Web Service: Bidirectional Communication | APT29 has used social media platforms to hide communications to C2 servers.(Citation: ESET Dukes October 2019)
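The cloud identity rows above (trust modification T1484.002, additional cloud credentials T1098.001, email delegate permissions T1098.002, additional cloud roles T1098.003, device registration T1098.005) share one defensive angle: each is an administrative change that leaves a tenant audit record, and the group's pattern is one compromised admin chaining several of them. The Python below is an added example, not code from the ATT&CK page or from any cited vendor. It triages a constructed list of audit records against those operations and tags each hit with the ATT&CK ID from this table. The operation strings are assumed to follow Microsoft's unified audit log naming and should be checked against a real export; the `example.test` identities and all record contents are constructed.

```python
"""Triage of Microsoft 365 / Entra ID-style audit records for the cloud identity
operations this page attributes to APT29 (T1484.002, T1098.001/.002/.003/.005).
Added example, not code from the ATT&CK page or from any cited vendor.
Assumptions: operation strings follow Microsoft's unified audit log naming and
must be checked against a real export; all records below are constructed."""
import json
from collections import Counter

# Audit operation -> (ATT&CK sub-technique from this page, why it matters).
# The operation strings are assumed audit-log names, not taken from the page.
WATCHLIST = {
    "Set federation settings on domain.": ("T1484.002", "federation trust changed; verify the signing certificate"),
    "Add service principal credentials.": ("T1098.001", "credential added to a service principal or OAuth app"),
    "Add member to role.": ("T1098.003", "directory role granted"),
    "New-ManagementRoleAssignment": ("T1098.002", "Exchange role assigned"),
    "Register device.": ("T1098.005", "device registered to the tenant"),
}

# Roles named in this page's rows whose assignment is high severity on its own.
HIGH_RISK_ROLES = {"ApplicationImpersonation", "Company Administrator", "Global Administrator"}


def _role(record):
    """Pull the role name out of either an Exchange-style Parameters array
    or an Entra-style ModifiedProperties array; None if absent."""
    for p in record.get("Parameters", []):
        if p.get("Name") == "Role":
            return p.get("Value")
    for m in record.get("ModifiedProperties", []):
        if m.get("Name") == "Role.DisplayName":
            return m.get("NewValue")
    return None


def triage(records):
    """Return one finding per watched operation, tagged with the ATT&CK ID.

    Severity is 'high' when a high-risk role is involved, otherwise 'medium';
    operations not on the watchlist (routine mail access, sign-ins) are ignored."""
    findings = []
    for r in records:
        op = r.get("Operation")
        if op not in WATCHLIST:
            continue
        technique, why = WATCHLIST[op]
        role = _role(r)
        findings.append({
            "time": r.get("CreationTime"),
            "actor": r.get("UserId"),
            "operation": op,
            "technique": technique,
            "severity": "high" if role in HIGH_RISK_ROLES else "medium",
            "detail": why + (f"; role={role}" if role else ""),
        })
    return findings


def actors_with_multiple_findings(findings, min_count=2):
    """Actors behind several watched operations. The page's rows describe one
    compromised admin chaining trust, credential and role changes, so the
    cluster per actor matters more than any single event."""
    counts = Counter(f["actor"] for f in findings)
    return {actor: n for actor, n in counts.items() if n >= min_count}


# Constructed records in the shape of a unified audit log export (not real data).
SAMPLE_RECORDS = json.loads("""
[
 {"CreationTime": "2024-01-10T02:14:05", "UserId": "admin@example.test",
  "Operation": "Set federation settings on domain.",
  "ModifiedProperties": [{"Name": "IssuerUri", "NewValue": "http://sts.example.test/adfs/services/trust"}]},
 {"CreationTime": "2024-01-10T02:20:41", "UserId": "admin@example.test",
  "Operation": "Add service principal credentials.",
  "ModifiedProperties": [{"Name": "KeyDescription", "NewValue": "[KeyType=AsymmetricX509Cert,KeyUsage=Verify]"}]},
 {"CreationTime": "2024-01-10T02:31:12", "UserId": "admin@example.test",
  "Operation": "New-ManagementRoleAssignment",
  "Parameters": [{"Name": "Role", "Value": "ApplicationImpersonation"}, {"Name": "App", "Value": "mail-sync-app"}]},
 {"CreationTime": "2024-01-10T03:05:00", "UserId": "user@example.test",
  "Operation": "MailItemsAccessed", "Parameters": []}
]
""")

if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['time']} {f['severity']:6} {f['technique']} {f['actor']}: {f['operation']} ({f['detail']})")
    print("actors to review:", actors_with_multiple_findings(found))
```

Run against the constructed records, the routine `MailItemsAccessed` event is dropped, the three administrative changes are reported with their ATT&CK IDs, the `ApplicationImpersonation` assignment is escalated to high, and `admin@example.test` surfaces as the one actor tying the chain together. In a real tenant the same shape of check runs over an exported unified audit log, with the watchlist extended to whatever operation names your export actually carries.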
References
- Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
- NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
- Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
- CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
- National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
- Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
- Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock. (2021, December 6). Suspected Russian Activity Targeting Government and Business Entities Around the Globe. Retrieved April 15, 2022.
- UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
- Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
- ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
- Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
- Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
- Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
- Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
- Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
- MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.
- NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
- PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
- PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
- UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services. Retrieved April 16, 2021.
- UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise. Retrieved April 16, 2021.
- UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
- Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.
- White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.