APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

ID: G0016
Associated Groups: IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard
Contributors: Daniyal Naeem, BT Security; Matt Brenton, Zurich Insurance Group; Katie Nickels, Red Canary; Joe Gumke, U.S. Bank; Liran Ravich, CardinalOps
Version: 6.1
Created: 31 May 2017
Last Modified: 03 September 2024

Associated Group Descriptions

Name Description
IRON RITUAL [15]
IRON HEMLOCK [16]
NobleBaron [17]
Dark Halo [12]
NOBELIUM [10][18][19][20]
UNC2452 [9]
YTTRIUM [21]
The Dukes [3][22][23][13]
Cozy Bear [5][22][23][13][24]
CozyDuke [5]
SolarStorm [14]
Blue Kitsune [25][26]
UNC3524 [27]
Midnight Blizzard [28]

Campaigns

ID Name First Seen Last Seen References Techniques
C0023 Operation Ghost September 2013 [22] October 2019 [22] [22]

Event Triggered Execution: Windows Management Instrumentation Event Subscription, Establish Accounts: Social Media Accounts, Develop Capabilities: Malware, Data Obfuscation: Steganography, Valid Accounts: Domain Accounts, Obfuscated Files or Information: Steganography, Web Service: Bidirectional Communication, Acquire Infrastructure: Domains

C0024 SolarWinds Compromise August 2019 [14] January 2021 [18] [7][8][29]

Windows Management Instrumentation, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Data from Information Repositories, Data from Information Repositories: Code Repositories, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Proxy: Internal Proxy, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Forge Web Credentials: SAML Tokens, Forge Web Credentials: Web Cookies, Use Alternate Authentication Material, Use Alternate Authentication Material: Application Access Token, Use Alternate Authentication Material: Web Session Cookie, Supply Chain Compromise: Compromise Software Supply Chain, Trusted Relationship, Exploit Public-Facing Application, Dynamic Resolution, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Domain Trust Discovery, Domain or Tenant Policy Modification: Trust Modification, Compromise Infrastructure: Domains, External Remote Services, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable Windows Event Logging, Impair Defenses: Disable or Modify System Firewall, Application Layer Protocol: Web Protocols, Develop Capabilities: Malware, Archive Collected Data: Archive via Utility, OS Credential Dumping: DCSync, Gather Victim Identity Information: Credentials, Data Staged: Remote Data Staging, File and Directory Discovery, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Valid Accounts: Cloud Accounts, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Valid Accounts, Unsecured Credentials: Private Keys, Permission Groups Discovery: Domain Groups, Permission Groups Discovery, Email Collection: Remote Email Collection, Indicator Removal: File Deletion, Indicator Removal: Timestomp, Indicator Removal, Indicator Removal: Clear Mailbox Data, Steal Web Session Cookie, Steal or Forge Kerberos Tickets: Kerberoasting, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery: Internet Connection Discovery, Acquire Infrastructure: Domains, Account Discovery: Domain Account, Account Discovery, Account Manipulation: Additional Email Delegate Permissions, Account Manipulation: Additional Cloud Roles, Account Manipulation: Device Registration, Account Manipulation: Additional Cloud Credentials, Ingress Tool Transfer, Process Discovery, Remote Services: Remote Desktop Protocol, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote System Discovery, Hide Infrastructure, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

APT29 used WMI to steal credentials and execute backdoors at a future time.[30]

During the SolarWinds Compromise, APT29 used WMI for the remote execution of files for lateral movement.[31][32]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.[13]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

APT29 has used WMI event subscriptions for persistence.[30]

During the SolarWinds Compromise, APT29 used a WMI event filter to invoke a command-line event consumer at system boot time to launch a backdoor with rundll32.exe.[32][31]

During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware.[22]
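The persistence pattern described above (a WMI event filter bound to a command-line consumer that launches rundll32.exe at boot) lives entirely in the root\subscription namespace, so a defender can enumerate it directly. The following is an added example, not code from the ATT&CK page or from any of the cited reports; it assumes local administrator rights on the host, and the binary and query keyword lists it flags on are assumptions to be tuned to the environment:

```powershell
# Added example (not from the ATT&CK page): enumerate permanent WMI event subscriptions
# and flag the filter-to-consumer bindings that match the pattern described above.
# Assumes an elevated PowerShell session; keyword lists below are assumptions.
function Get-WmiSubscriptionReport {
    param([string]$Namespace = 'root\subscription')

    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

    # Proxy binaries commonly found in consumer command lines (assumed list; extend as needed).
    $lolbinPattern = 'rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd\.exe'
    # WQL fragments typical of "fire once shortly after boot" filters (assumed list).
    $bootPattern   = 'Win32_PerfFormattedData_PerfOS_System|SystemUpTime|Win32_ComputerSystem'

    foreach ($b in $bindings) {
        # Get-CimInstance returns the Filter/Consumer references as embedded instances,
        # while Get-WmiObject returns path strings ('__EventFilter.Name="x"'); handle both.
        $filterName   = if ($b.Filter   -is [string]) { [regex]::Match($b.Filter,   'Name="([^"]+)"').Groups[1].Value } else { $b.Filter.Name }
        $consumerName = if ($b.Consumer -is [string]) { [regex]::Match($b.Consumer, 'Name="([^"]+)"').Groups[1].Value } else { $b.Consumer.Name }

        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        $consumerType = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }
        $payload = switch ($consumerType) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { $null }
        }

        $flags = @()
        if ($payload -and $payload -match $lolbinPattern) { $flags += 'proxy-binary-in-consumer' }
        if ($f -and $f.Query -match $bootPattern)        { $flags += 'boot-triggered-filter' }
        if (-not $f -or -not $c)                         { $flags += 'dangling-binding' }

        [pscustomobject]@{
            Filter       = $filterName
            Query        = if ($f) { $f.Query } else { $null }
            ConsumerType = $consumerType
            Consumer     = $consumerName
            Payload      = $payload
            Flags        = $flags -join ','
        }
    }
}

# Print every binding for the record, then only the ones carrying a flag.
$report = Get-WmiSubscriptionReport
$report | Format-List
$report | Where-Object { $_.Flags } | Format-Table Filter, ConsumerType, Flags -AutoSize
```

A stock Windows install normally carries one benign binding in this namespace (the SCM Event Log filter and consumer); anything beyond that baseline, and in particular a CommandLineEventConsumer whose template names a proxy binary, is what the flags are meant to surface. Run the function from a scheduled collection job or an EDR script task so the output can be diffed over time rather than read once.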

.008 Event Triggered Execution: Accessibility Features

APT29 used sticky-keys to obtain unauthenticated, privileged console access.[30][33]

Enterprise T1651 Cloud Administration Command

APT29 has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines.[34]

Enterprise T1213 Data from Information Repositories

During the SolarWinds Compromise, APT29 accessed victims' internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.[24]

.003 Code Repositories

During the SolarWinds Compromise, APT29 downloaded source code from code repositories.[35]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

During the SolarWinds Compromise, APT29 stole users' saved passwords from Chrome.[24]

Enterprise T1005 Data from Local System

APT29 has stolen data from compromised hosts.[27]

During the SolarWinds Compromise, APT29 extracted files from compromised networks.[12]

Enterprise T1090 .001 Proxy: Internal Proxy

During the SolarWinds Compromise, APT29 used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of Cobalt Strike to use a network pipe over SMB.[24][36]

.002 Proxy: External Proxy

APT29 uses compromised residential endpoints as proxies for defense evasion and network access.[37]

.003 Proxy: Multi-hop Proxy

A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network; APT29 has also used Tor more generally.[30][34]

.004 Proxy: Domain Fronting

APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[30]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

During the SolarWinds Compromise, APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.[12]

.005 Masquerading: Match Legitimate Name or Location

APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.[17][38]

During the SolarWinds Compromise, APT29 renamed software and DLLs with legitimate names to appear benign.[12][39]

Enterprise T1606 .001 Forge Web Credentials: Web Cookies

During the SolarWinds Compromise, APT29 bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.[12]

.002 Forge Web Credentials: SAML Tokens

During the SolarWinds Compromise, APT29 created tokens using compromised SAML signing certificates.[40][15]

Enterprise T1550 .001 Use Alternate Authentication Material: Application Access Token

During the SolarWinds Compromise, APT29 used compromised service principals to make changes to the Office 365 environment.[24]

.003 Use Alternate Authentication Material: Pass the Ticket

APT29 used Kerberos ticket attacks for lateral movement.[30]

.004 Use Alternate Authentication Material: Web Session Cookie

During the SolarWinds Compromise, APT29 used stolen cookies to access cloud resources and a forged duo-sid cookie to bypass MFA set on an email account.[12][24]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

During the SolarWinds Compromise, APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.[41][9][13][32]

Enterprise T1199 Trusted Relationship

APT29 has compromised IT, cloud services, and managed services providers to gain broad access to multiple customers for subsequent operations.[34]

During the SolarWinds Compromise, APT29 gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.[13][24]

Enterprise T1556 .007 Modify Authentication Process: Hybrid Identity

APT29 has edited the Microsoft.IdentityServer.Servicehost.exe.config file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.[42]

Enterprise T1136 .003 Create Account: Cloud Account

APT29 can create new users through Azure AD.[34]

Enterprise T1190 Exploit Public-Facing Application

APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.[13][23]

During the SolarWinds Compromise, APT29 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[12][13]

Enterprise T1573 Encrypted Channel

APT29 has used multiple layers of encryption within malware to protect C2 communication.[16]

Enterprise T1568 Dynamic Resolution

APT29 has used Dynamic DNS providers for their malware C2 infrastructure.[27]

During the SolarWinds Compromise, APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.[12]

Enterprise T1140 Deobfuscate/Decode Files or Information

During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware.[36]

Enterprise T1037 Boot or Logon Initialization Scripts

APT29 has hijacked legitimate application-specific startup scripts to enable malware to execute on system startup.[27]

.004 RC Scripts

APT29 has installed a run command on a compromised system to enable malware execution on system startup.[27]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT29 added Registry Run keys to establish persistence.[30]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.[43][30][44][16]

During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.[12][39][24]

.003 Command and Scripting Interpreter: Windows Command Shell

During the SolarWinds Compromise, APT29 used cmd.exe to execute commands on remote machines.[12][39]

.005 Command and Scripting Interpreter: Visual Basic

For the SolarWinds Compromise, APT29 wrote malware such as Sibot in Visual Basic.[13]

.006 Command and Scripting Interpreter: Python

APT29 has developed malware variants written in Python.[43]

.009 Command and Scripting Interpreter: Cloud API

APT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. They have also utilized AADInternals PowerShell modules to access the API.[19]

Enterprise T1482 Domain Trust Discovery

During the SolarWinds Compromise, APT29 used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.[12] They also used AdFind to enumerate domains and to discover trust between federated domains.[24][32]

Enterprise T1484 .002 Domain or Tenant Policy Modification: Trust Modification

During the SolarWinds Compromise, APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.[15][31]

Enterprise T1584 .001 Compromise Infrastructure: Domains

For the SolarWinds Compromise, APT29 compromised domains to use for C2.[10]

Enterprise T1133 External Remote Services

APT29 has used compromised identities to access networks via VPNs and Citrix.[23][38]

For the SolarWinds Compromise, APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools.[10][24]

Enterprise T1621 Multi-Factor Authentication Request Generation

APT29 has used repeated MFA requests to gain access to victim accounts.[45][37]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

During the SolarWinds Compromise, APT29 used the service control manager on a remote system to disable services associated with security monitoring products.[32]

.002 Impair Defenses: Disable Windows Event Logging

During the SolarWinds Compromise, APT29 used AUDITPOL to prevent the collection of audit logs.[32]

.004 Impair Defenses: Disable or Modify System Firewall

During the SolarWinds Compromise, APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.[32]

.008 Impair Defenses: Disable or Modify Cloud Logs

APT29 has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.[38]

Enterprise T1203 Exploitation for Client Execution

APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.[3][13][18]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During the SolarWinds Compromise, APT29 used HTTP for C2 and data exfiltration.[12]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes.[22]

Enterprise T1587 .001 Develop Capabilities: Malware

APT29 has used unique malware in many of their operations.[3][30][19][27]

For the SolarWinds Compromise, APT29 used numerous pieces of malware that were likely developed for or by the group, including SUNBURST, SUNSPOT, Raindrop, and TEARDROP.[9][11][32]

For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke.[22]

.003 Develop Capabilities: Digital Certificates

APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.[25][26]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

During the SolarWinds Compromise, APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; APT29 also compressed text files into zipped archives.[12][32][24]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

APT29 has used the reg save command to save registry hives.[27]

.004 OS Credential Dumping: LSA Secrets

APT29 has used the reg save command to extract LSA secrets offline.[27]

.006 OS Credential Dumping: DCSync

During the SolarWinds Compromise, APT29 used privileged accounts to replicate directory service data with domain controllers.[31][32][24]

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

For the SolarWinds Compromise, APT29 conducted credential theft operations to obtain credentials to be used for access to victim environments.[24]

Enterprise T1074 .002 Data Staged: Remote Data Staging

During the SolarWinds Compromise, APT29 staged data and files in password-protected archives on a victim's OWA server.[12]

Enterprise T1001 .002 Data Obfuscation: Steganography

During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers.[22]

Enterprise T1083 File and Directory Discovery

During the SolarWinds Compromise, APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.[12]

Enterprise T1110 .001 Brute Force: Password Guessing

APT29 has successfully conducted password guessing attacks against a list of mailboxes.[38]

.003 Brute Force: Password Spraying

APT29 has conducted brute force password spray attacks.[20][34][37]

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

During the SolarWinds Compromise, APT29 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.[12]

Enterprise T1078 Valid Accounts

APT29 has used a compromised account to access an organization's VPN infrastructure.[38]

During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally.[9][10][13]

.002 Domain Accounts

During the SolarWinds Compromise, APT29 used domain administrators' accounts to help facilitate lateral movement on compromised networks.[24]

For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.[22]

.003 Local Accounts

APT29 targets dormant or inactive user accounts (accounts belonging to individuals who have left the organization but that remain on the system) for access and persistence.[37]

During the SolarWinds Compromise, APT29 used compromised local accounts to access victims' networks.[24]

.004 Cloud Accounts

APT29 has gained access to a global administrator account in Azure AD and has used Service Principal credentials in Exchange.[38][27]

During the SolarWinds Compromise, APT29 used a compromised O365 administrator account to create a new Service Principal.[24]

Enterprise T1505 .003 Server Software Component: Web Shell

APT29 has installed web shells on exploited Microsoft Exchange servers.[13][27]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

During the SolarWinds Compromise, APT29 obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[31][13]

Enterprise T1068 Exploitation for Privilege Escalation

APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host.[44]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

During the SolarWinds Compromise, APT29 used AdFind to enumerate domain groups.[24]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

APT29 used large size files to avoid detection by security solutions with hardcoded size limits.[17]

.002 Obfuscated Files or Information: Software Packing

APT29 used UPX to pack files.[30]

.003 Obfuscated Files or Information: Steganography

During Operation Ghost, APT29 used steganography to hide payloads inside valid images.[22]

.006 Obfuscated Files or Information: HTML Smuggling

APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.[44]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT29 has bypassed UAC.[30]

Enterprise T1204 .001 User Execution: Malicious Link

APT29 has used various forms of spearphishing attempting to get a user to click on a malicious link.[18][46]

.002 User Execution: Malicious File

APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.[3][44][16]

Enterprise T1114 .002 Email Collection: Remote Email Collection

APT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Exchange servers, including via Exchange Web Services (EWS) API requests.[38][27]

During the SolarWinds Compromise, APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.[12][13]

Enterprise T1070 .004 Indicator Removal: File Deletion

APT29 has used SDelete to remove artifacts from victim networks.[30]

During the SolarWinds Compromise, APT29 routinely removed their tools, including custom backdoors, once remote access was achieved.[9]

.006 Indicator Removal: Timestomp

APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory.[27]

During the SolarWinds Compromise, APT29 modified timestamps of backdoors to match legitimate Windows files.[32]

.008 Indicator Removal: Clear Mailbox Data

During the SolarWinds Compromise, APT29 removed evidence of email export requests using Remove-MailboxExportRequest.[12]

Enterprise T1539 Steal Web Session Cookie

During the SolarWinds Compromise, APT29 stole Chrome browser cookies by copying the Chrome profile directories of targeted users.[24]

Enterprise T1528 Steal Application Access Token

APT29 uses stolen tokens to access victim accounts, without needing a password.[37]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

During the SolarWinds Compromise, APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline.[32]

Enterprise T1649 Steal or Forge Authentication Certificates

APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.[47]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

APT29 has used mshta to execute malicious scripts on a compromised host.[44]

.011 System Binary Proxy Execution: Rundll32

During the SolarWinds Compromise, APT29 used Rundll32.exe to execute payloads.[40][32]

Enterprise T1082 System Information Discovery

During the SolarWinds Compromise, APT29 used fsutil to check available free space before executing actions that might create large files on disk.[32]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

APT29 has ensured web servers in a victim environment are Internet accessible before copying tools or malware to it.[27]

During the SolarWinds Compromise, APT29 used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.[10]

Enterprise T1102 .002 Web Service: Bidirectional Communication

For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers.[22]

Enterprise T1583 .001 Acquire Infrastructure: Domains

For the SolarWinds Compromise, APT29 acquired C2 domains, sometimes through resellers.[10][48]

For Operation Ghost, APT29 registered domains for use in C2 including some crafted to appear as existing legitimate domains.[22]

.006 Acquire Infrastructure: Web Services

APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.[49][18]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.[30][3][27]

Enterprise T1087 .002 Account Discovery: Domain Account

During the SolarWinds Compromise, APT29 used PowerShell to discover domain accounts by executing Get-ADUser and Get-ADGroupMember.[24][15]

.004 Account Discovery: Cloud Account

APT29 has conducted enumeration of Azure AD accounts.[34]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

APT29 has compromised email accounts to further enable phishing campaigns and taken control of dormant accounts.[50][38]

.003 Compromise Accounts: Cloud Accounts

APT29 has used residential proxies, including Azure Virtual Machines, to obfuscate their access to victim environments.[38]

Enterprise T1098 .001 Account Manipulation: Additional Cloud Credentials

During the SolarWinds Compromise, APT29 added credentials to OAuth Applications and Service Principals.[40][24]

.002 Account Manipulation: Additional Email Delegate Permissions

APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with ApplicationImpersonation rights to start collecting emails from targeted mailboxes; APT29 has also used compromised accounts holding ApplicationImpersonation rights in Exchange to collect emails.[38][27]

During the SolarWinds Compromise, APT29 added their own devices as allowed IDs for active sync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.[12][40][34]

.003 Account Manipulation: Additional Cloud Roles

During the SolarWinds Compromise, APT29 granted company administrator privileges to a newly created service principal.[24]

.005 Account Manipulation: Device Registration

APT29 has enrolled their own devices into compromised cloud tenants, including enrolling a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account.[38][37]

During the SolarWinds Compromise, APT29 registered devices in order to enable mailbox syncing via the Set-CASMailbox command.[12]
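The mailbox-collection chain described across the entries above (New-MailboxExportRequest followed by Remove-MailboxExportRequest, and Set-CASMailbox used to add an attacker device to a mailbox's ActiveSync allow-list) leaves artifacts an Exchange administrator can query. The following is an added example, not code from the ATT&CK page or from any cited report; it assumes an on-premises Exchange Management Shell session with the Organization Management (or View-Only Organization Management) role, and the 30-day lookback is an assumption:

```powershell
# Added example (not from the ATT&CK page): audit mailbox export activity and
# ActiveSync device allow-lists in on-premises Exchange. Assumes the Exchange
# Management Shell; the lookback window is an assumption.
function Get-MailboxCollectionAudit {
    param([int]$DaysBack = 30)
    $since = (Get-Date).AddDays(-$DaysBack)
    $now   = Get-Date

    # 1. Export requests that still exist. A removed request leaves no object behind,
    #    which is why step 2 also consults the admin audit log.
    $liveExports = Get-MailboxExportRequest -ResultSize Unlimited |
        Get-MailboxExportRequestStatistics |
        Select-Object Name, SourceAlias, FilePath, Status, QueuedTimestamp

    # 2. Every New-/Remove-MailboxExportRequest and Set-CASMailbox call is recorded
    #    in the admin audit log with the account that ran it.
    $auditHits = Search-AdminAuditLog -StartDate $since -EndDate $now `
        -Cmdlets New-MailboxExportRequest,Remove-MailboxExportRequest,Set-CASMailbox |
        ForEach-Object {
            [pscustomobject]@{
                RunDate    = $_.RunDate
                Caller     = $_.Caller
                Cmdlet     = $_.CmdletName
                Target     = $_.ObjectModified
                # CmdletParameters is a collection of Name/Value pairs; flatten for display.
                Parameters = ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            }
        }

    # 3. Mailboxes with an explicit ActiveSync device allow-list. Each allowed DeviceId is
    #    compared with the devices that have actually partnered with the mailbox; an allowed
    #    ID with no partnership, or one whose first sync falls inside the window, is flagged.
    $allowLists = Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncAllowedDeviceIDs.Count -gt 0 } |
        ForEach-Object {
            $mbx   = $_
            $known = @{}
            foreach ($d in (Get-MobileDevice -Mailbox $mbx.Identity)) { $known[$d.DeviceId] = $d }
            foreach ($id in $mbx.ActiveSyncAllowedDeviceIDs) {
                $dev = $known[$id]
                [pscustomobject]@{
                    Mailbox       = $mbx.Identity
                    AllowedId     = $id
                    DeviceType    = if ($dev) { $dev.DeviceType } else { '<no partnership>' }
                    FirstSyncTime = if ($dev) { $dev.FirstSyncTime } else { $null }
                    Flag          = if (-not $dev -or $dev.FirstSyncTime -ge $since) { 'review' } else { '' }
                }
            }
        }

    [pscustomobject]@{
        LiveExportRequests   = $liveExports
        AuditLogHits         = $auditHits
        ActiveSyncAllowLists = $allowLists
    }
}

$audit = Get-MailboxCollectionAudit -DaysBack 30
$audit.LiveExportRequests   | Format-Table -AutoSize
$audit.AuditLogHits         | Format-Table -AutoSize
$audit.ActiveSyncAllowLists | Where-Object Flag -eq 'review' | Format-Table -AutoSize
```

The audit log lookup is the part that survives clean-up: Remove-MailboxExportRequest deletes the request object, but the log entry for the removal itself, and for the export that preceded it, remains with the caller's identity. Export requests whose FilePath points at a web-accessible location such as an OWA directory, and allow-list entries with no matching partnership, are the two results that most directly reflect the tradecraft described above.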

Enterprise T1105 Ingress Tool Transfer

APT29 has downloaded additional tools and malware onto compromised networks.[30][25][3][27]

During the SolarWinds Compromise, APT29 downloaded additional malware, such as TEARDROP and Cobalt Strike, onto a compromised host following initial access.[9]

Enterprise T1057 Process Discovery

During the SolarWinds Compromise, APT29 used multiple command-line utilities to enumerate running processes.[12][32][24]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

During the SolarWinds Compromise, APT29 used RDP sessions from public-facing systems to internal servers.[24]

.002 Remote Services: SMB/Windows Admin Shares

During the SolarWinds Compromise, APT29 used administrative accounts to connect over SMB to targeted users.[24]

.006 Remote Services: Windows Remote Management

During the SolarWinds Compromise, APT29 used WinRM via PowerShell to execute commands and payloads on remote hosts.[36]

.007 Remote Services: Cloud Services

APT29 has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment, including through the use of Azure AD PowerShell.[51]

Enterprise T1018 Remote System Discovery

During the SolarWinds Compromise, APT29 used AdFind to enumerate remote systems.[32]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.[3][18][44][16]

.002 Phishing: Spearphishing Link

APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[30][18][46]

.003 Phishing: Spearphishing via Service

APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.[18]

Enterprise T1665 Hide Infrastructure

APT29 uses compromised residential endpoints, typically within the same ISP IP address range, as proxies to hide the true source of C2 traffic.[37]

During the SolarWinds Compromise, APT29 set the hostnames of their C2 infrastructure to match legitimate hostnames in the victim environment. They also used IP addresses originating from the same country as the victim for their VPN infrastructure.[9]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT29 has used named and hijacked scheduled tasks to establish persistence.[30]

During the SolarWinds Compromise, APT29 used scheduler and schtasks to create new tasks on remote hosts as part of their lateral movement. They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted.[12][9][11]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

During the SolarWinds Compromise, APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.[9]

.005 Subvert Trust Controls: Mark-of-the-Web Bypass

APT29 has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.[44]

Software

ID Name References Techniques
S0677 AADInternals [34] Cloud Service Discovery, Cloud Administration Command, Data from Cloud Storage, Forge Web Credentials: SAML Tokens, Phishing for Information: Spearphishing Link, Modify Registry, Modify Authentication Process: Hybrid Identity, Modify Authentication Process: Multi-Factor Authentication, Create Account: Cloud Account, Command and Scripting Interpreter: PowerShell, Domain or Tenant Policy Modification: Trust Modification, OS Credential Dumping: LSA Secrets, Gather Victim Network Information: Domain Properties, Gather Victim Identity Information: Email Addresses, Exfiltration Over Alternative Protocol, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Permission Groups Discovery: Cloud Groups, Steal Application Access Token, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Account Discovery: Cloud Account, Account Manipulation: Device Registration, Phishing: Spearphishing Link
S0552 AdFind [39][24][44] Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Network Configuration Discovery, Account Discovery: Domain Account, Remote System Discovery
S0521 BloodHound [44] Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Password Policy Discovery, Archive Collected Data, Native API, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, System Owner/User Discovery, Group Policy Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Remote System Discovery
S0635 BoomBox [19] Masquerading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Application Layer Protocol: Web Protocols, Execution Guardrails, File and Directory Discovery, Obfuscated Files or Information, User Execution: Malicious File, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, Web Service, Account Discovery: Domain Account, Account Discovery: Email Account, Ingress Tool Transfer, Exfiltration Over Web Service: Exfiltration to Cloud Storage
S0054 CloudDuke [3] Application Layer Protocol: Web Protocols, Web Service: Bidirectional Communication, Ingress Tool Transfer
S0154 Cobalt Strike [9][13][18][19][17][44][15][46] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0050 CosmicDuke [3][16] Data from Removable Media, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Data from Network Shared Drive, Create or Modify System Process: Windows Service, Clipboard Data, Encrypted Channel: Symmetric Cryptography, Screen Capture, Application Layer Protocol: Web Protocols, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager, File and Directory Discovery, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exploitation for Privilege Escalation, Email Collection: Local Email Collection, Automated Exfiltration, Input Capture: Keylogging, Scheduled Task/Job: Scheduled Task
S0046 CozyCar [3][16] Masquerading: Rename System Utilities, Create or Modify System Process: Windows Service, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Obfuscated Files or Information: Encrypted/Encoded File, System Binary Proxy Execution: Rundll32, System Information Discovery, Web Service: Bidirectional Communication, Virtualization/Sandbox Evasion, Software Discovery: Security Software Discovery, Scheduled Task/Job: Scheduled Task
S0634 EnvyScout [19] Data from Local System, Masquerading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Windows Command Shell, Forced Authentication, Execution Guardrails, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: HTML Smuggling, User Execution: Malicious File, System Binary Proxy Execution: Rundll32, System Information Discovery, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Files and Directories
S0512 FatDuke [22][16] Data from Local System, Proxy: Internal Proxy, Masquerading, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Fallback Channels, Application Layer Protocol: Web Protocols, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Process Discovery
S0661 FoggyWeb [52] Data from Local System, Masquerading, Masquerading: Match Legitimate Name or Location, Use Alternate Authentication Material, Shared Modules, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Search Order Hijacking, Reflective Code Loading, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Archive Collected Data: Archive via Library, File and Directory Discovery, Unsecured Credentials: Private Keys, Native API, Obfuscated Files or Information: Compile After Delivery, Obfuscated Files or Information: Encrypted/Encoded File, Network Sniffing, Ingress Tool Transfer, Process Discovery, Exfiltration Over C2 Channel
S0049 GeminiDuke [3] Application Layer Protocol: Web Protocols, File and Directory Discovery, System Service Discovery, System Network Configuration Discovery, Account Discovery: Local Account, Process Discovery
S0597 GoldFinder [10][13][19][15] Application Layer Protocol: Web Protocols, System Network Configuration Discovery: Internet Connection Discovery, Automated Collection
S0588 GoldMax [10][13][18][19][15] Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Encrypted Channel: Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Obfuscation: Junk Data, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, System Time Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Exfiltration Over C2 Channel, Hide Artifacts: Ignore Process Interrupts, Scheduled Task/Job: Scheduled Task, Scheduled Task/Job: Cron
S0037 HAMMERTOSS [3][16] Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, Data Obfuscation: Steganography, Web Service: One-Way Communication, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Hide Artifacts: Hidden Window
S0357 Impacket [27] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0100 ipconfig [53] System Network Configuration Discovery
S0513 LiteDuke [22][16] Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Application Layer Protocol: Web Protocols, Query Registry, Obfuscated Files or Information: Steganography, Obfuscated Files or Information: Software Packing, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Software Discovery: Security Software Discovery, Ingress Tool Transfer
S0175 meek [30] Proxy: Domain Fronting
S0002 Mimikatz [3][31][24] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0051 MiniDuke [3][22][16] Proxy: Internal Proxy, Dynamic Resolution: Domain Generation Algorithms, Fallback Channels, Application Layer Protocol: Web Protocols, File and Directory Discovery, Obfuscated Files or Information, System Information Discovery, Web Service: Dead Drop Resolver, Ingress Tool Transfer
S0637 NativeZone [17] Masquerading, Deobfuscate/Decode Files or Information, Execution Guardrails, User Execution: Malicious File, System Binary Proxy Execution: Rundll32, Virtualization/Sandbox Evasion: System Checks
S0039 Net [53] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0052 OnionDuke [3][22][16] Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, OS Credential Dumping, Endpoint Denial of Service, Web Service: One-Way Communication
S0048 PinchDuke [3] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Application Layer Protocol: Web Protocols, OS Credential Dumping, File and Directory Discovery, System Information Discovery
S0518 PolyglotDuke [22][16] Modify Registry, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Steganography, System Binary Proxy Execution: Rundll32, Web Service: Dead Drop Resolver, Ingress Tool Transfer
S0150 POSHSPY [54] Event Triggered Execution: Windows Management Instrumentation Event Subscription, Encrypted Channel: Asymmetric Cryptography, Dynamic Resolution: Domain Generation Algorithms, Command and Scripting Interpreter: PowerShell, Data Transfer Size Limits, Obfuscated Files or Information, Indicator Removal: Timestomp, Ingress Tool Transfer
S0139 PowerDuke [55] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Window Discovery, Data Destruction, File and Directory Discovery, Obfuscated Files or Information: Steganography, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Hide Artifacts: NTFS File Attributes
S0029 PsExec [3][22] 创建或修改系统进程: Windows Service, 创建账户: Domain Account, 横向工具传输, 系统服务: Service Execution, 远程服务: SMB/Windows Admin Shares
S1084 QUIETEXIT [27] 代理: External Proxy, 伪装: Match Legitimate Name or Location, 回退信道, 应用层协议, 非应用层协议
S0565 Raindrop [36][19][15] 伪装, 伪装: Match Legitimate Name or Location, 反混淆/解码文件或信息, 混淆文件或信息: Encrypted/Encoded File, 混淆文件或信息: Software Packing, 混淆文件或信息: Steganography, 虚拟化/沙盒规避: Time Based Evasion
S0511 RegDuke [22][16] 事件触发执行: Windows Management Instrumentation Event Subscription, 修改注册表, 反混淆/解码文件或信息, 命令与脚本解释器: PowerShell, 混淆文件或信息: Steganography, 混淆文件或信息: Fileless Storage, 混淆文件或信息, 网络服务: Bidirectional Communication, 输入工具传输
S0684 ROADTools [34] 云服务发现, 有效账户: Cloud Accounts, 权限组发现: Cloud Groups, 自动化收集, 账号发现: Cloud Account, 远程系统发现
S0195 SDelete [30] 数据销毁, 移除指标: File Deletion
S0053 SeaDuke [3][16][43] 事件触发执行: Windows Management Instrumentation Event Subscription, 使用备用认证材料: Pass the Ticket, 加密通道: Symmetric Cryptography, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 启动或登录自动启动执行: Shortcut Modification, 命令与脚本解释器: Windows Command Shell, 命令与脚本解释器: PowerShell, 应用层协议: Web Protocols, 归档收集数据: Archive via Library, 数据编码: Standard Encoding, 有效账户, 混淆文件或信息: Software Packing, 电子邮件收集: Remote Email Collection, 移除指标: File Deletion, 输入工具传输
S0589 Sibot [10][13][19][15] Windows管理规范, 伪装: Match Legitimate Name or Location, 修改注册表, 反混淆/解码文件或信息, 命令与脚本解释器: Visual Basic, 应用层协议: Web Protocols, 查询注册表, 混淆文件或信息: Command Obfuscation, 混淆文件或信息: Fileless Storage, 移除指标: File Deletion, 移除指标, 系统二进制代理执行: Mshta, 系统二进制代理执行: Rundll32, 系统网络连接发现, 系统网络配置发现, 网络服务, 输入工具传输, 预定任务/作业: Scheduled Task
S0633 Sliver [13][16] 加密通道: Asymmetric Cryptography, 加密通道: Symmetric Cryptography, 屏幕捕获, 应用层协议: DNS, 应用层协议: Web Protocols, 数据混淆: Steganography, 数据编码: Standard Encoding, 文件和目录发现, 混淆文件或信息: Encrypted/Encoded File, 系统网络连接发现, 系统网络配置发现, 访问令牌操控, 输入工具传输, 进程注入, 通过C2信道渗出
S0516 SoreFang [23][53] 利用公开应用程序漏洞, 反混淆/解码文件或信息, 应用层协议: Web Protocols, 文件和目录发现, 权限组发现: Domain Groups, 混淆文件或信息, 系统信息发现, 系统网络配置发现, 账号发现: Domain Account, 账号发现: Local Account, 输入工具传输, 进程发现, 预定任务/作业: Scheduled Task
S0559 SUNBURST [9][18][15] Windows管理规范, 事件触发执行: Image File Execution Options Injection, 从本地系统获取数据, 伪装: Match Legitimate Name or Location, 修改注册表, 加密通道: Symmetric Cryptography, 动态解析, 命令与脚本解释器: Visual Basic, 妨碍防御: Disable or Modify Tools, 应用层协议: DNS, 应用层协议: Web Protocols, 数据混淆: Protocol or Service Impersonation, 数据混淆: Junk Data, 数据混淆: Steganography, 数据编码: Standard Encoding, 文件和目录发现, 查询注册表, 混淆文件或信息, 混淆文件或信息: Indicator Removal from Tools, 移除指标: Clear Persistence, 移除指标: File Deletion, 移除指标: Clear Network Connection History and Configurations, 移除指标, 系统二进制代理执行: Rundll32, 系统信息发现, 系统所有者/用户发现, 系统时间发现, 系统服务发现, 系统网络配置发现, 虚拟化/沙盒规避: Time Based Evasion, 虚拟化/沙盒规避: System Checks, 软件发现: Security Software Discovery, 输入工具传输, 进程发现, 颠覆信任控制: Code Signing
S0562 SUNSPOT [11][19] 伪装: Match Legitimate Name or Location, 供应链破坏: Compromise Software Supply Chain, 反混淆/解码文件或信息, 执行保护, 执行保护: Mutual Exclusion, 数据操控: Stored Data Manipulation, 文件和目录发现, 本机API, 混淆文件或信息, 移除指标: File Deletion, 访问令牌操控, 进程发现
S0096 Systeminfo [53] 系统信息发现
S0057 Tasklist [53] 系统服务发现, 软件发现: Security Software Discovery, 进程发现
S0560 TEARDROP [9][18][19][15] 伪装: Match Legitimate Name or Location, 修改注册表, 创建或修改系统进程: Windows Service, 反混淆/解码文件或信息, 查询注册表, 混淆文件或信息
S0183 Tor [30] 代理: Multi-hop Proxy, 加密通道: Asymmetric Cryptography
S0682 TrailBlazer [24] 事件触发执行: Windows Management Instrumentation Event Subscription, 伪装, 应用层协议: Web Protocols, 数据混淆: Junk Data, 数据混淆
S0636 VaporRage [19] 反混淆/解码文件或信息, 应用层协议: Web Protocols, 执行保护, 输入工具传输
S0515 WellMail [56][23][13] 从本地系统获取数据, 加密通道: Asymmetric Cryptography, 反混淆/解码文件或信息, 归档收集数据, 系统所有者/用户发现, 系统网络配置发现, 输入工具传输, 非应用层协议, 非标准端口
S0514 WellMess [25][26][57][23][13] 从本地系统获取数据, 加密通道: Asymmetric Cryptography, 加密通道: Symmetric Cryptography, 反混淆/解码文件或信息, 命令与脚本解释器: PowerShell, 命令与脚本解释器: Windows Command Shell, 应用层协议: DNS, 应用层协议: Web Protocols, 数据混淆: Junk Data, 数据编码: Standard Encoding, 权限组发现: Domain Groups, 系统信息发现, 系统所有者/用户发现, 系统网络配置发现, 输入工具传输

References

  1. White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.
  2. UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services. Retrieved April 16, 2021.
  3. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  4. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
  5. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  6. UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise. Retrieved April 16, 2021.
  7. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  8. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  9. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  10. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  11. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  12. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  13. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  14. Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.
  15. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
  16. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
  17. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
  18. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  19. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  20. MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.
  21. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
  22. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  23. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  24. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  25. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  26. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
  27. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  28. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  29. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
  30. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  31. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  32. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  33. Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.
  34. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  35. MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation – Final Update. Retrieved May 14, 2021.
  36. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  37. UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
  38. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  39. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  40. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  41. Sudhakar Ramakrishna. (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.
  42. Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.
  43. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  44. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
  45. Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock. (2021, December 6). Suspected Russian Activity Targeting Government and Business Entities Around the Globe. Retrieved April 15, 2022.
  46. Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022.
  47. Wolfram, J. et al. (2022, April 28). Trello From the Other Side: Tracking APT29 Phishing Campaigns. Retrieved August 3, 2022.
  48. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  49. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  50. ANSSI. (2021, December 6). PHISHING CAMPAIGNS BY THE NOBELIUM INTRUSION SET. Retrieved April 13, 2022.
  51. Mandiant. (2022, August). Remediation and Hardening Strategies for Microsoft 365 to Defend Against APT29. Retrieved February 21, 2023.
  52. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  53. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  54. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  55. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  56. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  57. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.