Who is APT29?

As the best minds in the world work to develop a COVID-19 vaccine, they face a major cybersecurity threat. APT29, a threat group that is said to be backed by the Russian state, is allegedly attempting to steal data from academic and pharmaceutical institutions. According to cybersecurity researchers, attempted breaches have been detected at facilities in the U.S. and Asia.

Who is this group APT29, and why are they interested in COVID-19 data? We’ll break it down.

A long history

APT29 is also known as Cozy Bear, YTTRIUM, The Dukes and CozyDuke. APT29 has been linked to numerous attacks over the past 12 years. One of its most widely reported hacks disrupted the Democratic National Committee (DNC) during the last election.

So who’s behind this threat group? It has been linked to both Russia’s Federal Security Service (FSB) and the Foreign Intelligence Service of the Russian Federation (SVR). Their targets tend to be political in nature, going after think tanks, political groups and activists.

APT29’s profile on MITRE ATT&CK

As with all other threat actors, APT29’s behavior is carefully monitored through the MITRE Corporation, which is a not-for-profit organization that works across federal, state and local governments, as well as industry and academia. It manages federally funded research and development centers (FFRDCs) including the National Institute of Standards and Technology (NIST) and supports several U.S. government agencies. Researchers profile Tactics, Techniques, and Procedures leveraged throughout various attacks and place the techniques into the MITRE ATT&CK framework. APT29 is known to be very aggressive in its techniques, dropping executables and infiltrating systems to gather information.

“APT29 typically accomplishes its goals via custom compiled binaries and alternate execution methods such as PowerShell and WMI,” MITRE says in its emulation notes. “APT29 has also been known to employ various operational cadences (smash-and-grab vs. slow-and-deliberate) depending on the perceived intelligence value and/or infection method of victims.” The challenge with detecting binaries using the hash value is that attackers recompile the binaries which change the hash value — MITRE ATT&CK provides security teams with guidance on detecting anomalous behavior. It’s crucial to have detection capabilities that are IOC agnostic and focus on detecting the Tactics, Techniques, and Procedures (TTPs) within the MITRE ATT&CK framework.

According to the MITRE APT29 evaluation, 58 techniques are linked to APT29, including 12 techniques for privilege escalation, 13 techniques for credential access and nine techniques for lateral movement. 

APT29’s “spray and pray” attacks

By looking at APT29’s past known breaches, cybersecurity experts may be able to better watch for anomalies. In one tracked approach, APT29 sent an executable out to a wide range of sources. It uses its own custom tools, as well as malware like Meterpreter, for its spearphishing campaigns.

Once APT29’s tool has hit a vulnerable target, it proceeds to collect and search for certain file types, then it sends back information to the cyberattackers. This allows hackers to determine whether there’s anything of value at an endpoint. If there’s something of value there, a second, more malicious toolkit is dropped which can then compromise the network.

The methods used are in line with the cyber kill chain (CKC) model, a classic cybersecurity model developed by the computer security incident response team (CSIRT) at Lockheed Martin. The model describes an attack by an external attacker attempting to gain access to data or assets inside the security perimeter and lists the stages an attacker must go through to conduct an attack. Security teams can use the CKC to stop an attack at each stage.

Targeted breaches

With the second type of breach, APT29 once again uses custom tools, combined with a tried-and-true piece of malware, to infiltrate an endpoint. In this case, that known solution is PoshC2. PoshC2 is an open-source remote administration and post-exploitation framework that is publicly available on GitHub. 

APT29 focuses on a specific target, executing a payload that explores the environment in the first stage while establishing persistence. Once APT29 scopes out the situation, a low and slow infiltration begins, with a gradual takeover of the network through privilege escalation.

Privilege escalation occurs when an attacker gains access to an account and finds a way to increase the level of privileges associated with that account and leverage their access to gain access to other user accounts, or both. Privilege escalation attacks are used to gain access to networks to exfiltrate data, disrupt business activity, or install backdoors to allow continued access to internal systems.

“Both scenarios include executing previously established persistence mechanisms after a simulated time lapse to further the scope of the breach,” MITRE says.  

Protecting against APT29

It’s not just COVID-19 labs that are targets of an APT29 attack. Even non-political sources are vulnerable, especially in light of the current global political climate. Since APT29 takes a multi-stage approach to its attack, if you can catch the initial infiltration and stop it, you should be able to prevent its progression by following the cyber kill chain model. APT29’s tools are designed, after all, to first explore an environment, then take action.

But it’s important to note that APT29 attacks can occur in just a few hours time. Even if your team is diligently watching your network 24 hours a day, 365 days a year, you may not catch the attack until it’s too late. Organizations need to implement a security-in-depth strategy with detection capabilities geared towards detecting TTPs from the MITRE ATT&CK framework.

Mapping APT29 techniques to the cyber kill chain

As mentioned earlier, the cyber kill chain model outlines the stages of an attack. By following the model, each stage presents an opportunity to detect and respond to the attack. For APT29 the following stages were detected on the attack against the DNC during the 2016 elections and may give guidance on how to look for and build security defenses in the election process against them. 

Reconnaissance

In the first stage APT29 collects information on the target. In the DNC breach, two main reconnaissance techniques were used: network scanning and credential harvesting.

The network scanning looked for websites that were vulnerable to cross-site scripting (XSS) and structured query language (SQL) injections. 

Credential harvesting involved building pages to harvest legitimate user credentials. These were deployed through a spearphishing email to get users to click a link where they had to enter their details.

MITRE ATT&CK techniques: Input Capture (T1056), Network Service Scanning (T1046), System Network Configuration Discovery (T1016) 

Weaponization

In this stage APT29 embeds malicious macros into files such as PDFs and Microsoft Word sent through spearphishing emails. Microsoft Office documents were weaponized to create a macro that would launch a backdoor PowerShell code called POSHSPY/PowerDuke in the case of the DNC breach. 

MITRE ATT&CK techniques: Command and Scripting Interpreter (T1059), Command and Scripting Interpreter: PowerShell (T1059.001)

Delivery

APT29 used spearphishing emails to deliver and infect their targets with malicious attachments or URLs with malicious payloads.

MITRE ATT&CK techniques: Phishing (T1566), Phishing: Spearphishing Attachment (T1566.001), Phishing: Spearphishing Link (T1566.002)

Exploitation

This stage refers to the group using social engineering in this case spearphishing to gain entry into the network. APT29 is associated with some malware that exploit common vulnerabilities and exposures (CVEs) within a system. 

MITRE ATT&CK technique: Exploitation for Client Execution (T1203)

Installation

This stage covers the installation of the malicious code in the victim’s system which allows APT29 to permanently remain there until detected. In the DNC breach, users were sent a spear-phishing email that had a zip file attachment. The zip file had a document with a dropper to install the backdoor to the APT29 Command & Control Server.

MITRE ATT&CK techniques: User Execution (T1204), User Execution: Malicious File T1204.002)

Command and Control

Command and Control refers to the communication between APT29 and the infected system. In the DNC hack, the infected system was the DNC servers. 

MITRE ATT&CK techniques: Non Application Layer Protocol (T1095), Proxy (T1090), Proxy: Multi-hop Proxy (T1090.003), Proxy: Domain Fronting (T1090.004)

To learn more watch this video about how Exabeam leverages the MITRE ATT&CK framework to make it simple for analysts to identify TTPs that attackers use.

Exabeam uses the MITRE ATT&CK knowledge base to make it easy for analysts to keep up with common vulnerabilities. The alerts and notifications built into Exabeam will quickly identify anomalies in your network and let your cybersecurity team know so they can take action. With the right tools in place, you’ll be able to stay ahead of the latest threats, taking some of the pressure off your analysts.