ATK7

Presumed Origin: Russia

Alias: APT 29, APT29, Cozer, Cozy Bear, CozyBear, CozyCar, Cozy Duke, CozyDuke, Dukes, EuroAPT, Grizzly Steppe, Group 100, Hammer Toss, Iron Hemlock, Minidionis, NOBELIUM, Office Monkeys, OfficeMonkeys, SeaDuke, The Dukes, UNC2452, YTTRIUM

ATK7 (aka: APT29, NOBELIUM, UNC2452) is an attacker group that has existed since at least 2008 and is believed to act on behalf of the Russian government. The group is composed of highly competent, well-organized members, which allows it to run complex and long-running campaigns. Its main goal is espionage and intelligence collection. The group therefore targets Western organizations, with a special focus on governmental bodies, think tanks, etc. It has also occasionally expanded its reach to governments in the Middle East, Asia, Africa and elsewhere. To reach its goal, the group has used multiple families of malware.

The group aims to act fast, albeit in a noisy way: its campaigns are not designed to be discreet, but to reach a large number of victims, followed by the deployment of malware that quickly grabs and exfiltrates all potentially interesting information. Once a victim of interest has been identified, the group often switches to a different, stealthier malware designed for long-term persistence, in order to gather intelligence.

In recent years, the group has been running these campaigns bi-annually.

The group is suspected of being responsible for the 2015 hack of multiple governmental institutions in the USA, including the White House, the Pentagon and the Department of State (DoS).

The group is the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, the TEARDROP malware and related components.

In mid-2021, the group ran an election-fraud-themed phishing campaign that delivered a Cobalt Strike beacon.

In the same year, the group was also observed targeting an Israeli embassy, an Iranian embassy and the Indian government with malicious documents delivering multiple versions of the same Cobalt Strike beacon.

In 2022, European governments and several diplomatic institutions were targeted in the same way.

Target sectors

  • Defense
  • Government and administration agencies
  • Healthcare
  • Information Technology
  • International Organizations
  • Media
  • Military

Target countries

  • Azerbaijan
  • Belgium
  • Czechia
  • Georgia
  • Russian Federation
  • Romania
  • Portugal
  • Poland
  • Kazakhstan
  • Ireland
  • Hungary
  • Luxembourg
  • Kyrgyzstan
  • Spain
  • Turkey
  • Uganda
  • Ukraine
  • United States of America
  • Uzbekistan

Attack pattern

  • T1001 - Data Obfuscation
  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1005 - Data from Local System
  • T1007 - System Service Discovery
  • T1008 - Fallback Channels
  • T1010 - Application Window Discovery
  • T1015 - Accessibility Features
  • T1016 - System Network Configuration Discovery
  • T1018 - Remote System Discovery
  • T1020 - Automated Exfiltration
  • T1021 - Remote Services
  • T1023 - Shortcut Modification
  • T1024 - Custom Cryptographic Protocol
  • T1025 - Data from Removable Media
  • T1026 - Multiband Communication
  • T1027 - Obfuscated Files or Information
  • T1028 - Windows Remote Management
  • T1029 - Scheduled Transfer
  • T1030 - Data Transfer Size Limits
  • T1032 - Standard Cryptographic Protocol
  • T1033 - System Owner/User Discovery
  • T1035 - Service Execution
  • T1036 - Masquerading
  • T1039 - Data from Network Shared Drive
  • T1043 - Commonly Used Port
  • T1045 - Software Packing
  • T1046 - Network Service Scanning
  • T1047 - Windows Management Instrumentation
  • T1048 - Exfiltration Over Alternative Protocol
  • T1050 - New Service
  • T1053 - Scheduled Task
  • T1055 - Process Injection
  • T1056 - Input Capture
  • T1057 - Process Discovery
  • T1059 - Command-Line Interface
  • T1059.005 - Visual Basic
  • T1060 - Registry Run Keys / Startup Folder
  • T1063 - Security Software Discovery
  • T1064 - Scripting
  • T1066 - Indicator Removal from Tools
  • T1068 - Exploitation for Privilege Escalation
  • T1070 - Indicator Removal on Host
  • T1071 - Standard Application Layer Protocol
  • T1071.001 - Web Protocols
  • T1071.004 - DNS
  • T1075 - Pass the Hash
  • T1076 - Remote Desktop Protocol
  • T1077 - Windows Admin Shares
  • T1078 - Valid Accounts
  • T1079 - Multilayer Encryption
  • T1081 - Credentials in Files
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1084 - Windows Management Instrumentation Event Subscription
  • T1085 - Rundll32
  • T1086 - PowerShell
  • T1087 - Account Discovery
  • T1088 - Bypass User Account Control
  • T1090 - Connection Proxy
  • T1093 - Process Hollowing
  • T1094 - Custom Command and Control Protocol
  • T1095 - Standard Non-Application Layer Protocol
  • T1096 - NTFS File Attributes
  • T1097 - Pass the Ticket
  • T1098 - Account Manipulation
  • T1099 - Timestomp
  • T1101 - Security Support Provider
  • T1102 - Web Service
  • T1105 - Remote File Copy
  • T1106 - Execution through API
  • T1107 - File Deletion
  • T1113 - Screen Capture
  • T1114 - Email Collection
  • T1115 - Clipboard Data
  • T1116 - Code Signing
  • T1124 - System Time Discovery
  • T1132 - Data Encoding
  • T1134 - Access Token Manipulation
  • T1135 - Network Share Discovery
  • T1145 - Private Keys
  • T1172 - Domain Fronting
  • T1175 - Distributed Component Object Model
  • T1178 - SID-History Injection
  • T1185 - Man in the Browser
  • T1188 - Multi-hop Proxy
  • T1190 - Exploit Public-Facing Application
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1195.002 - Compromise Software Supply Chain
  • T1197 - BITS Jobs
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
  • T1207 - DCShadow
  • T1483 - Domain Generation Algorithms
  • T1485 - Data Destruction
  • T1497 - Virtualization/Sandbox Evasion
  • T1505.003 - Web Shell
  • T1573.002 - Asymmetric Cryptography
  • T1595.002 - Vulnerability Scanning

Motivation

  • Espionage
  • Information theft

Malware

  • CloudDuke
  • CosmicDuke
  • CozyDuke
  • GeminiDuke
  • GoldFinder
  • GoldMax
  • HammerDuke
  • MiniDuke
  • OnionDuke
  • PinchDuke
  • SUNBURST
  • SUNSHUTTLE
  • SeaDuke
  • Sibot
  • TEARDROP
  • WellMess

Vulnerabilities

  • CVE-2010-0232
  • CVE-2015-1641
  • CVE-2018-13379
  • CVE-2019-1653
  • CVE-2019-2725
  • CVE-2019-7609
  • CVE-2019-9670
  • CVE-2019-11510
  • CVE-2019-19781
  • CVE-2020-4006
  • CVE-2020-5902
  • CVE-2020-14882
  • CVE-2021-21972