ATK7

Presumed Origin: Russia < Back

Alias: APT 29, APT29, Cozer, Cozy Bear, CozyBear, CozyCar, Cozy Duke, CozyDuke, Dukes, EuroAPT, Grizzly Steppe, Group 100, Hammer Toss, Iron Hemlock, Minidionis, NOBELIUM, Office Monkeys, OfficeMonkeys, SeaDuke, The Dukes, UNC2452, YTTRIUM

ATK7 (aka: APT29, NOBELIUM, UNC2452) is an attacker group that exists since at least 2008 and that is believed to act for the Russian government. The group is composed of highy competent members that are well organized, allowing for complex and long-running campaigns. The group's main goal is espionage and intelligence collection. The group therefore targets Western organizations, with a special focus on governmental bodies, think tanks... It as also occasionally expanded its reach to governments in the Middle East, Asia, Africa, etc. In order to reach its goal, the group has used multiple families of malware.

The group aims to act fast, albeit in a noisy way: Their campaigns are not designed in order to be discrete, but to be distributed to a large number of victims, followed by deployment of a malware that will quickly grab and exfiltrate every potentially interesting information. When a victim of interest has been unmasked, the group will then often switch to a different, stealthier malware, designed for long-term persistence, in order to gather intelligence.

In recent years, the group has been leading these campaigns bi-annually.

The group is suspected to be responsible for the 2015 hack of multiple governmental institutions in the USA, including the White House, the Pentagon and the DoS.

The threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components.

They ran an election fraud themed phishing campaign in mid-2021 which delivered a Cobalt Strike beacon.

In the same year, they've also been observed targeting an Israeli and an Irianian embassy, the Indian gouvernment with maldoc delivering multiple versions of the same Cobalt Strike beacon.

In 2022, the European government and several diplomatic institutions were targeted in the same way.

REFERENCES

- 04/03/2021, Microsoft, GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence, https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- 13/12/2020, FireEye, Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://pylos.co/2018/11/18/cozybear-in-from-the-cold/
- https://securityaffairs.co/wordpress/78195/apt/apt29-malware-analysis.html
- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
- https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/

Target sector

Defense
Government and administration agencies
Healthcare
Information Technology
International Organizations
Media
Military

Target countries

Azerbaijan
Belgium
Czechia
Georgia
Russian Federation
Romania
Portugal
Poland
Kazakhstan
Ireland
Hungary
Luxembourg
Kyrgyzstan
Spain
Turkey
Uganda
Ukraine
United States Of America
Uzbekistan

Attack pattern

T1001 - Data Obfuscation
T1002 - Data Compressed
T1003 - Credential Dumping
T1005 - Data from Local System
T1007 - System Service Discovery
T1008 - Fallback Channels
T1010 - Application Window Discovery
T1015 - Accessibility Features
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1020 - Automated Exfiltration
T1021 - Remote Services
T1023 - Shortcut Modification
T1024 - Custom Cryptographic Protocol
T1025 - Data from Removable Media
T1026 - Multiband Communication
T1027 - Obfuscated Files or Information
T1028 - Windows Remote Management
T1029 - Scheduled Transfer
T1030 - Data Transfer Size Limits
T1032 - Standard Cryptographic Protocol
T1033 - System Owner/User Discovery
T1035 - Service Execution
T1036 - Masquerading
T1039 - Data from Network Shared Drive
T1043 - Commonly Used Port
T1045 - Software Packing
T1046 - Network Service Scanning
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1050 - New Service
T1053 - Scheduled Task
T1055 - Process Injection
T1056 - Input Capture
T1057 - Process Discovery
T1059 - Command-Line Interface
T1059.005 - Visual Basic
T1060 - Registry Run Keys / Startup Folder
T1063 - Security Software Discovery
T1064 - Scripting
T1066 - Indicator Removal from Tools
T1068 - Exploitation for Privilege Escalation
T1070 - Indicator Removal on Host
T1071 - Standard Application Layer Protocol
T1071.001 - Web Protocols
T1071.004 - DNS
T1075 - Pass the Hash
T1076 - Remote Desktop Protocol
T1077 - Windows Admin Shares
T1078 - Valid Accounts
T1079 - Multilayer Encryption
T1081 - Credentials in Files
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1084 - Windows Management Instrumentation Event Subscription
T1085 - Rundll32
T1086 - PowerShell
T1087 - Account Discovery
T1088 - Bypass User Account Control
T1090 - Connection Proxy
T1093 - Process Hollowing
T1094 - Custom Command and Control Protocol
T1095 - Standard Non-Application Layer Protocol
T1096 - NTFS File Attributes
T1097 - Pass the Ticket
T1098 - Account Manipulation
T1099 - Timestomp
T1101 - Security Support Provider
T1102 - Web Service
T1105 - Remote File Copy
T1106 - Execution through API
T1107 - File Deletion
T1113 - Screen Capture
T1114 - Email Collection
T1115 - Clipboard Data
T1116 - Code Signing
T1124 - System Time Discovery
T1132 - Data Encoding
T1134 - Access Token Manipulation
T1135 - Network Share Discovery
T1145 - Private Keys
T1172 - Domain Fronting
T1175 - Distributed Component Object Model
T1178 - SID-History Injection
T1185 - Man in the Browser
T1188 - Multi-hop Proxy
T1190 - Exploit Public-Facing Application
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1195.002 - Compromise Software Supply Chain
T1197 - BITS Jobs
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1207 - DCShadow
T1483 - Domain Generation Algorithms
T1485 - Data Destruction
T1497 - Virtualization/Sandbox Evasion
T1505.003 - Web Shell
T1573.002 - Asymmetric Cryptography
T1595.002 - Vulnerability Scanning

Motivation

Espionage
Information theft

Malwares

CloudDuke
CosmicDuke
CozyDuke
GeminiDuke
GoldFinder
GoldMax
HammerDuke
MiniDuke
OnionDuke
PinchDuke
SUNBURST
SUNSHUTTLE
SeaDuke
Sibot
TEARDROP
WellMess

Vulnerabilities

CVE-2010-0232
CVE-2015-1641
CVE-2018-13379
CVE-2019-1653
CVE-2019-2725
CVE-2019-7609
CVE-2019-9670
CVE-2019-11510
CVE-2019-19781
CVE-2020-4006
CVE-2020-5902
CVE-2020-14882
CVE-2021-21972