{"id":7261,"date":"2022-08-12T08:34:49","date_gmt":"2022-08-12T15:34:49","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7261"},"modified":"2023-04-05T12:27:53","modified_gmt":"2023-04-05T19:27:53","slug":"an-exploration-of-russia-based-apt29s-recent-campaigns","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/an-exploration-of-russia-based-apt29s-recent-campaigns\/","title":{"rendered":"An Exploration of Russia-based APT29\u2019s Recent Campaigns"},"content":{"rendered":"

The infamous APT29 group has resurged in recent widespread campaigns that resort to credential extraction for gaining deeper access to vulnerable networks. Widely deployed platforms from Citrix, Fortinet, Pulse Secure, Synacor, and VMware are all in the crosshairs of APT29, bent on stealing credentials.<\/p>\n

 <\/p>\n

This blog details the Tactics, Techniques, and Procedures (TTPs) of the APT 29 group deployed in their recent campaign.\u00a0<\/strong><\/p>\n

 <\/p>\n

Who is APT 29?<\/h2>\n

The APT29 threat group has been attributed to the Russian government and is operating since 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015.<\/p>\n

Popular by the acronyms Nobelium, Cozy Bear or APT29, the group was also called out to be the Russian Foreign Intelligence Service (SVR) in a recent joint advisory<\/a> released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA).\u00a0 The advisory came in at the time of the Russia-Ukraine cyber war<\/a>, with economic sanctions imposed against the Russian government, tech firms, and nationals.<\/p>\n

 <\/p>\n

APT 29 \u2013 Tricks and Techniques<\/h2>\n

APT 29 is distinguished by its commitment to stealth and sophisticated implementations of techniques via an arsenal of custom malware. It typically accomplishes its goals via custom compiled binaries and alternate execution methods such as PowerShell and Windows Management Instrumentation (WMI). APT 29 has also been known to employ various operational cadences (smash-and-grab vs. slow-and-deliberate) depending on the perceived intelligence value and\/or infection method of victims.\"\"<\/p>\n

 <\/p>\n

Deepest Secrets of Russian APT 29<\/h2>\n

Operational Flow<\/strong><\/p>\n

Pupy<\/a>, Meterpreter<\/a>, and other custom\/modified scripts and payloads were tested and developed to execute the attack. Pupy and Meterpreter were chosen based on their available functionality and similarities to the adversary’s malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors.<\/p>\n