APT29

Posted: July 17, 2020

APT29 Description

APT29 is a Russia-based threat actor specializing in exfiltrating information from high-security targets like government networks and diplomatic embassies. This Persistent Threat is comparable to a more professional version of the loosely-related Fancy Bear or APT28 group. Users should install security updates for limiting infection possibilities and let high-quality anti-malware solutions remove all threats related to APT29.

Russian Spies Develop an Interest in the Medical Field

Although APT29 (Cozy Bear, Office Monkeys, the Dukes and various other nicknames) is a Persistent Threat group since 2008, it remains stable and vigorous as an agent of data theft, similarly to its 'brother,' APT28. APT29's most infamous hacking expedition is, likely, its successful infiltration of the Democratic National Committee, but it also targets think tanks, non-government organizations (NGOs), European defense ministries and others. A recent catalog of these hackers' behavior shows, not a change of strategy, but focus.

As of the summer of 2020, APT29 attacks targets that have vested interests in or information concerning vaccination research for COVID-19. Unlike some espionage campaigns that convince victims to compromise networks through crafted e-mail messages and attachments, APT29 doesn't depend on any outside assistance. For a different way inside, it scans organizations' known IP addresses for software vulnerabilities and exploits them. Examples of at-risk software include Citrix Systems' cloud computing products, the Pulse Secure application and Zimbra's e-mail and collaboration suites.

Post-analysis, these attacks also give new insight into APT29's post-compromise methodology. Besides using previous tools like CHOPSTICK and CORESHELL, APT29 also has more modern Trojans: WellMess and WellMail. Both of them are backdoor Trojans that configure their attacks through Command & Control directives. Malware experts estimate their use as early-stage threats for credentials theft and greater network accessibility.

Sending Bears Back to the Woods

APT29, sometimes called Grizzly Steppe in conjunction with its kin Fancy Bear, has a long-standing history of relative professionalism and a willingness to use a range of backdoor and remote admin-capable tools. However, their current attacks depend on public vulnerabilities, which in most cases, are preventable through security patches. Admins should double-check all vulnerable software for updates that could prevent any attacks through APT29's current exploits.

Besides processing arbitrary shell commands, APT29's Trojans also are equipped with file exfiltration for collecting information and downloading for installing other threats frequently. Ideally, users should inform themselves on the basics of some of APT29's kit of tools, including recent backdoor Trojans like WellMess and older ones like MiniDuke (an Adobe PDF exploiter) and the HAMMERTOSS RAT. Most infections consist of multi-stage attacks with several threats and an emphasis on undetectable backdoor access for the attackers.

Entities at risk from APT29's campaigns include government entities ranging from the military to the diplomatic, but also industries like healthcare and the energy sector. Users always should depend on well-updated anti-malware services for rooting out and removing APT29's threats, which receive deployment with the intention of covert and long-term infiltration.

APT29's pivot towards collecting a solution to the Coronavirus epidemic is a surprise scarcely. Whether their hackers' intentions are charitable or mercantile, they serve as excellent examples of how public information can become a weapon between nations' cyber-wars.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to APT29 may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.