
APT29

Posted: July 17, 2020

APT29 is a Russia-based threat actor that specializes in exfiltrating information from high-security targets such as government networks and diplomatic missions. It is, in effect, a more disciplined counterpart to the loosely related Fancy Bear (APT28) group. Users and administrators should install security updates promptly to limit the group's intrusion options and rely on reputable anti-malware solutions to remove threats associated with APT29.

Russian Spies Develop an Interest in the Medical Field

Although APT29 (also known as Cozy Bear, Office Monkeys, the Dukes and various other nicknames) has been an Advanced Persistent Threat group since at least 2008, it remains as active and capable an agent of data theft as its 'brother,' APT28. APT29's most infamous operation is likely its successful infiltration of the Democratic National Committee, but it also targets think tanks, non-governmental organizations (NGOs), European defense ministries and others. A recent catalog of the group's behavior shows not a change of strategy but a change of focus.

As of the summer of 2020, APT29 is attacking targets that hold a stake in, or information about, COVID-19 vaccine research. Whereas many espionage campaigns rely on a victim opening a crafted e-mail message or attachment, this campaign does not depend on that kind of assistance. Instead, the group scans an organization's known IP addresses for Internet-facing software with unpatched vulnerabilities and exploits them directly. Examples of the at-risk software include Citrix Systems' remote-access and cloud computing products, the Pulse Secure VPN application and Zimbra's e-mail and collaboration suite.

Post-compromise analysis also gives new insight into APT29's methodology once inside a network. Alongside its older Duke-family tools, APT29 now fields two more modern backdoor Trojans: WellMess and WellMail. (CHOPSTICK and CORESHELL, sometimes mentioned alongside them, belong to the related APT28 group rather than to APT29.) Both Trojans take their instructions from a Command & Control server, and malware analysts assess that they are deployed soon after the initial exploit to run commands, harvest credentials and broaden the attackers' access to the network.

Sending Bears Back to the Woods

APT29, which together with its kin Fancy Bear is sometimes grouped under the name Grizzly Steppe, has a long-standing reputation for relative professionalism and a willingness to use a range of backdoor and remote-administration tools. Its current attacks, however, depend on publicly known vulnerabilities that in most cases are preventable through security patches. Administrators should double-check all potentially affected software, especially anything reachable from the Internet, for updates that close the holes APT29's current exploits rely on.
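The vulnerability scanning described in the previous section, and the patch check recommended just above, are easier to act on with an inventory of what your organization actually exposes. The following Python script is an added example (not code from the original article and not an APT29 tool): it takes the defender's side of the same exercise, grabbing HTTP banners from your own Internet-facing hosts and flagging the three products the article names (Citrix, Pulse Secure, Zimbra) for patch verification. The fingerprint regexes, the host addresses (the 203.0.113.0/24 documentation range) and the sample banners are assumptions constructed for the example; the script only identifies products and does not decide whether a host is vulnerable.

```python
"""
Defender-side exposure check.  Added example, not code from the original page
or from any APT29 tool: inventory your own externally reachable HTTP(S)
services, grab their banners and flag the products the article names as
targets of APT29's vulnerability scanning (Citrix, Pulse Secure, Zimbra) so
their patch status can be verified.  It does NOT determine vulnerability.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Product fingerprints.  The product names are the ones the article lists; the
# regexes are ASSUMPTIONS about strings commonly seen in those products'
# HTTP responses, not vendor-published or authoritative signatures.
PRODUCT_PATTERNS = {
    "Citrix Gateway/ADC": re.compile(r"citrix|netscaler", re.I),
    "Pulse Secure VPN": re.compile(r"pulse\s*secure|/dana-na/", re.I),
    "Zimbra Collaboration": re.compile(r"zimbra", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    product: str
    action: str = "verify vendor patch status; limit Internet exposure"


def classify_banner(host: str, port: int, banner: str) -> List[Finding]:
    """Return one Finding per listed product whose fingerprint appears in banner."""
    return [Finding(host, port, product)
            for product, pattern in PRODUCT_PATTERNS.items()
            if pattern.search(banner)]


def grab_http_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a minimal GET and return up to 4 KiB of the response (TLS on 443).
    Performs real network I/O; run it only against hosts you own."""
    request = (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: internal-exposure-check\r\nConnection: close\r\n\r\n")
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if port == 443:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False      # inventory check, not a trust decision
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request.encode())
        chunks, total = [], 0
        while total < 4096:
            data = sock.recv(1024)
            if not data:
                break
            chunks.append(data)
            total += len(data)
        return b"".join(chunks).decode("latin-1", errors="replace")
    finally:
        sock.close()


def scan_banners(samples: Iterable[Tuple[str, int, str]]) -> List[Finding]:
    """Classify already-collected (host, port, banner) triples; no network I/O."""
    findings: List[Finding] = []
    for host, port, banner in samples:
        findings.extend(classify_banner(host, port, banner))
    return findings


def scan_live(targets: Iterable[Tuple[str, int]]) -> List[Finding]:
    """Collect banners from your own hosts, then classify; unreachable hosts are skipped."""
    collected = []
    for host, port in targets:
        try:
            collected.append((host, port, grab_http_banner(host, port)))
        except (OSError, ssl.SSLError):
            continue
    return scan_banners(collected)


# CONSTRUCTED sample responses (not captured from real systems) so the
# classification logic can be exercised offline.  Addresses are from the
# 203.0.113.0/24 documentation range.
SAMPLE_BANNERS = [
    ("203.0.113.10", 443, "HTTP/1.1 302 Found\r\nLocation: /vpn/index.html\r\n"
                          "Server: Citrix NetScaler\r\n\r\n"),
    ("203.0.113.11", 443, "HTTP/1.1 302 Found\r\n"
                          "Location: /dana-na/auth/url_default/welcome.cgi\r\n\r\n"),
    ("203.0.113.12", 443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
                          "<title>Zimbra Web Client Sign In</title>"),
    ("203.0.113.13", 80,  "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n<html>ok</html>"),
]

if __name__ == "__main__":
    for f in scan_banners(SAMPLE_BANNERS):
        print(f"{f.host}:{f.port}  {f.product}  -> {f.action}")
```

Run it as-is to see the classification over the constructed banners; for a real inventory, feed `scan_live()` the (host, port) pairs from your own external address list. Treat every hit as "confirm the vendor patch is applied and ask whether the service needs to be on the Internet at all", not as a vulnerability verdict.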

Besides executing arbitrary shell commands, APT29's Trojans can exfiltrate files for intelligence collection and download additional payloads, which the group frequently uses to install further threats. Users should familiarize themselves with the basics of APT29's toolkit, including recent backdoor Trojans such as WellMess and older ones such as MiniDuke (delivered through malicious Adobe PDF documents) and the HAMMERTOSS RAT. Most infections are multi-stage attacks involving several threats, with an emphasis on backdoor access that stays hidden from the victim.

Entities at risk from APT29's campaigns include government bodies from the military to the diplomatic corps, as well as industries such as healthcare and the energy sector. Users should always rely on well-updated anti-malware services to root out and remove APT29's threats, which are deployed for covert, long-term infiltration.

APT29's pivot toward collecting work on a solution to the coronavirus epidemic is scarcely a surprise. Whether the hackers' intentions are charitable or mercantile, the campaign is an excellent example of how publicly known vulnerabilities can become weapons in nations' cyber-wars.
