APT29 has been accused of targeting coronavirus vaccine organizations, but this is not the first time the group has attracted global attention
In a July 2020 report, the UK and its allies publicly blamed cyber-attacks on organizations involved in coronavirus vaccine development on APT29, a hacking group linked to Russian intelligence agencies.
The National Cyber Security Centre (NCSC), part of GCHQ, blamed APT29 for an ongoing campaign of malicious activity predominantly against government, diplomatic, think-tank, healthcare and energy targets to steal valuable intellectual property.
Known targets of APT29 include UK, US and Canadian vaccine research and development organizations, according to a joint alert by NCSC and its intelligence partners in the Canadian Communication Security Establishment and the National Security Agency (NSA).
A full assessment (PDF) offers advice to potentially targeted organizations, as well as firing a shot against the bow of Russian intelligence by publicly calling the Kremlin out for what the NCSCs director of operations, Paul Chichester, described as despicable attacks against those doing vital work to combat the coronavirus pandemic.
But what do we know about this threat group? The Daily Swig takes a deeper look.
APT29 is a hacking group that western intelligence agencies and various cybersecurity firms have linked to Russian state intelligence agencies.
Hacked security camera footage allowed the Dutch intelligence service AIVD to link APT29 to the Russian Foreign intelligence service (SVR).
Security intelligence firm CrowdStrike attributed APT29 to either the SVR or Russias Federal Security Service (FSB).
APT in this instance stands for advanced persistent threat security industry shorthand for a state-sponsored threat group.
APT29 has been given various nicknames by cybersecurity firms, including Cozy Bear, CozyDuke, and the Dukes, among others.
As well as espionage around Covid-19 vaccine data, APT29 has been blamed for a number of other high-profile attacks over the last five years, according to analysis from FireEye Mandiant.
These alleged incidents include:
According to Symantec, APT29 has been attacking diplomatic organizations and governments since at least 2010, if not earlier.
APT29 Cozy Bear was implicated alongside another Kremlin-linked hacker group, Fancy Bear (APT28, widely credited as a unit of the Russian military intelligence directorate, GRU), in the cyber-attacks against the DNC during 2016 US presidential election.
The threat group is known to be interested in foreign intelligence, according to Finnish security firm F-Secure.
APT29 has traditionally focused on intelligence to inform national and security policy, rather than the theft of intellectual property, Calvin Gan, manager at F-Secures tactical defense unit, told The Daily Swig.
However, Covid-19 could be such a major national security priority for Russia that they need all hands on deck.
The tradecraft of APT29 is generally credited as more subtle and sophisticated than that of APT28, the even more infamous Kremlin-linked cybercrime group.
Ben Read, senior manager of analysis at Mandiant Threat Intelligence, told The Daily Swig: APT29 has historically targeted geopolitical intelligence, with a focus on stealing information.
They have not been linked to the type of disruptive operations that APT28 and Sandworm team have undertaken but have instead operated with much more discretion.
APT29 uses a variety of tactics, techniques, and procedures (TTPs) including spear-phishing and custom malware known as WellMess and WellMail.
According to Mandiant, APT29 is an adaptive and disciplined threat group that hides its activity on a victims network.
In the past it has communicated infrequently and in a way that closely resembles legitimate traffic, Mandiant explains.
By using legitimate popular web services, the group has taken advantage of encrypted SSL connections, making detection even more difficult.
APT29 is one of the most evolved and capable threat groups, according to Mandiants analysis:
It deploys new backdoors to fix its own bugs and add features. It monitors network defender activity to maintain control over systems. APT29 has also often used compromised servers for [command and control] communication.
It counters attempts to remediate attacks. It also maintains a fast development cycle for its malware, quickly altering tools to hinder detection.
APT29 has been known to switch tactics and approaches (notably between smash-and-grab and slow-and-deliberate) depending on the perceived intelligence value and/or infection method of victims, according to an ATT&CK Evaluations assessment by Mitre Corporation.
APT29 is known to employ a vast arsenal of malware toolsets, according to F-Secure:
The Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations.
These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible.
If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.
More details on APT29s alleged tactics can be found in a recent white paper on APT29 by F-Secure (PDF).
Patch management and other techniques can help to defend against APT29 and similar attackers.
APT groups typically update their arsenal fairly quickly and are customized to the target or environment that they are interested in, F-Secures Gan explained.
While EDR [endpoint detection and response] is around to spot for suspicious behaviors within the network, it is only one part of the defense strategy.
There are other processes and technologies that must be in place to minimize loopholes as much as possible. This includes patch management, as we have seen in the recent advisory of how APT29 purportedly gained a foothold through known vulnerabilities.
Tony Cole, CTO at Attivo Networks, added: Its unfortunate that an actor such as APT29 with such sophisticated capabilities is still able to simply scan targets for existing known vulnerabilities and then compromise with little effort or use phishing emails to obtain their initial set of credentials.
Organizations must step up their efforts to counter adversaries targeting them.
Read more of the latest cyber-attack news
Cole continued: Patching is an imperative that must be met. Instrumentation focused on detection and lateral movement inside the network perimeter and across all endpoints is another imperative since prevention often fails regardless of defensive spending.
Charity Wright, a cyber threat intelligence advisor at IntSights and former NSA Chinese espionage expert, told The Daily Swig: The Russian intelligence services are organized and deliberate about their targeting, missions, and toolsets. They adapt and overcome target defenses and typically go after strategic intelligence, military, and government entities.
She advised: Organizations should understand what valuable data they have, which state-sponsored groups would be likely to target them either for their proprietary data or to use them as a third party to pivot to their target, and be prepared to defend against those APTs.
Utilizing a threat intelligence service, creating intelligence requirements, and integrating tactical intelligence into their defense strategy is vital to protecting their assets. I would also encourage them to conduct threat modeling and purple team exercises to prepare for increases in attacks from nation-state cyber threats.
Russias basic stance is to acknowledge that cyber-attacks are happening but to deny any responsibility.
In July 2020, Russias Ambassador to the UK, Andrei Kelin, gave an interview with Deborah Haynes, foreign affairs editor at Sky News, claiming that Russia itself was frequently targeted by cyber-attacks and calling for the creation of a convention on cyber-warfare.
READ MORE Russian national pleads guilty over involvement in $568m cybercrime operation
We would like to set up a normal order, under the UN auspices, probably a convention, which would provide for easily understandable rules of cooperation, Kelin said. Otherwise there will be a cyber chaos.
When pressed on accusations that Russias cyber activities pose threat to the UK, Kelin raised doubts about attribution.
The cyber world is extremely complicated, but attribution of cyber-attacks to the government of any country is very dubious, he said.
During the interview, Kelin went on to dismiss the latest, very specific accusation that Russian intelligence agencies as being behind cyber-attacks against vaccine research centers. Those accusations are about nothing, he said.
YOU MIGHT ALSO LIKE Declassified: GCHQ celebrates 100 years of secrets well kept
Read the original:
Who is behind APT29? What we know about this nation-state cybercrime group - The Daily Swig
- WikiLeaks' Julian Assange: NSA critics got lucky because agency had no PR strategy - April 26th, 2014 [April 26th, 2014]
- National Speakers Association New Jersey Chapter NSA - April 26th, 2014 [April 26th, 2014]
- National Security Agency - Wikipedia, the free encyclopedia - April 26th, 2014 [April 26th, 2014]
- NSA - Satu Hari Di Bulan Juni (TULUS) (COVER) - Video - April 26th, 2014 [April 26th, 2014]
- Hong Kong: Protesters blow whistles for NSA whistle blower - Video - April 26th, 2014 [April 26th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 2 of 2) - Video - April 26th, 2014 [April 26th, 2014]
- UK: China will offer fig leaves to US exposed by NSA leaker - Assange - Video - April 26th, 2014 [April 26th, 2014]
- NSA ~ (Autodidactism) Whistleblowing - Video - April 27th, 2014 [April 27th, 2014]
- Dropping #NSA Knowledge Like a Clumsy Librarian - Video - April 27th, 2014 [April 27th, 2014]
- Full Show: Disband The NSA or; Corruption in the Capitol FO SHIZZLE {aTV002} - Video - April 27th, 2014 [April 27th, 2014]
- NSA DOCUMENTARY SIX YEARS BEFORE SNOWDEN - Video - April 27th, 2014 [April 27th, 2014]
- ShmooCon 2014: The NSA: Capabilities and Countermeasures - Video - April 27th, 2014 [April 27th, 2014]
- NSA Knew Of Heartbleed Bug, Refused To Protect Americans - Video - April 27th, 2014 [April 27th, 2014]
- Former NSA Head To Become Columnist For Conservative Paper To Discuss Intelligence - Video - April 27th, 2014 [April 27th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 1 of 2) - Video - April 27th, 2014 [April 27th, 2014]
- Keynote Address by Shri Shivshankar Menon, NSA at International Seminar on Kautilya - Video - April 27th, 2014 [April 27th, 2014]
- NSA Wiretapping: A 4th Amendment Violation?: Blake Norvell at TEDxSMU - Video - April 27th, 2014 [April 27th, 2014]
- Hang with Rand: Email Privacy, NSA Spying, and Defending Our Civil Liberties - Video - April 27th, 2014 [April 27th, 2014]
- NSA Surveillance and What To Do About It - Bruce Schneier - Video - April 27th, 2014 [April 27th, 2014]
- READER SUBMITTED: NSA CT April 2014 Meeting - April 28th, 2014 [April 28th, 2014]
- MVI 1847 Obama's NSA Denies FOIA About MH 370! - Video - April 28th, 2014 [April 28th, 2014]
- George Galloway's Sputnik: Ewen MacAskill on Guardian / Edward Snowden NSA leaks (26Apr14) - Video - April 28th, 2014 [April 28th, 2014]
- CIA & NSA DIRECTED ENERGY WEAPON ATTACK ON WHISTLE BLOWER - Video - April 28th, 2014 [April 28th, 2014]
- Book TV - 2014 San Antonio Book Festival: Panel on the NSA, Big Brother, and Democracy - Video - April 28th, 2014 [April 28th, 2014]
- NSA Throwdown: John Oliver v. 60 Minutes - April 29th, 2014 [April 29th, 2014]
- NSA will sit on security vulnerabilities because of terrorism - April 29th, 2014 [April 29th, 2014]
- New water records show NSA Utah Data Center likely behind schedule - April 29th, 2014 [April 29th, 2014]
- MVI 1871 NSA Might Be OnTo Me! - Video - April 29th, 2014 [April 29th, 2014]
- ZyXEL NSA 325 v2 Hands On - Deutsch / German notebooksbilliger.de - Video - April 29th, 2014 [April 29th, 2014]
- German opposition says US should destroy Merkel's NSA file - Video - April 29th, 2014 [April 29th, 2014]
- Germany: NSA spying "unacceptable" says SPD - Video - April 29th, 2014 [April 29th, 2014]
- NSA Surveillance 2 - Video - April 29th, 2014 [April 29th, 2014]
- NSA Surveillance Panel 1 - Video - April 29th, 2014 [April 29th, 2014]
- Chalk Talk How Snowden Breached NSA Security - Video - April 29th, 2014 [April 29th, 2014]
- NSA reveals some cyber security flaws are left secret - April 30th, 2014 [April 30th, 2014]
- NSA data center uses less water than expected - April 30th, 2014 [April 30th, 2014]
- April 2014 Breaking News Do you use Google or Yahoo? NSA Intercepts Google And Yahoo Traffic - Video - April 30th, 2014 [April 30th, 2014]
- Supreme Court could weigh in on NSA case, justice says - May 1st, 2014 [May 1st, 2014]
- New NSA chief: Agency has lost trust - May 1st, 2014 [May 1st, 2014]
- NSA on Heartbleed: 'We're not legally allowed to lie to you' - May 1st, 2014 [May 1st, 2014]
- What's The NSA Doing Now? Training More Cyberwarriors - May 1st, 2014 [May 1st, 2014]
- Anonymous NSA - Video - May 1st, 2014 [May 1st, 2014]
- Cutting off H2O to the NSA - Video - May 1st, 2014 [May 1st, 2014]
- Brazil: Greenwald slams US media, shares tips to avoid NSA - Video - May 1st, 2014 [May 1st, 2014]
- NSA IS TRYINGG 2 KILL ME FAMS - Video - May 1st, 2014 [May 1st, 2014]
- What was more popular on Twitter, NSA, NRA or NBA..today? - Video - May 1st, 2014 [May 1st, 2014]
- CIS111: NSA Uncovered - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (6/6) - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (4/6) - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (3/6) - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (2/6) - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (1/6) - Video - May 1st, 2014 [May 1st, 2014]
- Germany: NSA may have accidentally outed secret base - Video - May 1st, 2014 [May 1st, 2014]
- ZyXEL NSA 325 v2 Installations-Wizard - Deutsch / German notebooksbilliger.de - Video - May 1st, 2014 [May 1st, 2014]
- Tech firms to increase alerts about police requests for data -- report - May 2nd, 2014 [May 2nd, 2014]
- German Chancellor Angela Merkel visits US, after the NSA eavesdropping scandal - Video - May 2nd, 2014 [May 2nd, 2014]
- NSA spies on more US citizens than Russians Snowden - May 3rd, 2014 [May 3rd, 2014]
- THE NEXT NSA?Police under scrutiny for using spying technology - May 3rd, 2014 [May 3rd, 2014]
- Ukraine and NSA will test Merkel - Video - May 3rd, 2014 [May 3rd, 2014]
- The Latest Attacks On NSA Whistleblower Edward Snowden - Kevin Gosztola Discusses - Video - May 3rd, 2014 [May 3rd, 2014]
- Still Report #246 - NSA Classifies MH370 Material - Video - May 4th, 2014 [May 4th, 2014]
- Code Talker Induction into NSA Hall of Honor - Video - May 4th, 2014 [May 4th, 2014]
- NSA ( National Security Agency ) refusal to release documents on UFO's - Video - May 4th, 2014 [May 4th, 2014]
- Obama & NSA Refuse FOIA Request on Malaysia Flight deemed classified - Video - May 4th, 2014 [May 4th, 2014]
- Kafkawinstons World`s Channel Terminated NSA is replacing Channel`s with Sockpuppet Channel`s - Video - May 4th, 2014 [May 4th, 2014]
- NSA Volunteer Justin Hall at the NSA Comedy Tour February 2014 - Video - May 4th, 2014 [May 4th, 2014]
- Barack Obama on NSA Surveillance I'd Be Concerned Too If I Wasn't in Government - Video - May 4th, 2014 [May 4th, 2014]
- GBPPR Vision #26: Overview of the NSA's TAWDRYYARD Radar Retro-Reflector - Video - May 4th, 2014 [May 4th, 2014]
- NSA proof phone Case - Video - May 5th, 2014 [May 5th, 2014]
- 2014 NSA 2014 Million Dollar Publisher's Lab - Video - May 5th, 2014 [May 5th, 2014]
- Gen. Michael Hayden - the Former Director of NSA and the CIA - Video - May 5th, 2014 [May 5th, 2014]
- REVEALED: Here's The Solution To That Encoded NSA Puzzle Tweet - May 5th, 2014 [May 5th, 2014]
- Michael Hayden's Unwitting Case Against Secret Surveillance - May 5th, 2014 [May 5th, 2014]
- NSA's Encrypted Tweet: We're Hiring Code Breakers - May 5th, 2014 [May 5th, 2014]
- Russ Tice: Life as a NSA Whistleblower - Video - May 5th, 2014 [May 5th, 2014]
- What Is Going on at NSA These Days - Video - May 5th, 2014 [May 5th, 2014]
- What is the Role of the NSA? AFF Dallas Debates - Video - May 5th, 2014 [May 5th, 2014]
- Edward Snowden said CIA , and NSA had 52. 6 Billion for black budget - Video - May 5th, 2014 [May 5th, 2014]
- NSA looks to appeal to young cryptographers through coded ads - May 6th, 2014 [May 6th, 2014]
- Code Cracked: Mysterious NSA Tweet Is Decrypted in Seconds - May 6th, 2014 [May 6th, 2014]