An Exploration of Russia-based APT29’s Recent Campaigns

The infamous APT29 group has resurfaced in widespread campaigns that rely on credential theft to gain deeper access to vulnerable networks. Widely deployed platforms from Citrix, Fortinet, Pulse Secure, Synacor, and VMware are all in the crosshairs of APT29 as it hunts for credentials.


This blog details the Tactics, Techniques, and Procedures (TTPs) the APT29 group deployed in its recent campaign.


Who is APT29?

The APT29 threat group has been attributed to the Russian government and has been active since at least 2008. The group reportedly compromised the Democratic National Committee starting in the summer of 2015.

Also known as Nobelium and Cozy Bear, the group was publicly identified as the Russian Foreign Intelligence Service (SVR) in a recent joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). The advisory was released amid the Russia-Ukraine cyber conflict, alongside economic sanctions imposed on the Russian government, technology firms, and nationals.


APT29 – Tricks and Techniques

APT29 is distinguished by its commitment to stealth and its sophisticated implementation of techniques through an arsenal of custom malware. It typically accomplishes its goals with custom-compiled binaries and alternate execution methods such as PowerShell and Windows Management Instrumentation (WMI). APT29 is also known to vary its operational cadence (smash-and-grab versus slow-and-deliberate) depending on the perceived intelligence value of the victim and/or the infection method used.


Deepest Secrets of Russian APT29

Operational Flow

The operational flow below comes from a red-team emulation of APT29 behaviour rather than from a single observed intrusion. Pupy, Meterpreter, and other custom or modified scripts and payloads were tested and developed to execute the scenario. Pupy and Meterpreter were chosen for their available functionality and their similarity to the adversary's own malware, but alternative red-team tooling could be used to reproduce these and other APT29 behaviours just as accurately.

  • Initial Compromise: Malware is executed on the victim; establishes C2 connection

  • Collection and Exfiltration: Adversary performs smash-and-grab data theft

  • Deploy Stealth Toolkit: Adversary drops secondary malware, elevates privileges, and establishes a new C2 connection

  • Clean Up and Reconnaissance: Adversary drops new tools, cleans up artefacts of breach, and surveys the victim environment.

  • Establish Persistence: Adversary establishes two separate means of persistent access to the victim.

  • Credential Access: Adversary gathers various forms of credential materials

  • Collection and Exfiltration: Adversary collects data from the victim user and exfiltrates it to attacker-controlled infrastructure.

  • Expand Access: Adversary enumerates then executes payload on a remote workstation.

  • Clean Up, Collection, and Exfiltration: Adversary drops new tools, performs smash-and-grab data theft, then cleans up artefacts of breach on a remote workstation

  • Persistence Execution: Adversary persistence mechanisms are executed when the initial victim machine is rebooted

ATT&CK Description

The operational flow chains techniques together in the order that commonly occurs across APT29 operations. We break APT29's operations into two distinct scenarios:

  1. The attack begins with a smash-and-grab: rapid espionage to gather and exfiltrate data. The attackers then switch to stealthier techniques to persist in the network, collect sensitive data, access credentials, and move laterally, finishing with the execution of tried-and-tested persistence mechanisms.
  2. A slower, more deliberate approach that focuses on staying undetected from initial compromise through to persistence. Credentials are harvested, active connections are entrenched, the entire domain is compromised, and a simulated time-lapse triggers the established persistence methods.


Environment

The emulation environment was deliberately weakened so that every step of the scenario could be executed and observed. Outside a lab, any of these settings on a production host is a finding in its own right.

  • WinRM enabled for all Windows hosts

  • PowerShell execution policy set to Bypass

  • Registry modified to allow storage of WDigest credentials (cleartext passwords retained in LSASS memory)

  • Registry modified to disable Windows Defender

  • Group Policy modified to disable Windows Defender

  • Configured firewall to allow SMB

  • Created an SMB share

  • Set UAC to never notify

  • RDP enabled for all Windows hosts
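The same settings, audited from the defender's side. The following PowerShell is an added example and is not part of the original post or of the emulation setup it describes. It checks a Windows host for each weakening in the list above (the registry paths and value names are the documented Windows locations for these settings; the Group Policy change that disables Defender is checked through the Policies registry hive that Group Policy writes to) and prints the command that restores the hardened value for anything it finds:

```powershell
# Added example, not part of the original post or of the emulation setup it
# describes. Audits a Windows host for the weakened settings listed above and,
# for each one found, prints the command that restores the hardened value.
# Run from an elevated PowerShell session; nothing is changed unless you run
# the printed Fix commands yourself.

$RegistryChecks = @(
    @{ Setting  = 'WDigest keeps cleartext credentials in LSASS memory'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name     = 'UseLogonCredential'; Weak = 1; Hardened = 0 }
    @{ Setting  = 'Windows Defender disabled by policy'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Name     = 'DisableAntiSpyware'; Weak = 1; Hardened = 0 }
    @{ Setting  = 'Windows Defender real-time protection disabled by policy'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Name     = 'DisableRealtimeMonitoring'; Weak = 1; Hardened = 0 }
    # The UAC "Never notify" slider sets ConsentPromptBehaviorAdmin=0 and
    # PromptOnSecureDesktop=0. Hardened value 2 = always prompt for consent on
    # the secure desktop (the Windows default is 5).
    @{ Setting  = 'UAC set to never notify (admin consent prompt)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'ConsentPromptBehaviorAdmin'; Weak = 0; Hardened = 2 }
    @{ Setting  = 'UAC set to never notify (secure desktop prompt)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'PromptOnSecureDesktop'; Weak = 0; Hardened = 1 }
    @{ Setting  = 'RDP enabled (fDenyTSConnections = 0)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Name     = 'fDenyTSConnections'; Weak = 0; Hardened = 1 }
)

function Test-RegistryHardening {
    param([Parameter(Mandatory)][hashtable]$Check)

    # An absent value is reported as '(not set)'. For WDigest and the Defender
    # policy values, absent means the secure default applies, so only an
    # explicit match on the weak value is flagged.
    $item    = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    $display = if ($null -eq $current) { '(not set)' } else { $current }

    [pscustomobject]@{
        Setting = $Check.Setting
        Current = $display
        Weak    = ($null -ne $current -and $current -eq $Check.Weak)
        Fix     = "Set-ItemProperty -Path '$($Check.Path)' -Name $($Check.Name) -Type DWord -Value $($Check.Hardened)"
    }
}

function Test-RemotingHardening {
    # Checks that do not live in a single registry value.
    $policy  = Get-ExecutionPolicy -Scope LocalMachine
    $winrm   = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $shares  = @(Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special })
    $winrmTx = if ($winrm) { "$($winrm.Status)" } else { '(not installed)' }
    $shareTx = if ($shares.Count -gt 0) { $shares.Name -join ', ' } else { '(none)' }

    [pscustomobject]@{
        Setting = 'PowerShell execution policy (LocalMachine scope)'
        Current = "$policy"
        Weak    = ($policy -in @('Bypass', 'Unrestricted'))
        Fix     = 'Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned'
    }
    [pscustomobject]@{
        Setting = 'WinRM service running'
        Current = $winrmTx
        Weak    = [bool]($winrm -and $winrm.Status -eq 'Running')
        Fix     = 'Disable-PSRemoting -Force; Stop-Service -Name WinRM; Set-Service -Name WinRM -StartupType Disabled'
    }
    [pscustomobject]@{
        Setting = 'Non-administrative SMB shares'
        Current = $shareTx
        Weak    = ($shares.Count -gt 0)
        Fix     = 'Remove-SmbShare -Name <ShareName> -Force   # for each share that is not required'
    }
}

$results = @($RegistryChecks | ForEach-Object { Test-RegistryHardening -Check $_ }) + @(Test-RemotingHardening)
$results | Format-Table -Property Setting, Current, Weak -AutoSize

# Emit the remediation commands for everything flagged, ready to review and paste.
$results | Where-Object Weak | ForEach-Object { "# $($_.Setting)"; $_.Fix }
```

A running WinRM service or an execution policy of Bypass is not a vulnerability by itself (the execution policy is not a security boundary), but on a host where neither was intentionally configured they are worth treating as signs of tampering, as are UseLogonCredential set to 1 and Defender disabled by policy.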

Indicators of Compromise

  • 213.74.101.65

  • 213.74.139.196

  • 212.252.30.170

  • 5.196.167.184

  • 37.139.7.16

  • 149.56.20.55

  • 91.227.68.97

  • 138.201.186.43

  • 5.45.119.124

  • 193.37.212.43

  • 146.0.77.60

  • 51.159.28.101
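The following PowerShell is an added example, not part of the original post, showing how to hunt for these addresses in exported logs. The log lines are constructed samples in a generic firewall-export layout, not real traffic; the function itself only needs each line to contain dotted-quad IPv4 addresses:

```powershell
# Added example, not part of the original post: hunt for the infrastructure
# IPs listed above in log lines. IPv4 addresses are extracted as whole tokens
# first, so an indicator such as 5.45.119.124 cannot match inside 15.45.119.124.

$Apt29Iocs = @(
    '213.74.101.65', '213.74.139.196', '212.252.30.170', '5.196.167.184',
    '37.139.7.16',   '149.56.20.55',   '91.227.68.97',   '138.201.186.43',
    '5.45.119.124',  '193.37.212.43',  '146.0.77.60',    '51.159.28.101'
)

function Find-IocHits {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string[]]$Indicators
    )
    $lookup = [System.Collections.Generic.HashSet[string]]::new([string[]]$Indicators)
    # Dotted quad that is not preceded or followed by another digit or dot, so
    # partial overlaps with longer addresses are never reported.
    $ipv4   = [regex]'(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])'
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        foreach ($match in $ipv4.Matches($line)) {
            if ($lookup.Contains($match.Value)) {
                [pscustomobject]@{ Line = $lineNo; Indicator = $match.Value; Text = $line }
            }
        }
    }
}

# Constructed sample lines in a generic firewall-export style, not real traffic.
# 203.0.113.10 is an RFC 5737 documentation address used as benign filler.
$SampleLog = @(
    '2021-04-15T10:02:11Z ALLOW tcp 10.20.30.7:51234 -> 213.74.101.65:443'
    '2021-04-15T10:02:15Z ALLOW tcp 10.20.30.7:51240 -> 203.0.113.10:443'
    # Superstring of the indicator 5.45.119.124; must not be reported.
    '2021-04-15T10:03:02Z DENY  tcp 10.20.30.9:49155 -> 15.45.119.124:8443'
    '2021-04-15T10:04:44Z ALLOW tcp 10.20.30.11:50022 -> 146.0.77.60:80'
    '2021-04-15T10:05:09Z ALLOW tcp 51.159.28.101:443 -> 10.20.30.7:51301'
)

$hits = @(Find-IocHits -Lines $SampleLog -Indicators $Apt29Iocs)
$hits | Format-Table -Property Line, Indicator, Text -AutoSize

# Against real data:
# Find-IocHits -Lines (Get-Content .\firewall.log) -Indicators $Apt29Iocs
```

The third sample line carries 15.45.119.124, a superstring of the indicator 5.45.119.124; the regex boundaries keep it from being reported, while the inbound hit on line 5 is caught because the function checks every address on a line, not only the destination. Network indicators age quickly and some of these addresses may belong to shared hosting or VPN egress, so a hit should be correlated with the reporting period and the surrounding activity rather than treated as confirmation on its own.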


Five Vulnerabilities Exploited by APT29

The joint CISA, FBI, and NSA advisory named five vulnerabilities in widely deployed enterprise products that APT29 has exploited, and continues to exploit, to breach corporate and government networks.

For each CVE, the list below gives the vendor, CVSS severity and base score, CWE weakness, exploit type, associated ransomware strains and APT groups, and patch status.

CVE-2018-13379 (Fortinet)
  • Severity: Critical, CVSS base score 9.8
  • Weakness: CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Exploit type: web application
  • Ransomware strains: Apostle, Conti, Cring, Pay2Key, LockBit
  • APT group associations: Agrius, APT29, APT33, APT34, APT39, APT5, Fox Kitten
  • Patch: available

CVE-2019-11510 (Pulse Secure)
  • Severity: Critical, CVSS base score 10.0
  • Weakness: CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Exploit type: web application
  • Ransomware strains: Black Kingdom, Sekhmet, Maze, Mailto, Pay2Key, Sodinokibi
  • APT group associations: APT28, APT29, APT33, APT34, APT39, APT41, APT5, Fox Kitten
  • Patch: available

CVE-2019-9670 (Synacor Zimbra)
  • Severity: Critical, CVSS base score 9.8
  • Weakness: CWE-611, Improper Restriction of XML External Entity Reference
  • Exploit type: remote code execution
  • Ransomware strains: none listed
  • APT group associations: APT29
  • Patch: available

CVE-2019-19781 (Citrix)
  • Severity: Critical, CVSS base score 9.8
  • Weakness: CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Exploit type: remote code execution
  • Ransomware strains: MedusaReborn, CryptoMix, DoppelPaymer, Snake, Golang, Maze, Nefilim, Pay2Key, Ragnarok, Sodinokibi, Vatet Loader
  • APT group associations: APT29, APT33, APT34, APT39, APT41, Dragonfly 2.0, Fox Kitten
  • Patch: available

CVE-2020-4006 (VMware)
  • Severity: Critical, CVSS base score 9.1
  • Weakness: CWE-78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Exploit type: not listed
  • Ransomware strains: none listed
  • APT group associations: APT29
  • Patch: available


Securin takes a proactive approach to identifying and quantifying risk before an attack occurs. We help organizations maintain cyber hygiene through continuous monitoring, scanning, and patch prioritization, and thus mitigate risk.


The campaign has targeted organizations across multiple sectors, including government, consulting, technology, and telecom, mainly in the regions of North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.


Securin’s research into threat actors and the vulnerabilities they exploit has identified 53 vulnerabilities associated with the APT29 group. Get in touch to learn more about our research.

Lessons Learned: Best practices to protect organizations from attack

  1. Patch exposed vulnerabilities, update firmware, and upgrade product versions without delay.

  2. Perform an exposure assessment and adopt regular pentesting practices.

  3. Set up an out-of-band management network.

  4. Remove or disable unused assets, technologies, and protocols.

  5. Have a well-laid-out incident response plan.


Organizations involved in COVID-19 vaccine research, whose data is among the intelligence APT29 targets, are at particular risk and should use the IoCs above to hunt for signs of APT29 intrusion in their networks. The group's track record shows that relatively simple tactics, techniques, and procedures, combined with social engineering, are enough to compromise almost any information system and constitute a real cyber threat.


The Securin team recommends performing continuous vulnerability scanning for detection and effective, timely remediation.

Securin’s AI-based threat and vulnerability intelligence can help organizations look ahead and predict the possibility of future attacks. 
