APT29 has been accused of targeting coronavirus vaccine organizations, but this is not the first time the group has attracted global attention
In a July 2020 report, the UK and its allies publicly blamed cyber-attacks on organizations involved in coronavirus vaccine development on APT29, a hacking group linked to Russian intelligence agencies.
The National Cyber Security Centre (NCSC), part of GCHQ, blamed APT29 for an ongoing campaign of malicious activity predominantly against government, diplomatic, think-tank, healthcare and energy targets to steal valuable intellectual property.
Known targets of APT29 include UK, US and Canadian vaccine research and development organizations, according to a joint alert by NCSC and its intelligence partners in the Canadian Communication Security Establishment and the National Security Agency (NSA).
A full assessment (PDF) offers advice to potentially targeted organizations, as well as firing a shot across the bow of Russian intelligence by publicly calling the Kremlin out for what the NCSC's director of operations, Paul Chichester, described as "despicable attacks against those doing vital work to combat the coronavirus pandemic".
But what do we know about this threat group? The Daily Swig takes a deeper look.
APT29 is a hacking group that western intelligence agencies and various cybersecurity firms have linked to Russian state intelligence agencies.
Hacked security camera footage allowed the Dutch intelligence service AIVD to link APT29 to the Russian Foreign Intelligence Service (SVR).
Security intelligence firm CrowdStrike attributed APT29 to either the SVR or Russia's Federal Security Service (FSB).
"APT" in this instance stands for "advanced persistent threat", security industry shorthand for a state-sponsored threat group.
APT29 has been given various nicknames by cybersecurity firms, including Cozy Bear, CozyDuke, and the Dukes, among others.
As well as espionage around Covid-19 vaccine data, APT29 has been blamed for a number of other high-profile attacks over the last five years, according to analysis from FireEye Mandiant.
These alleged incidents include:
According to Symantec, APT29 has been attacking diplomatic organizations and governments since at least 2010, if not earlier.
APT29 (Cozy Bear) was implicated alongside another Kremlin-linked hacker group, Fancy Bear (APT28, widely credited as a unit of the Russian military intelligence directorate, GRU), in the cyber-attacks against the DNC during the 2016 US presidential election.
The threat group is known to be interested in foreign intelligence, according to Finnish security firm F-Secure.
"APT29 has traditionally focused on intelligence to inform national and security policy, rather than the theft of intellectual property," Calvin Gan, manager at F-Secure's tactical defense unit, told The Daily Swig.
"However, Covid-19 could be such a major national security priority for Russia that they need all hands on deck."
The tradecraft of APT29 is generally credited as more subtle and sophisticated than that of APT28, the even more infamous Kremlin-linked cybercrime group.
Ben Read, senior manager of analysis at Mandiant Threat Intelligence, told The Daily Swig: "APT29 has historically targeted geopolitical intelligence, with a focus on stealing information.
"They have not been linked to the type of disruptive operations that APT28 and Sandworm team have undertaken but have instead operated with much more discretion."
APT29 uses a variety of tactics, techniques, and procedures (TTPs) including spear-phishing and custom malware known as WellMess and WellMail.
According to Mandiant, APT29 is an adaptive and disciplined threat group that hides its activity on a victim's network.
"In the past it has communicated infrequently and in a way that closely resembles legitimate traffic," Mandiant explains.
"By using legitimate popular web services, the group has taken advantage of encrypted SSL connections, making detection even more difficult."
APT29 is one of the most evolved and capable threat groups, according to Mandiant's analysis:
"It deploys new backdoors to fix its own bugs and add features. It monitors network defender activity to maintain control over systems. APT29 has also often used compromised servers for [command and control] communication.
"It counters attempts to remediate attacks. It also maintains a fast development cycle for its malware, quickly altering tools to hinder detection."
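The infrequent, legitimate-looking communication Mandiant describes above is what makes reputation-based blocking weak against this group, and it is why defenders look at timing regularity and payload size instead of the destination name. The following is an added detection example written for this article, not code from Mandiant or The Daily Swig; the proxy log lines, hostnames and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "time source destination bytes". Host ws-17 contacts a
# reputable-looking cloud domain every ~2 hours with tiny, uniform payloads
# (the low-and-slow pattern described above); ws-03 is a human browsing the
# same domain at irregular intervals. Neither the domain nor TLS tells them apart.
PROXY_LOG = """\
2020-07-16T00:02:11 ws-17 files.example-cloud.net 812
2020-07-16T02:02:09 ws-17 files.example-cloud.net 797
2020-07-16T04:02:14 ws-17 files.example-cloud.net 805
2020-07-16T06:02:10 ws-17 files.example-cloud.net 811
2020-07-16T08:02:12 ws-17 files.example-cloud.net 790
2020-07-16T09:15:40 ws-03 files.example-cloud.net 48211
2020-07-16T09:16:02 ws-03 files.example-cloud.net 120932
2020-07-16T11:48:55 ws-03 files.example-cloud.net 9031
2020-07-16T14:03:20 ws-03 files.example-cloud.net 70022
2020-07-16T14:03:31 ws-03 files.example-cloud.net 3310
"""


def parse(log):
    """Group connections by (source, destination) pair."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        sessions[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return sessions


def beacon_score(events):
    """Return (mean gap in seconds, coefficient of variation) for one pair.

    A machine beacon has near-constant gaps (CV close to 0); human traffic
    does not. Fewer than three gaps is too little evidence, so return None."""
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def find_beacons(log, min_conns=5, max_cv=0.05, max_bytes=4096):
    """Flag pairs whose timing is machine-regular and whose payloads are small.

    Because the interval is hours, the lookback must span at least
    min_conns * interval; a one-hour window would never see this pattern."""
    hits = {}
    for key, events in parse(log).items():
        if len(events) < min_conns:
            continue
        score = beacon_score(events)
        if score is None:
            continue
        interval, cv = score
        largest = max(n for _, n in events)
        if cv <= max_cv and largest <= max_bytes:
            hits[key] = {"interval_s": interval, "cv": round(cv, 4), "max_bytes": largest}
    return hits
```

Tune `max_cv` upward if the implant adds jitter, and pair the timing signal with the small-payload one rather than relying on either alone.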
APT29 has been known to switch tactics and approaches (notably between smash-and-grab and slow-and-deliberate) depending on the perceived intelligence value and/or infection method of victims, according to an ATT&CK Evaluations assessment by Mitre Corporation.
APT29 is known to employ a vast arsenal of malware toolsets, according to F-Secure:
"The Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations.
"These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible.
"If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering."
More details on APT29's alleged tactics can be found in a recent white paper on APT29 by F-Secure (PDF).
Patch management and other techniques can help to defend against APT29 and similar attackers.
"APT groups typically update their arsenal fairly quickly, and it is customized to the target or environment that they are interested in," F-Secure's Gan explained.
"While EDR [endpoint detection and response] is around to spot for suspicious behaviors within the network, it is only one part of the defense strategy.
"There are other processes and technologies that must be in place to minimize loopholes as much as possible. This includes patch management, as we have seen in the recent advisory of how APT29 purportedly gained a foothold through known vulnerabilities."
Tony Cole, CTO at Attivo Networks, added: "It's unfortunate that an actor such as APT29 with such sophisticated capabilities is still able to simply scan targets for existing known vulnerabilities and then compromise with little effort or use phishing emails to obtain their initial set of credentials.
"Organizations must step up their efforts to counter adversaries targeting them."
Cole continued: "Patching is an imperative that must be met. Instrumentation focused on detection and lateral movement inside the network perimeter and across all endpoints is another imperative since prevention often fails regardless of defensive spending."
Charity Wright, a cyber threat intelligence advisor at IntSights and former NSA Chinese espionage expert, told The Daily Swig: "The Russian intelligence services are organized and deliberate about their targeting, missions, and toolsets. They adapt and overcome target defenses and typically go after strategic intelligence, military, and government entities."
She advised: "Organizations should understand what valuable data they have, which state-sponsored groups would be likely to target them either for their proprietary data or to use them as a third party to pivot to their target, and be prepared to defend against those APTs.
"Utilizing a threat intelligence service, creating intelligence requirements, and integrating tactical intelligence into their defense strategy is vital to protecting their assets. I would also encourage them to conduct threat modeling and purple team exercises to prepare for increases in attacks from nation-state cyber threats."
Russia's basic stance is to acknowledge that cyber-attacks are happening but to deny any responsibility.
In July 2020, Russia's Ambassador to the UK, Andrei Kelin, gave an interview to Deborah Haynes, foreign affairs editor at Sky News, claiming that Russia itself was frequently targeted by cyber-attacks and calling for the creation of a convention on cyber-warfare.
"We would like to set up a normal order, under the UN auspices, probably a convention, which would provide for easily understandable rules of cooperation," Kelin said. "Otherwise there will be a cyber chaos."
When pressed on accusations that Russia's cyber activities pose a threat to the UK, Kelin raised doubts about attribution.
"The cyber world is extremely complicated, but attribution of cyber-attacks to the government of any country is very dubious," he said.
During the interview, Kelin went on to dismiss the latest, very specific accusation that Russian intelligence agencies were behind cyber-attacks against vaccine research centers. "Those accusations are about nothing," he said.
Source: Who is behind APT29? What we know about this nation-state cybercrime group - The Daily Swig