Who Are APT29?


The Russian state-sponsored group APT29 is one of the most technically skilled and disciplined threat actors operating today. It is especially good at adapting to defenders’ countermeasures, breaking into well-defended networks, and running malware built to evade detection and forensic tooling, so that its intrusions can go unnoticed for long periods.

APT29’s main targets are governments, diplomatic entities, political organizations, think tanks and research institutions, and government contractors, as well as critical sectors in the US and Europe such as energy, healthcare, education, finance, and technology.

APT29’s primary objective is intelligence collection: quietly stealing information of strategic value to the Russian state from governments, diplomatic bodies and political organizations, rather than disruptive or destructive attacks. Here’s a quick primer on the group.

APT29 aliases

This particular group has a lot of nicknames, including:

  • Cozy Bear
  • The Dukes
  • Group 100
  • CozyDuke
  • EuroAPT
  • CozyCar
  • Cozer
  • Office Monkeys
  • YTTRIUM
  • Iron Hemlock
  • Iron Ritual
  • Cloaked Ursa
  • Nobelium
  • Midnight Blizzard (Microsoft’s current name for the group)
  • G0016 (MITRE ATT&CK group ID)
  • UNC2452
  • Dark Halo
  • NobleBaron

The group has been active since at least 2008 and is attributed to Russia’s Foreign Intelligence Service (SVR); the basis for that attribution is explained later in the article.

History of APT29

APT29 drew wide attention in 2015, when it was linked to a phishing-based intrusion into an unclassified Pentagon email network. That same year FireEye documented HAMMERTOSS, an APT29 backdoor that hid its command-and-control traffic in plain sight: it visited algorithmically generated Twitter accounts for instructions and retrieved further commands hidden in images hosted on GitHub, so that the traffic looked like ordinary web browsing rather than a connection to attacker infrastructure.

The December 2016 joint DHS/FBI report that designated this activity “GRIZZLY STEPPE” describes APT29’s compromise of the Democratic National Committee’s network. The group gained access through a spearphishing campaign in summer 2015, using emails with malicious links that installed its malware, and remained in the network until the intrusion was discovered in 2016. The bogus password-reset pages used against other Democratic targets in spring 2016 are attributed in the same report to the GRU-linked group APT28, which was inside the DNC at the same time.

In 2019, ESET’s “Operation Ghost” research showed that the group had compromised the foreign ministries of at least three European Union countries, as well as the Washington, D.C. embassy of an EU member state.

In 2020, the UK NCSC, Canada’s CSE and the US CISA and NSA jointly reported that APT29 was targeting organizations developing COVID-19 vaccines in Canada, the United States and the United Kingdom. The group scanned public-facing IP addresses for known, unpatched vulnerabilities in internet-facing services and exploited them to gain an initial foothold.

2020 also brought the SolarWinds supply-chain compromise. The group inserted the SUNBURST backdoor into the build of SolarWinds’ Orion platform, so that legitimately signed Orion updates delivered the backdoor to thousands of customers. From those, it selected a small number of high-value victims for hands-on follow-on access, including several US government agencies and technology companies around the world. The compromise was discovered in December 2020, months after the first trojanized updates shipped.

APT29 is widely believed to be funded and sponsored by the Russian state based on several factors:

  • Targets: APT29 primarily targets governments, diplomatic entities, NGOs, and IT service providers, particularly in the US and Europe, aligning with potential Russian intelligence interests.
  • Sophistication: The group’s techniques and resources suggest significant backing, exceeding the capabilities of most independent hacker groups.
  • Historical links: Past activities linked to APT29, like the SolarWinds supply chain compromise and interference in the 2016 US elections, align with Russian strategic goals.
  • Attribution by security experts and governments: Multiple cybersecurity firms and intelligence agencies, including CISA, have attributed APT29’s operations to the Russian government.

The group has also broadened its targeting to multinational businesses with no direct government ties, notably IT and cloud service providers whose access can be reused against their customers, which has caused widespread concern.

APT29 attack methods

Microsoft disclosed in January 2024 that it was among the organizations APT29 (which Microsoft tracks as Midnight Blizzard) had attacked in late 2023; the group read email from a number of corporate mailboxes, including those of senior leadership and security staff. The full list of affected organizations has not been made public.

APT29 uses various techniques to gain access and maintain their foothold, including:

  • Password spraying: Trying a small set of common passwords against many accounts, staying below lockout thresholds and often routing attempts through residential proxies so they blend in with normal sign-ins. In the Microsoft intrusion the account that fell was a legacy, non-production test tenant account that did not have MFA.
  • Compromising legitimate accounts: Reusing stolen credentials or exploiting vulnerabilities to operate as a legitimate user inside the target environment, so that activity looks like routine administration.
  • Abusing OAuth applications: Granting high-privilege API permissions to OAuth applications it controls (in the Microsoft case, a legacy test application that already had elevated access, plus new applications the group created) so that access survives password resets and persists even after the originally compromised account is cleaned up.
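The password-spray signature described above is breadth rather than depth: many accounts, each tried only a few times. The following detector is an added example, not code from the original page or from Coro; it runs over a constructed, simplified log format (timestamp, user, source IP, result) and uses assumed thresholds (a 10-minute window, at least 5 distinct users, at most 3 failures per user). Real sources such as Entra ID sign-in logs carry the same fields under other names.

```python
"""Password-spray detection over sign-in logs (added example, not Coro's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp user source_ip result" format.
# One source IP tries one password against nine accounts and then succeeds on a
# tenth (a spray that landed); a second IP hammers a single account (not a spray).
SAMPLE_LOG = """\
2024-01-12T03:00:01Z alice 203.0.113.7 FAILURE
2024-01-12T03:00:03Z bob 203.0.113.7 FAILURE
2024-01-12T03:00:05Z carol 203.0.113.7 FAILURE
2024-01-12T03:00:07Z dave 203.0.113.7 FAILURE
2024-01-12T03:00:09Z erin 203.0.113.7 FAILURE
2024-01-12T03:00:11Z frank 203.0.113.7 FAILURE
2024-01-12T03:00:13Z grace 203.0.113.7 FAILURE
2024-01-12T03:00:15Z heidi 203.0.113.7 FAILURE
2024-01-12T03:00:17Z ivan 203.0.113.7 FAILURE
2024-01-12T03:00:19Z legacy-test 203.0.113.7 SUCCESS
2024-01-12T03:05:00Z alice 198.51.100.20 FAILURE
2024-01-12T03:05:10Z alice 198.51.100.20 FAILURE
2024-01-12T03:05:20Z alice 198.51.100.20 FAILURE
2024-01-12T03:05:30Z alice 198.51.100.20 SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_users=5, max_per_user=3):
    """Flag source IPs that fail against many distinct users with few attempts each.

    Brute force against one account (depth, not breadth) is deliberately not
    matched here; it needs a different rule.
    """
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        # Slide a window that starts at each event seen from this IP.
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failures = defaultdict(int)
            for _, user, _, result in in_window:
                if result == "FAILURE":
                    failures[user] += 1
            if len(failures) >= min_users and max(failures.values()) <= max_per_user:
                succeeded = sorted({u for _, u, _, r in in_window if r == "SUCCESS"})
                findings.append({
                    "source_ip": ip,
                    "window_start": start.isoformat(),
                    "distinct_users": len(failures),
                    "failures": sum(failures.values()),
                    "successful_users": succeeded,  # non-empty means the spray landed
                })
                break  # one finding per source IP is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOG):
        print(finding)
```

A spray that ends in a SUCCESS from the same source is the finding to act on first: the account in `successful_users` should be treated as compromised, its sessions revoked and its consent grants reviewed, since that is exactly the pivot from a single weak account to OAuth persistence described above.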

Attack methods vary, but the usual pattern is a dropper that installs a backdoor, which then exfiltrates data to a C2 server. APT29 droppers and backdoor components share many traits across campaigns, though each file’s functionality is adjusted slightly to the operator’s requirements.

APT29 frequently spearphishes targets with emails that link to a website hosting a ZIP archive. The archive contains a self-extracting RAR (SFX) executable that installs the malware and opens a blank PDF as a decoy.

The group has also emailed fake Flash videos as attachments, for example “Office Monkeys LOL video.zip” in the CozyDuke campaign. When opened, the file plays a goofy video of monkeys in an office while quietly dropping the CozyDuke backdoor, which then spread to other machines in the victim network. Many CozyDuke components were signed with bogus certificates bearing Intel and AMD names so that they would look legitimate. After installation the malware gathers system information and queries WMI in the root\SecurityCenter namespace (root\SecurityCenter2 on newer Windows versions) to enumerate the installed security products before dropping additional data-gathering components; the code includes checks intended to evade a number of antivirus products, Kaspersky among them.

Why is APT29 of concern?

APT29 has been linked to intrusions at Microsoft and Hewlett Packard Enterprise (HPE), both disclosed in January 2024. In both cases the attackers targeted corporate email accounts and the sensitive data that flows through them.

Microsoft’s January 2024 announcement, which said other organizations had been notified, implies that the campaign was more widespread than the disclosed victims suggest. This raises concerns about the group’s reach and impact.

The group’s techniques, such as password spraying, compromising legitimate accounts, and abusing OAuth applications, rely on valid credentials and sanctioned cloud mechanisms rather than exploits or custom malware on endpoints. The activity therefore blends into normal administrative traffic, which makes it hard to detect and hard to evict fully: resetting the stolen password does nothing about an OAuth application that still holds its own access.

Part of the basis for attributing the group to the Russian Foreign Intelligence Service is that APT29 consistently seeks information of strategic value to Russia: political and diplomatic secrets, industrial and research data, and personal data on people of interest. As a state-sponsored group, APT29’s activities have geopolitical implications; its target selection points to intelligence collection for strategic purposes, which can fuel tensions between Russia and other countries.

These incidents highlight the importance of robust cybersecurity measures for organizations, including multi-factor authentication, monitoring for suspicious activity, and securing OAuth applications.

Protect your organization against APT29

Securing your business against sophisticated groups like APT29 requires a layered approach, focusing on both technical measures and employee awareness. The essential steps are:

  • Implement multi-factor authentication (MFA): This significantly raises the cost of unauthorized access, even when attackers obtain passwords. Apply it to every account, including test, service and legacy accounts; the Microsoft intrusion began with a test account that lacked it.
  • Patch systems regularly: Keep all software and operating systems updated to address known vulnerabilities that attackers might exploit.
  • Segment your network: Divide your network into smaller zones to limit the potential damage if attackers gain access to one area.
  • Monitor your network activity: Use security tools to detect suspicious activity and potential intrusions.
  • Secure your email: Implement email security solutions with robust spam and phishing filters and educate employees on identifying suspicious emails.
  • Control and monitor OAuth applications: Grant OAuth applications the minimum permissions they need, review high-privilege application permissions (for example tenant-wide mailbox access) on a schedule, remove apps with no owner or no recent sign-ins, and alert on new consent grants and newly added app credentials.
  • Use strong passwords and password managers: Encourage employees to use strong, unique passwords and consider implementing password managers.
  • Regularly back up your data: Have a robust backup and recovery plan in place to minimize data loss in case of an attack.
  • Train your employees: Don’t neglect cybersecurity awareness training. Regularly train employees on cybersecurity best practices, including identifying phishing attempts, password hygiene, and reporting suspicious activity. Wherever possible, conduct simulated phishing attacks to test employee awareness and the effectiveness of training. 
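The OAuth checks above can be turned into a repeatable audit. The script below is an added example, not code from the original page or from Coro: it runs over a constructed, simplified inventory of app registrations (display name, owners, granted application permissions, creation time, last sign-in) with placeholder app IDs, and uses assumed thresholds of 90 days for “dormant” and 14 days for “new”. A real audit would pull the same fields from the identity provider, for instance from Microsoft Graph service principals and app role assignments.

```python
"""Least-privilege audit of OAuth application registrations (added example, not Coro's code)."""
from datetime import datetime, timedelta, timezone

# Application permissions that give an app tenant-wide access on its own, with no
# signed-in user. Any app holding one of these deserves a human review.
HIGH_RISK_APP_ROLES = {
    "full_access_as_app",            # Exchange Online: every mailbox in the tenant
    "Mail.ReadWrite", "Mail.Read",   # Microsoft Graph: every mailbox in the tenant
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

# Constructed inventory; the app IDs are placeholders, not real registrations.
SAMPLE_APPS = [
    {"displayName": "HR Portal Connector", "appId": "00000000-0000-0000-0000-000000000001",
     "owners": ["it-admin@example.com"], "appRoles": ["User.Read.All"],
     "createdDateTime": "2021-03-01T00:00:00Z", "lastSignIn": "2024-01-10T00:00:00Z"},
    {"displayName": "legacy-test-app", "appId": "00000000-0000-0000-0000-000000000002",
     "owners": [], "appRoles": ["full_access_as_app"],
     "createdDateTime": "2019-04-02T00:00:00Z", "lastSignIn": "2023-06-01T00:00:00Z"},
    {"displayName": "Mail Sync", "appId": "00000000-0000-0000-0000-000000000003",
     "owners": ["svc-mail@example.com"], "appRoles": ["Mail.ReadWrite", "Directory.ReadWrite.All"],
     "createdDateTime": "2024-01-11T00:00:00Z", "lastSignIn": "2024-01-14T00:00:00Z"},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z (older Pythons reject the Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_oauth_apps(apps, now=NOW, dormant_days=90, new_days=14):
    """Return {displayName: [reasons]} for every app that needs a look, riskiest first."""
    findings = {}
    for app in apps:
        reasons = []
        risky = sorted(set(app.get("appRoles", [])) & HIGH_RISK_APP_ROLES)
        if risky:
            reasons.append("high-privilege application permissions: " + ", ".join(risky))
        if not app.get("owners"):
            reasons.append("no owner")  # nobody to answer for it, nobody to notice misuse
        last = app.get("lastSignIn")
        if last is None or now - _parse(last) > timedelta(days=dormant_days):
            reasons.append(f"dormant: no sign-in in the last {dormant_days} days")
        if now - _parse(app["createdDateTime"]) <= timedelta(days=new_days):
            reasons.append(f"created within the last {new_days} days")
        if reasons:
            findings[app["displayName"]] = reasons
    # Most reasons first: a dormant, ownerless app with mailbox-wide access tops the list.
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for name, reasons in audit_oauth_apps(SAMPLE_APPS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The ordering is the point: the forgotten, ownerless test app with mailbox-wide access is the one that should be deleted outright, while a brand-new app with broad permissions is the one to verify against a change ticket before it has been in place long enough to look normal.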

Finally, close gaps in your cybersecurity by moving to a consolidated platform like Coro. Too many organizations rely on a large number of tools to defend against different threats, but the danger lies in the exploitable gaps between disparate tools.

To learn more, read our post: “Why a Cybersecurity Platform Beats Standalone Applications.”