APT29
Aliases: IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). It has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.
ATT&CK techniques
Multi-Factor Authentication Request Generation (T1621)
Security Account Manager (T1003.002)
Tool (T1588.002)
Domain Fronting (T1090.004)
Steal Application Access Token (T1528)
Dynamic Resolution (T1568)
Exploitation for Privilege Escalation (T1068)
Windows Management Instrumentation Event Subscription (T1546.003)
Registry Run Keys / Startup Folder (T1547.001)
Cloud Account (T1136.003)
Device Registration (T1098.005)
Digital Certificates (T1587.003)
Data from Local System (T1005)
Ingress Tool Transfer (T1105)
Cloud Administration Command (T1651)
Spearphishing Attachment (T1566.001)
Cloud Accounts (T1078.004)
Scheduled Task (T1053.005)
Internet Connection Discovery (T1016.001)
Malware (T1587.001)
Web Services (T1583.006)
Multi-hop Proxy (T1090.003)
Boot or Logon Initialization Scripts (T1037)
HTML Smuggling (T1027.006)
File Deletion (T1070.004)
Exploitation for Client Execution (T1203)
Pass the Ticket (T1550.003)
Malicious Link (T1204.001)
Match Legitimate Name or Location (T1036.005)
Password Spraying (T1110.003)
Remote Email Collection (T1114.002)
Binary Padding (T1027.001)
Hybrid Identity (T1556.007)
PowerShell (T1059.001)
External Remote Services (T1133)
RC Scripts (T1037.004)
Cloud Services (T1021.007)
Vulnerability Scanning (T1595.002)
Spearphishing Link (T1566.002)
Timestomp (T1070.006)
Cloud Accounts (T1586.003)
External Proxy (T1090.002)
Encrypted Channel (T1573)
Windows Management Instrumentation (T1047)
Password Guessing (T1110.001)
Trusted Relationship (T1199)
Spearphishing via Service (T1566.003)
Valid Accounts (T1078)
Web Shell (T1505.003)
Python (T1059.006)
Hide Infrastructure (T1665)
Mshta (T1218.005)
LSA Secrets (T1003.004)
Exploit Public-Facing Application (T1190)
Mark-of-the-Web Bypass (T1553.005)
Steal or Forge Authentication Certificates (T1649)
Cloud Account (T1087.004)
Additional Email Delegate Permissions (T1098.002)
Local Accounts (T1078.003)
Accessibility Features (T1546.008)
Cloud API (T1059.009)
Email Accounts (T1586.002)
Disable or Modify Cloud Logs (T1562.008)
Malicious File (T1204.002)
Bypass User Account Control (T1548.002)
Software Packing (T1027.002)
Disable or Modify Tools (T1562.001)
Masquerade Task or Service (T1036.004)
Windows Command Shell (T1059.003)
Deobfuscate/Decode Files or Information (T1140)
Web Session Cookie (T1550.004)
DCSync (T1003.006)
Archive via Utility (T1560.001)
Domain Groups (T1069.002)
Visual Basic (T1059.005)
Obfuscated Files or Information (T1027)
Data from Information Repositories (T1213)
Credentials from Password Stores (T1555)
Process Discovery (T1057)
Account Discovery (T1087)
Domains (T1583.001)
Masquerading (T1036)
File and Directory Discovery (T1083)
Indicator Removal (T1070)
Compromise Software Supply Chain (T1195.002)
Trust Modification (T1484.002)
Additional Cloud Credentials (T1098.001)
Domain Accounts (T1078.002)
Permission Groups Discovery (T1069)
Use Alternate Authentication Material (T1550)
Remote Desktop Protocol (T1021.001)
Domains (T1584.001)
Application Access Token (T1550.001)
Code Repositories (T1213.003)
Windows Remote Management (T1021.006)
Web Cookies (T1606.001)
System Information Discovery (T1082)
Domain Trust Discovery (T1482)
Non-Application Layer Protocol (T1095)
Remote Data Staging (T1074.002)
Internal Proxy (T1090.001)
Steganography (T1001.002)
Credentials (T1589.001)
Bidirectional Communication (T1102.002)
Credentials from Web Browsers (T1555.003)
SAML Tokens (T1606.002)
Code Signing (T1553.002)
Disable or Modify System Firewall (T1562.004)
Clear Mailbox Data (T1070.008)
Private Keys (T1552.004)
Rundll32 (T1218.011)
SMB/Windows Admin Shares (T1021.002)
Web Protocols (T1071.001)
Disable Windows Event Logging (T1562.002)
Additional Cloud Roles (T1098.003)
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002)
Steal Web Session Cookie (T1539)
Kerberoasting (T1558.003)
Remote System Discovery (T1018)
Domain Account (T1087.002)
Shortcut Modification (T1547.009)
Correlated CTI and IR reports
Attribution Methodology: How to Build, Defend, and Challenge a Threat Actor Attribution (1200km CTI repository, explicit report mention)
From Threat Intelligence to Detection: A Practitioner's Guide (1200km CTI repository, explicit report mention)
Malicious Activity as a Statistical Signal: A Detection Engineering Analysis of Anomaly-Based Detection (1200km CTI repository, explicit report mention)
ATT&CK as a Working Tool: Theory and Hands-On Practical Usage (1200km CTI repository, explicit report mention)
Applying Sherman Kent's Analytic Discipline to CTI: A Practical Analyst Guide (1200km Medium, authored report mention)
Attribution Methodology: How to Build, Defend, and Challenge a Threat Actor Attribution (1200km Medium, authored report mention)
From Threat Intelligence to Detection: A Practitioner's Guide (1200km Medium, authored report mention)
Malicious Activity as a Statistical Signal: A Detection Engineering Analysis of Anomaly-Based (1200km Medium, authored report mention)