Skip to content

G0016 APT29

APT29 is threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR).2723 They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.75124

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.1825 Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.915321726

Item Value
ID G0016
Associated Names IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune
Version 4.0
Created 31 May 2017
Last Modified 16 April 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
IRON RITUAL 22
IRON HEMLOCK 21
NobleBaron 10
Dark Halo 2
StellarParticle 34
NOBELIUM 15121413
UNC2452 9
YTTRIUM 11
The Dukes 781617
Cozy Bear 1816174
CozyDuke 1
SolarStorm 26
Blue Kitsune 2019

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control APT29 has bypassed UAC.30
enterprise T1087 Account Discovery During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.2
enterprise T1087.002 Domain Account During the SolarWinds Compromise, APT29 used PowerShell to discover domain accounts by exectuing Get-ADUser and Get-ADGroupMember.422
enterprise T1087.004 Cloud Account APT29 has conducted enumeration of Azure AD accounts.34
enterprise T1098 Account Manipulation -
enterprise T1098.001 Additional Cloud Credentials During the SolarWinds Compromise, APT29 added credentials to OAuth Applications and Service Principals.414
enterprise T1098.002 Additional Email Delegate Permissions APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with ApplicationImpersonation rights to start collecting emails from targeted mailboxes.29

During the SolarWinds Compromise, APT29 added their own devices as allowed IDs for active sync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.24134
enterprise T1098.003 Additional Cloud Roles During the SolarWinds Compromise, APT29 granted company administrator privileges to a newly created service principle.4
enterprise T1098.005 Device Registration APT29 has enrolled a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account.29

During the SolarWinds Compromise, APT29 registered devices in order to enable mailbox syncing via the Set-CASMailbox command.2
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains For Operation Ghost, APT29 registered domains for use in C2 including some crafted to appear as existing legitimate domains.8

For the SolarWinds Compromise, APT29 acquired C2 domains, sometimes through resellers.1542
enterprise T1583.006 Web Services APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.3912
enterprise T1595 Active Scanning -
enterprise T1595.002 Vulnerability Scanning APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.17
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols During the SolarWinds Compromise, APT29 used HTTP for C2 and data exfiltration.2
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility During the SolarWinds Compromise, APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfltration; APT29 also compressed text files into zipped archives.2444
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT29 added Registry Run keys to establish persistence.30
enterprise T1110 Brute Force -
enterprise T1110.001 Password Guessing APT29 has successfully conducted password guessing attacks against a list of mailboxes.29
enterprise T1110.003 Password Spraying APT29 has conducted brute force password spray attacks.1334
enterprise T1651 Cloud Administration Command APT29 has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines.34
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.33303221

During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.2464
enterprise T1059.003 Windows Command Shell During the SolarWinds Compromise, APT29 used cmd.exe to execute commands on remote machines.246
enterprise T1059.005 Visual Basic For the SolarWinds Compromise, APT29 wrote malware such as Sibot in Visual Basic.17
enterprise T1059.006 Python APT29 has developed malware variants written in Python.33
enterprise T1059.009 Cloud API APT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. They have also utilized AADInternals PowerShell Modules to access the API 14
enterprise T1586 Compromise Accounts -
enterprise T1586.002 Email Accounts APT29 has compromised email accounts to further enable phishing campaigns and taken control of dormant accounts.2829
enterprise T1586.003 Cloud Accounts APT29 has used residential proxies, including Azure Virtual Machines, to obfuscate their access to victim environments.29
enterprise T1584 Compromise Infrastructure -
enterprise T1584.001 Domains For the SolarWinds Compromise, APT29 compromised domains to use for C2.15
enterprise T1136 Create Account -
enterprise T1136.003 Cloud Account APT29 can create new users through Azure AD.34
enterprise T1555 Credentials from Password Stores During the SolarWinds Compromise, APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.44
enterprise T1555.003 Credentials from Web Browsers During the SolarWinds Compromise, APT29 stole users’ saved passwords from Chrome.4
enterprise T1213 Data from Information Repositories During the SolarWinds Compromise, APT29 accessed victims’ internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.4
enterprise T1213.003 Code Repositories During the SolarWinds Compromise, APT29 downloaded source code from code repositories.47
enterprise T1005 Data from Local System During the SolarWinds Compromise, APT29 extracted files from compromised networks.2
enterprise T1001 Data Obfuscation -
enterprise T1001.002 Steganography During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers.8
enterprise T1074 Data Staged -
enterprise T1074.002 Remote Data Staging During the SolarWinds Compromise, APT29 staged data and files in password-protected archives on a victim’s OWA server.2
enterprise T1140 Deobfuscate/Decode Files or Information During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware.45
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware APT29 has used unique malware in many of their operations.73014

For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke.8

For the SolarWinds Compromise, APT29 used numerous pieces of malware that were likely developed for or by the group, including SUNBURST, SUNSPOT, Raindrop, and TEARDROP.9344

enterprise T1587.003 Digital Certificates APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.2019
enterprise T1484 Domain Policy Modification -
enterprise T1484.002 Domain Trust Modification During the SolarWinds Compromise, APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.2243
enterprise T1482 Domain Trust Discovery During the SolarWinds Compromise, APT29 used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.2 They also used AdFind to enumerate domains and to discover trust between federated domains.444
enterprise T1568 Dynamic Resolution During the SolarWinds Compromise, APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.2
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection APT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant.29

During the SolarWinds Compromise, APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.217
enterprise T1573 Encrypted Channel APT29 has used multiple layers of encryption within malware to protect C2 communication.21
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes.8
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription APT29 has used WMI event subscriptions for persistence.30

During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware.8

During the SolarWinds Compromise, APT29 used a WMI event filter to invoke a command-line event consumer at system boot time to launch a backdoor with rundll32.exe.4443
enterprise T1546.008 Accessibility Features APT29 used sticky-keys to obtain unauthenticated, privileged console access.3038
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol During the SolarWinds Compromise, APT29 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim’s OWA servers.2
enterprise T1190 Exploit Public-Facing Application APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.1716

During the SolarWinds Compromise, APT29 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.217
enterprise T1203 Exploitation for Client Execution APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.71712
enterprise T1068 Exploitation for Privilege Escalation APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host.32
enterprise T1133 External Remote Services APT29 has used compromised identities to access networks via VPNs and Citrix.1629

For the SolarWinds Compromise, APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools.154
enterprise T1083 File and Directory Discovery During the SolarWinds Compromise, APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.2
enterprise T1606 Forge Web Credentials -
enterprise T1606.001 Web Cookies During the SolarWinds Compromise, APT29 bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.2
enterprise T1606.002 SAML Tokens During the SolarWinds Compromise, APT29 created tokens using compromised SAML signing certificates.4122
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.001 Credentials For the SolarWinds Compromise, APT29 conducted credential theft operations to obtain credentials to be used for access to victim environments.4
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools APT29 has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.29

During the SolarWinds Compromise, APT29 used the service control manager on a remote system to disable services associated with security monitoring products.44
enterprise T1562.002 Disable Windows Event Logging During the SolarWinds Compromise, APT29, used AUDITPOL to prevent the collection of audit logs.44
enterprise T1562.004 Disable or Modify System Firewall During the SolarWinds Compromise, APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.44
enterprise T1070 Indicator Removal During the SolarWinds Compromise, APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.9
enterprise T1070.004 File Deletion APT29 has used SDelete to remove artifacts from victim networks.30

During the SolarWinds Compromise, APT29 routinely removed their tools, including custom backdoors, once remote access was achieved.9
enterprise T1070.006 Timestomp During the SolarWinds Compromise, APT29 modified timestamps of backdoors to match legitimate Windows files.44
enterprise T1070.008 Clear Mailbox Data During the SolarWinds Compromise, APT29 removed evidence of email export requests using Remove-MailboxExportRequest.2
enterprise T1105 Ingress Tool Transfer APT29 has downloaded additional tools and malware onto compromised networks.30207

During the SolarWinds Compromise, APT29 downloaded additional malware, such as TEARDROP and Cobalt Strike, onto a compromised host following initial access.9
enterprise T1036 Masquerading During the SolarWinds Compromise, APT29 set the hostnames of their C2 infrastructure to match legitimate hostnames in the victim environment. They also used IP addresses originating from the same country as the victim for their VPN infrastructure.9
enterprise T1036.004 Masquerade Task or Service During the SolarWinds Compromise, APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.2
enterprise T1036.005 Match Legitimate Name or Location APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.1029

During the SolarWinds Compromise, APT29 renamed software and DLLs with legitimate names to appear benign.246
enterprise T1556 Modify Authentication Process -
enterprise T1556.007 Hybrid Identity APT29 has edited the Microsoft.IdentityServer.Servicehost.exe.config file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.40
enterprise T1621 Multi-Factor Authentication Request Generation APT29 has used repeated MFA requests to gain access to victim accounts.36
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.001 Binary Padding APT29 used large size files to avoid detection by security solutions with hardcoded size limits.10
enterprise T1027.002 Software Packing APT29 used UPX to pack files.30
enterprise T1027.003 Steganography During Operation Ghost, APT29 used steganography to hide payloads inside valid images.8
enterprise T1027.006 HTML Smuggling APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.32
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.307
enterprise T1003 OS Credential Dumping -
enterprise T1003.006 DCSync During the SolarWinds Compromise, APT29 used privileged accounts to replicate directory service data with domain controllers.43444
enterprise T1069 Permission Groups Discovery During the SolarWinds Compromise, APT29 used the Get-ManagementRoleAssignment PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.2
enterprise T1069.002 Domain Groups During the SolarWinds Compromise, APT29 used AdFind to enumerate domain groups.4
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.7123221
enterprise T1566.002 Spearphishing Link APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.301231
enterprise T1566.003 Spearphishing via Service APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.12
enterprise T1057 Process Discovery During the SolarWinds Compromise, APT29 used multiple command-line utilities to enumerate running processes.2444
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy During the SolarWinds Compromise, APT29 used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of Cobalt Strike to use a network pipe over SMB.445
enterprise T1090.003 Multi-hop Proxy A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR.3034
enterprise T1090.004 Domain Fronting APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.30
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol During the SolarWinds Compromise, APT29 used RDP sessions from public-facing systems to internal servers.4
enterprise T1021.002 SMB/Windows Admin Shares During the SolarWinds Compromise, APT29 used administrative accounts to connect over SMB to targeted users.4
enterprise T1021.006 Windows Remote Management During the SolarWinds Compromise, APT29 used WinRM via PowerShell to execute commands and payloads on remote hosts.45
enterprise T1021.007 Cloud Services APT29 has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment, including through the use of Azure AD PowerShell.35
enterprise T1018 Remote System Discovery During the SolarWinds Compromise, APT29 used AdFind to enumerate remote systems.44
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task APT29 has used named and hijacked scheduled tasks to establish persistence.30

During the SolarWinds Compromise, APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement. They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted.293
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell APT29 has installed web shells on exploited Microsoft Exchange servers.17
enterprise T1649 Steal or Forge Authentication Certificates APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.37
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting During the SolarWinds Compromise, APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.44
enterprise T1539 Steal Web Session Cookie During the SolarWinds Compromise, APT29 stole Chrome browser cookies by copying the Chrome profile directories of targeted users.4
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing During the SolarWinds Compromise, APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.9
enterprise T1553.005 Mark-of-the-Web Bypass APT29 has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.32
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain During the SolarWinds Compromise, APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.4891744
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta APT29 has use mshta to execute malicious scripts on a compromised host.32
enterprise T1218.011 Rundll32 During the SolarWinds Compromise, APT29 used Rundll32.exe to execute payloads.4144
enterprise T1082 System Information Discovery During the SolarWinds Compromise, APT29 used fsutil to check available free space before executing actions that might create large files on disk.44
enterprise T1016 System Network Configuration Discovery -
enterprise T1016.001 Internet Connection Discovery During the SolarWinds Compromise, APT29 used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.15
enterprise T1199 Trusted Relationship APT29 has compromised IT, cloud services, and managed services providers to gain broad access to multiple customers for subsequent operations.34

During the SolarWinds Compromise, APT29 gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.174
enterprise T1552 Unsecured Credentials -
enterprise T1552.004 Private Keys During the SolarWinds Compromise, APT29 obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.4317
enterprise T1550 Use Alternate Authentication Material During the SolarWinds Compromise, APT29 used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling APT29 to access enterprise cloud applications and services.4322
enterprise T1550.001 Application Access Token During the SolarWinds Compromise, APT29 used compromised service principals to make changes to the Office 365 environment.4
enterprise T1550.003 Pass the Ticket APT29 used Kerberos ticket attacks for lateral movement.30
enterprise T1550.004 Web Session Cookie During the SolarWinds Compromise, APT29 used stolen cookies to access cloud resources and a forged duo-sid cookie to bypass MFA set on an email account.24
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link.1231
enterprise T1204.002 Malicious File APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. 73221
enterprise T1078 Valid Accounts APT29 has used a compromised account to access an organization’s VPN infrastructure.29

During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally.91517
enterprise T1078.002 Domain Accounts For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.8

During the SolarWinds Compromise, APT29 used domain administrators’ accounts to help facilitate lateral movement on compromised networks.4
enterprise T1078.003 Local Accounts During the SolarWinds Compromise, APT29 used compromised local accounts to access victims’ networks.4
enterprise T1078.004 Cloud Accounts APT29 has gained access to a global administrator account in Azure AD.29

During the SolarWinds Compromise, APT29 used a compromised O365 administrator account to create a new Service Principal.4
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers.8
enterprise T1047 Windows Management Instrumentation APT29 used WMI to steal credentials and execute backdoors at a future time.30

During the SolarWinds Compromise, APT29 used WMI for the remote execution of files for lateral movement.4344

Software

ID Name References Techniques
S0677 AADInternals 34 Cloud Account:Account Discovery Device Registration:Account Manipulation Cloud Administration Command Cloud Service Discovery PowerShell:Command and Scripting Interpreter Cloud Account:Create Account Domain Trust Modification:Domain Policy Modification Exfiltration Over Alternative Protocol SAML Tokens:Forge Web Credentials Email Addresses:Gather Victim Identity Information Domain Properties:Gather Victim Network Information Hybrid Identity:Modify Authentication Process Multi-Factor Authentication:Modify Authentication Process Modify Registry LSA Secrets:OS Credential Dumping Cloud Groups:Permission Groups Discovery Spearphishing Link:Phishing Spearphishing Link:Phishing for Information Steal Application Access Token Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Credentials In Files:Unsecured Credentials
S0552 AdFind 46432 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Network Configuration Discovery
S0521 BloodHound 32 Local Account:Account Discovery Domain Account:Account Discovery Archive Collected Data PowerShell:Command and Scripting Interpreter Domain Trust Discovery Group Policy Discovery Native API Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Owner/User Discovery
S0635 BoomBox 14 Domain Account:Account Discovery Email Account:Account Discovery Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Deobfuscate/Decode Files or Information Execution Guardrails Exfiltration to Cloud Storage:Exfiltration Over Web Service File and Directory Discovery Ingress Tool Transfer Masquerading Obfuscated Files or Information Rundll32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery Malicious File:User Execution Web Service
S0054 CloudDuke 7 Web Protocols:Application Layer Protocol Ingress Tool Transfer Bidirectional Communication:Web Service
S0154 Cobalt Strike 917121410322231 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0050 CosmicDuke 721 Web Protocols:Application Layer Protocol Automated Exfiltration Clipboard Data Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Data from Local System Data from Network Shared Drive Data from Removable Media Local Email Collection:Email Collection Symmetric Cryptography:Encrypted Channel Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Exploitation for Privilege Escalation File and Directory Discovery Keylogging:Input Capture Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Scheduled Task:Scheduled Task/Job Screen Capture
S0046 CozyCar 721 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Rename System Utilities:Masquerading Obfuscated Files or Information LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping Scheduled Task:Scheduled Task/Job Security Software Discovery:Software Discovery Rundll32:System Binary Proxy Execution System Information Discovery Virtualization/Sandbox Evasion Bidirectional Communication:Web Service
S0634 EnvyScout 14 JavaScript:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information Execution Guardrails Forced Authentication Hidden Files and Directories:Hide Artifacts Masquerading HTML Smuggling:Obfuscated Files or Information Obfuscated Files or Information Spearphishing Attachment:Phishing Rundll32:System Binary Proxy Execution System Information Discovery Malicious File:User Execution
S0512 FatDuke 821 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Fallback Channels File and Directory Discovery File Deletion:Indicator Removal Masquerading Native API Obfuscated Files or Information Binary Padding:Obfuscated Files or Information Software Packing:Obfuscated Files or Information Process Discovery Internal Proxy:Proxy Query Registry Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery Time Based Evasion:Virtualization/Sandbox Evasion
S0661 FoggyWeb 53 Web Protocols:Application Layer Protocol Archive via Custom Method:Archive Collected Data Archive via Library:Archive Collected Data Data from Local System Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Masquerading Native API Network Sniffing Compile After Delivery:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Reflective Code Loading Shared Modules Private Keys:Unsecured Credentials Use Alternate Authentication Material
S0049 GeminiDuke 7 Local Account:Account Discovery Web Protocols:Application Layer Protocol File and Directory Discovery Process Discovery System Network Configuration Discovery System Service Discovery
S0597 GoldFinder 15171422 Web Protocols:Application Layer Protocol Automated Collection Internet Connection Discovery:System Network Configuration Discovery
S0588 GoldMax 1517121422 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Junk Data:Data Obfuscation Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Ingress Tool Transfer Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Obfuscated Files or Information Software Packing:Obfuscated Files or Information Scheduled Task:Scheduled Task/Job Cron:Scheduled Task/Job System Network Configuration Discovery System Time Discovery System Checks:Virtualization/Sandbox Evasion Time Based Evasion:Virtualization/Sandbox Evasion
S0037 HAMMERTOSS 721 Web Protocols:Application Layer Protocol PowerShell:Command and Scripting Interpreter Steganography:Data Obfuscation Symmetric Cryptography:Encrypted Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service Hidden Window:Hide Artifacts One-Way Communication:Web Service
S0100 ipconfig 52 System Network Configuration Discovery
S0513 LiteDuke 821 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Deobfuscate/Decode Files or Information File Deletion:Indicator Removal Ingress Tool Transfer Steganography:Obfuscated Files or Information Software Packing:Obfuscated Files or Information Query Registry Security Software Discovery:Software Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery Time Based Evasion:Virtualization/Sandbox Evasion
S0175 meek 30 Domain Fronting:Proxy
S0002 Mimikatz 7434 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0051 MiniDuke 7821 Web Protocols:Application Layer Protocol Domain Generation Algorithms:Dynamic Resolution Fallback Channels File and Directory Discovery Ingress Tool Transfer Obfuscated Files or Information Internal Proxy:Proxy System Information Discovery Dead Drop Resolver:Web Service
S0637 NativeZone 10 Deobfuscate/Decode Files or Information Execution Guardrails Masquerading Rundll32:System Binary Proxy Execution Malicious File:User Execution System Checks:Virtualization/Sandbox Evasion
S0039 Net 52 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0052 OnionDuke 7821 Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Endpoint Denial of Service OS Credential Dumping One-Way Communication:Web Service
S0048 PinchDuke 7 Web Protocols:Application Layer Protocol Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Data from Local System File and Directory Discovery OS Credential Dumping System Information Discovery
S0518 PolyglotDuke 821 Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Ingress Tool Transfer Modify Registry Native API Obfuscated Files or Information Steganography:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Rundll32:System Binary Proxy Execution Dead Drop Resolver:Web Service
S0150 POSHSPY 56 PowerShell:Command and Scripting Interpreter Data Transfer Size Limits Domain Generation Algorithms:Dynamic Resolution Asymmetric Cryptography:Encrypted Channel Windows Management Instrumentation Event Subscription:Event Triggered Execution Timestomp:Indicator Removal Ingress Tool Transfer Obfuscated Files or Information
S0139 PowerDuke 57 Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Data Destruction File and Directory Discovery NTFS File Attributes:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Steganography:Obfuscated Files or Information Process Discovery Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery
S0029 PsExec 78 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0565 Raindrop 451422 Deobfuscate/Decode Files or Information Match Legitimate Name or Location:Masquerading Masquerading Steganography:Obfuscated Files or Information Obfuscated Files or Information Software Packing:Obfuscated Files or Information Time Based Evasion:Virtualization/Sandbox Evasion
S0511 RegDuke 821 PowerShell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Windows Management Instrumentation Event Subscription:Event Triggered Execution Ingress Tool Transfer Modify Registry Obfuscated Files or Information Steganography:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Bidirectional Communication:Web Service
S0684 ROADTools 34 Cloud Account:Account Discovery Automated Collection Cloud Service Discovery Cloud Groups:Permission Groups Discovery Remote System Discovery Cloud Accounts:Valid Accounts
S0195 SDelete 30 Data Destruction File Deletion:Indicator Removal
S0053 SeaDuke 72133 Web Protocols:Application Layer Protocol Archive via Library:Archive Collected Data Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Remote Email Collection:Email Collection Symmetric Cryptography:Encrypted Channel Windows Management Instrumentation Event Subscription:Event Triggered Execution File Deletion:Indicator Removal Ingress Tool Transfer Software Packing:Obfuscated Files or Information Pass the Ticket:Use Alternate Authentication Material Valid Accounts
S0589 Sibot 15171422 Web Protocols:Application Layer Protocol Visual Basic:Command and Scripting Interpreter Deobfuscate/Decode Files or Information File Deletion:Indicator Removal Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Modify Registry Command Obfuscation:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Query Registry Scheduled Task:Scheduled Task/Job Rundll32:System Binary Proxy Execution Mshta:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery Web Service Windows Management Instrumentation
S0633 Sliver 1721 Access Token Manipulation DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Standard Encoding:Data Encoding Steganography:Data Obfuscation Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Ingress Tool Transfer Obfuscated Files or Information Process Injection Screen Capture System Network Configuration Discovery System Network Connections Discovery
S0516 SoreFang 1652 Local Account:Account Discovery Domain Account:Account Discovery Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Exploit Public-Facing Application File and Directory Discovery Ingress Tool Transfer Obfuscated Files or Information Domain Groups:Permission Groups Discovery Process Discovery Scheduled Task:Scheduled Task/Job System Information Discovery System Network Configuration Discovery
S0559 SUNBURST 91222 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Visual Basic:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Junk Data:Data Obfuscation Protocol Impersonation:Data Obfuscation Steganography:Data Obfuscation Dynamic Resolution Symmetric Cryptography:Encrypted Channel Image File Execution Options Injection:Event Triggered Execution File and Directory Discovery Disable or Modify Tools:Impair Defenses Indicator Removal File Deletion:Indicator Removal Clear Network Connection History and Configurations:Indicator Removal Clear Persistence:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Modify Registry Obfuscated Files or Information Indicator Removal from Tools:Obfuscated Files or Information Process Discovery Query Registry Security Software Discovery:Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Service Discovery Time Based Evasion:Virtualization/Sandbox Evasion System Checks:Virtualization/Sandbox Evasion Windows Management Instrumentation
S0562 SUNSPOT 314 Access Token Manipulation Stored Data Manipulation:Data Manipulation Deobfuscate/Decode Files or Information Execution Guardrails File and Directory Discovery File Deletion:Indicator Removal Match Legitimate Name or Location:Masquerading Native API Obfuscated Files or Information Process Discovery Compromise Software Supply Chain:Supply Chain Compromise
S0096 Systeminfo 52 System Information Discovery
S0057 Tasklist 52 Process Discovery Security Software Discovery:Software Discovery System Service Discovery
S0560 TEARDROP 9121422 Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Match Legitimate Name or Location:Masquerading Modify Registry Obfuscated Files or Information Query Registry
S0183 Tor 30 Asymmetric Cryptography:Encrypted Channel Multi-hop Proxy:Proxy
S0682 TrailBlazer 4 Web Protocols:Application Layer Protocol Junk Data:Data Obfuscation Data Obfuscation Windows Management Instrumentation Event Subscription:Event Triggered Execution Masquerading
S0636 VaporRage 14 Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Execution Guardrails Ingress Tool Transfer
S0515 WellMail 541617 Archive Collected Data Data from Local System Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Ingress Tool Transfer Non-Application Layer Protocol Non-Standard Port System Network Configuration Discovery System Owner/User Discovery
S0514 WellMess 2019551617 Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Junk Data:Data Obfuscation Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Domain Groups:Permission Groups Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery

References

  1. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  2. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 

  3. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  4. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 

  5. Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. 

  6. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  7. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  8. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  9. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  10. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. 

  11. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. 

  12. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. 

  13. MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021. 

  14. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  15. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  16. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. 

  17. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. 

  18. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021. 

  19. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020. 

  20. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  21. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022. 

  22. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022. 

  23. UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021. 

  24. UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021. 

  25. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021. 

  26. Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023. 

  27. White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021. 

  28. ANSSI. (2021, December 6). PHISHING CAMPAIGNS BY THE NOBELIUM INTRUSION SET. Retrieved April 13, 2022. 

  29. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. 

  30. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. 

  31. Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022. 

  32. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022. 

  33. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015. 

  34. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022. 

  35. Mandiant. (2022, August). Remediation and Hardening Strategies for Microsoft 365 to Defend Against APT29. Retrieved February 21, 2023. 

  36. Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock. (2021, December 6). Suspected Russian Activity Targeting Government and Business Entities Around the Globe. Retrieved April 15, 2022. 

  37. Wolfram, J. et al. (2022, April 28). Trello From the Other Side: Tracking APT29 Phishing Campaigns. Retrieved August 3, 2022. 

  38. Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017. 

  39. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. 

  40. Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022. 

  41. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020. 

  42. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  43. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021. 

  44. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. 

  45. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. 

  46. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  47. MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation – Final Update. Retrieved May 14, 2021. 

  48. Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021. 

  49. FBI, CISA, ODNI, NSA. (2022, January 5). Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). Retrieved March 26, 2023. 

  50. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023. 

  51. SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021. 

  52. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  53. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  54. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. 

  55. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 

  56. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. 

  57. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.