
APT29 Evaluation: Overview

Adversary Emulated

APT29 (also tracked as Cozy Bear and The Dukes); this evaluation is also referred to as ATT&CK Evaluations Round 2

Evaluation Status

In progress

Participants

Bitdefender, Cylance, Carbon Black, CrowdStrike, CyCraft, Cybereason, EndGame, F-Secure, FireEye, GoSecure, HanSight, Kaspersky, Malwarebytes, McAfee, Windows Defender ATP, Palo Alto Networks, ReaQta, Secureworks, SentinelOne, Symantec, Trend Micro

Emulation Tools

Scenario 1: Pupy, Meterpreter, custom tools
Scenario 2: PoshC2, custom tools

ATT&CK Description

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008 [1][2]. The group reportedly compromised the Democratic National Committee starting in the summer of 2015 [3].

Emulation Notes

APT29 is distinguished by its commitment to stealth and by sophisticated implementations of techniques delivered through an arsenal of custom malware. APT29 typically accomplishes its goals with custom compiled binaries and alternative execution methods such as PowerShell and WMI. APT29 has also been known to vary its operational cadence (smash-and-grab versus slow-and-deliberate) depending on the perceived intelligence value of a victim and/or the method by which it was infected.

Scenario Overview

Two scenarios emulate publicly reported APT29/Cozy Bear/The Dukes tradecraft and operational flows. The first scenario (executed with Pupy, Meterpreter, and custom tooling) begins with the execution of a payload delivered by a widespread "spray and pray" spearphishing campaign, followed by a rapid "smash and grab" collection and exfiltration of specific file types. After the initial data theft, the adversary recognizes the value of the target and drops a secondary, stealthier toolkit used to further explore and compromise the target network.

The second scenario (executed with PoshC2 and custom tooling) focuses on a very targeted and methodical breach, beginning with the execution of a specially crafted payload designed to scrutinize the target environment before executing. The scenario continues through a low and slow takeover of the initial target and eventually the entire domain. Both scenarios include executing previously established persistence mechanisms after a simulated time lapse to further the scope of the breach.
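The two behaviours singled out above, execution through WMI and PowerShell (Emulation Notes) and the rapid collection of specific file types (Scenario 1), are the kind of thing the participating endpoint products are expected to surface. The following is an added detection sketch written for this page; it is not MITRE's, a participant's, or any emulation tool's code. The event records are constructed, Sysmon-like dictionaries rather than real telemetry, and the interpreter list, target extensions, and burst threshold are assumptions to tune per environment. The one Windows fact it relies on is that processes started through WMI's Win32_Process.Create have WmiPrvSE.exe (the WMI Provider Host) as their parent.

```python
"""Two detection heuristics for APT29-style behaviour over constructed events.

Added example for this page, not part of the ATT&CK Evaluations or MITRE
tooling. Events are constructed, Sysmon-like records; thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Shells and script hosts that are suspicious when their parent is the WMI
# Provider Host (WmiPrvSE.exe), i.e. when launched via Win32_Process.Create.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Document types a "smash and grab" collection typically reaches for
# (assumed list for the example; tune to your environment).
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx"}


def _ts(s):
    return datetime.fromisoformat(s)


def _is_encoded_command_flag(token):
    """True for -EncodedCommand and any unambiguous prefix of it
    (powershell.exe accepts -e, -enc, -encodedc, ...); -ex/-ep are not prefixes."""
    t = token.lower()
    if t.startswith("/"):
        t = "-" + t[1:]
    return t.startswith("-") and len(t) >= 2 and "-encodedcommand".startswith(t)


def detect_wmi_spawned_interpreters(events):
    """Flag process-creation events where WmiPrvSE.exe spawns a shell or
    script host; record whether PowerShell was handed an encoded command."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        image = ntpath.basename(e["image"]).lower()
        parent = ntpath.basename(e["parent"]).lower()
        if parent == "wmiprvse.exe" and image in INTERPRETERS:
            encoded = any(_is_encoded_command_flag(t) for t in e["cmdline"].split())
            alerts.append({"rule": "wmi_spawned_interpreter", "host": e["host"],
                           "ts": e["ts"], "image": image, "encoded_command": encoded})
    return alerts


def detect_collection_bursts(events, threshold=10, window_seconds=60):
    """Flag a process that reads at least `threshold` target-type files inside
    any sliding window of `window_seconds`; one alert per (host, pid)."""
    per_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file_read" and ntpath.splitext(e["path"])[1].lower() in TARGET_EXTS:
            per_proc[(e["host"], e["pid"])].append(e)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, pid), evs in per_proc.items():
        evs.sort(key=lambda x: _ts(x["ts"]))
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]["ts"]) - _ts(evs[start]["ts"]) > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({"rule": "collection_burst", "host": host, "pid": pid,
                               "image": evs[end]["image"], "count": count,
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
                break
    return alerts


def constructed_events():
    """Constructed sample telemetry (not real): one benign PowerShell launch,
    one WMI-spawned encoded PowerShell, one collection burst, one slow editor."""
    base = datetime(2020, 4, 21, 9, 0, 0)
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    ev = [
        {"type": "process", "host": "WS1", "ts": base.isoformat(), "image": ps,
         "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -NoProfile"},
        {"type": "process", "host": "WS1", "ts": (base + timedelta(seconds=5)).isoformat(),
         "image": ps, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
         # dummy base64 payload ("hi" in UTF-16LE), not a real command
         "cmdline": "powershell.exe -nop -w hidden -enc aABpAA=="},
    ]
    for i in range(12):  # 12 documents read in 22 seconds by one process
        ev.append({"type": "file_read", "host": "WS1", "pid": 4242,
                   "image": r"C:\Users\Public\collector.exe",
                   "ts": (base + timedelta(seconds=10 + 2 * i)).isoformat(),
                   "path": rf"C:\Users\alice\Documents\report{i}.docx"})
    for i in range(3):   # a user opening 3 documents over an hour: not a burst
        ev.append({"type": "file_read", "host": "WS1", "pid": 1337,
                   "image": r"C:\Program Files\Editor\editor.exe",
                   "ts": (base + timedelta(minutes=20 * i)).isoformat(),
                   "path": rf"C:\Users\alice\Documents\notes{i}.pdf"})
    return ev


if __name__ == "__main__":
    events = constructed_events()
    for a in detect_wmi_spawned_interpreters(events) + detect_collection_bursts(events):
        print(a)
```

The burst rule deliberately keys on (host, pid) and a sliding window rather than a fixed per-minute bucket, so a collection that straddles a bucket boundary is still counted; the threshold and window are the knobs that separate a human opening files from a script sweeping a directory.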

Additional Resources
  1. The Dukes: 7 years of Russian cyberespionage
  2. GRIZZLY STEPPE – Russian Malicious Cyber Activity
  3. Bears in the Midst: Intrusion into the Democratic National Committee
  4. Who is COZY BEAR (APT 29)?
  5. FireEye - APT29