APT29 is a cyber threat group that has been active since 2008 and is generally considered a proxy for Russia's Foreign Intelligence Service (SVR). APT29 is also known as Cozy Bear. It has been observed attacking government organizations across Europe and within NATO, and targeting research institutes in those regions. APT29 gained notoriety after the compromise of the Democratic National Committee. More recently, the SolarWinds supply chain attack was attributed to the SVR. The targets of that campaign were widespread, spanning technology, government, telecommunications, and many other industries across Europe, North America, Asia, and the Middle East. At the time of the attacks on the Democratic National Committee, APT29 is also believed to have targeted the Department of State and the United States White House.
The cybersecurity cognoscenti believe that APT29 has attempted to compromise dozens of targets. Most recently, APT29 threat actors have been targeting Microsoft 365 accounts in various attempts to exfiltrate sensitive data. According to Mandiant, the attackers have shown sophisticated capabilities in their attempts to disable features such as Advanced Audit, which would prevent defenders from tracing their movements through the audit records of potentially compromised accounts. Additionally, in a display of further technical prowess, APT29 appears to be self-enrolling in multifactor authentication within Microsoft Azure Active Directory.
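The two account-level behaviours described above (tampering with audit licensing and a newly compromised account registering its own MFA method) both leave entries in the Azure AD audit log. The following detection sketch is an added example, not part of the original article or of Mandiant's reporting. It reads simplified JSON-lines records modelled on Azure AD audit-log fields; the records, users, timestamps and the 24-hour correlation window are constructed for the example, and the two activity names are treated as assumptions about what the tenant emits.

```python
"""Correlate two Azure AD audit activities that the text above associates
with APT29 tradecraft: a licence change on an account (the mechanism that
can strip the Advanced Audit capability) followed shortly by that account
registering new MFA security info."""
import json
from datetime import datetime, timedelta

# Activity names as they appear in the Azure AD audit log (assumed for this example).
LICENSE_CHANGE = "Change user license"
MFA_REGISTRATION = "User registered security info"

# Constructed sample records. Field names follow the Azure AD audit-log schema
# in simplified form; every user, time and event here is made up.
SAMPLE_LOG = """
{"activityDateTime": "2024-03-01T08:02:11Z", "activityDisplayName": "Change user license", "initiatedBy": "admin@example.test", "targetUser": "finance1@example.test"}
{"activityDateTime": "2024-03-01T08:09:40Z", "activityDisplayName": "User registered security info", "initiatedBy": "finance1@example.test", "targetUser": "finance1@example.test"}
{"activityDateTime": "2024-03-01T09:15:00Z", "activityDisplayName": "User registered security info", "initiatedBy": "hr2@example.test", "targetUser": "hr2@example.test"}
{"activityDateTime": "2024-03-01T10:00:00Z", "activityDisplayName": "Update user", "initiatedBy": "admin@example.test", "targetUser": "hr2@example.test"}
"""


def parse_events(text):
    """Parse JSON-lines audit records and attach a timezone-aware datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Azure AD timestamps end in 'Z'; fromisoformat wants an explicit offset.
        rec["ts"] = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_suspicious(events, window=timedelta(hours=24)):
    """Return (severity, targetUser, reason) tuples.

    Every licence change is surfaced for review because it is a low-volume,
    high-impact operation. An MFA registration is rated high when the same
    account also had a licence change inside the correlation window, and low
    otherwise (it still deserves a confirmation with the user)."""
    license_changes = {}
    for e in events:
        if e["activityDisplayName"] == LICENSE_CHANGE:
            license_changes.setdefault(e["targetUser"], []).append(e["ts"])

    findings = []
    for e in events:
        name, target = e["activityDisplayName"], e["targetUser"]
        if name == LICENSE_CHANGE:
            findings.append(("medium", target,
                             "licence changed; verify the audit capability was not removed"))
        elif name == MFA_REGISTRATION:
            nearby = [t for t in license_changes.get(target, []) if abs(e["ts"] - t) <= window]
            if nearby:
                findings.append(("high", target,
                                 "MFA security info registered within %s of a licence change" % window))
            else:
                findings.append(("low", target,
                                 "MFA security info registered; confirm with the account owner"))
    return findings


if __name__ == "__main__":
    for severity, user, reason in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f"[{severity:6}] {user}: {reason}")
```

In a real tenant the records would come from the Microsoft Graph audit-log export or a SIEM, and the correlation would normally also pull in sign-in logs so that a registration from an unfamiliar location weighs more than one from a known device.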
APT29 is known for its deep investment in custom malware. This malware includes custom-compiled binaries that leverage tools like PowerShell. APT29 is said to moderate its operational tempo based on many factors. This approach reflects a very high level of sophistication and makes APT29 all the more dangerous and effective in its efforts.
It is also worth noting that threat actors such as APT29 have demonstrated the ability to integrate cloud storage services such as Dropbox and Google Drive into their operations to camouflage their activity and avoid detection. Some of the more recent APT29 campaigns appear to have used Google Drive, perhaps for the first time, which makes APT29 all the more deceptive and dangerous.