The Advanced Persistent Threat (APT) group “APT29” (also known as Cozy Bear, Cozy Duke, The Dukes) is a Russian-based group first reported on in July 2013 by Kaspersky and CrySyS Lab researchers. Prior to this report, malicious activity had been observed but not yet attributed to one sophisticated group. The group boasts an arsenal of custom complex malwares at its disposal and is believed to be sponsored by the Russian Federation government. APT29 has been actively conducting cyber espionage campaigns since 2008, and primarily targets government entities and organizations that work in geopolitical affairs around the world, however, a plethora of other targets have also been identified.
APT29 is a highly sophisticated group that employs a variety of tactics to accomplish their malicious objectives. Similar to other APT groups, APT29’s primary initial infection is spear phishing; APT29 will also wrap its malware with legitimate applications for distribution. Their spear phishing emails are crafted with information gathered from legitimate locations that would be relevant to the target recipient. For example, the group was found to use news articles and paste the content into Word document attachments with malicious macros. Enabling of the macro begins the infection process for one of numerous APT29 malwares; typically the first infection is a backdoor, such as HammerToss, or a toolset such as CosmicDuke. APT29 backdoors often have the ability to download a secondary backdoor, such as POSHSPY, which is used as insurance to maintain persistence if a first-stage backdoor such as PowerDuke, is discovered.
Over the past decade, as described below, APT29 has shown that it is one of the most sophisticated APT groups currently known. The group has conducted numerous campaigns with various tactics that distribute advanced, custom malware to targets located around the globe. APT29’s ability to consistently update spear phishing email content allows them to craft content that is relatable to their targets by providing timely information increases the probability of infection. Tactics are in place that cover every facet of their operations. Distribution, infrastructure, new malwares, and evasion tactics are consistently updated, causing threat intelligence researchers to remain ever vigilant in order to identify new malicious activity.
Figure 1 - APT29 Activity from 2008-2012
Figure 2 - APT29 Activity from 2013-2017
The earliest known malicious APT29 activity was two campaigns that took place in November 2008. These campaigns distributed a custom trojan called “PinchDuke,” according to F-Secure researchers. The only information tying APT29 activity back to 2008 are the timestamps of two PinchDuke samples created on November 5 and 12, 2008.
The earliest identified campaigns targeting the West began in 2009 when the group targeted the following: Ministry of Defense of Georgia, Ministries of foreign affairs of Turkey and Uganda, the North Atlantic Treaty Organization (NATO), and an unnamed U.S. foreign policy think tank. These entities were targeted during various campaigns throughout 2009. The primary tactic used was spear phishing emails withcontext that changed depending on the target and current geopolitical events. The primary objective, of these spear phishing emails, was to install the group’s custom malware toolset called “GeminiDuke.” The email attachments were found to be legitimate news articles that were copied and pasted into documents. F-secure researchers believed the 2009 campaigns were part of an operation by Russia to gather information “on the sentiment of the targeted countries with respect to the plans being discussed at the time for the US to locate their ‘European Interceptor Site’ missile defense base in Poland, with a related radar station that was intended to be located in the Czech Republic.” This theme of geopolitically-themed spear phishing emails continued into 2010.
The spring of 2010 brought about change for APT29 by concentrating its targeting to countries in the Caucasus region, this targeting change also brought a change in their malware usage. The group’s new distribution list consisted of: member countries of the Commonwealth of States which included Azerbaijan, Kazakhstan, Kyrgyzstan, and Uzbekistan. In the first half of 2010, the group began to move away from the PinchDuke trojan in favor of a new information stealing malware toolset called “CosmicDuke.” Researchers believe that the credential stealing capabilities of PinchDuke were slowly implemented into CosmicDuke and, in addition, CosmicDuke was found to embed PinchDuke so it could later be executed on an infected machine during the transition period. APT29 continued their geopolitically-themed spear phishing tactics to distribute CosmicDuke while also taking their first known steps in privilege escalation vulnerabilities. However, instead of finding the vulnerability like some APT groups are capable of, APT29 instead took advantage of open source reporting. The privilege escalation vulnerability used by APT29 was disclosed by security researcher Tavis Ormandy on January 19, 2010 and registered as “CVE-2010-0232.” The Microsoft Windows kernel vulnerability was implemented into CosmicDuke seven days after proof-of-concept code for the vulnerability was published in open sources. These campaigns, new malware, implementation of proof-of-concept code for a vulnerability provided by a security researchers further indicate the sophistication and tenacity of APT29. By the following year, the group evolved again adding new tactics into its arsenal.
APT29 began expanding their infrastructure in 2011. Prior to this year, the group added infrastructure via compromising websites and renting servers to use for Command and Control (C2), and servers that they owned were connected to via IP addresses instead of domains. This was done in an attempt to better conceal their malicious activity. However, during 2011 the group began to register domains in two instances, once in January and again in February, all of which were registered with the name “John Kasai of Klagenfurt, Austria.” With new infrastructure also came two more malwares in “CozyDuke” and “MiniDuke.” At this time, APT29 had three information stealing malwares in its arsenal, CosmicDuke, GeminiDuke, and PinchDuke. MiniDuke represented a simple backdoor that could receive and execute commands on an infected machine, and was found to have code similarities with GeminiDuke. The addition of CozyDuke brought new malicious capabilities. CozyDuke in comparison, boasts more features than MiniDuke and functions more as a malware platform that has different modules which can be used for different objectives such as maintaining persistence via Registry keys, or downloading other malwares. CozyDuke can be instructed to download different modules from a C2 server. Interestingly, with new malware and infrastructure tactics added to its repertoire in 2011, APT29’s activity was dormant the following year in comparison.
2012 represented a year in which APT29 did not add any new tactics or malwares to its arsenal. Instead the group continued to develop and distribute its existing tools, mostly CosmicDuke and MiniDuke. GeminiDuke and CozyDuke were observed to have been used less frequently in this year, however, development of the malwares did occur. For context surrounding this year, Vladimir Putin was elected president for the second time, which was his third term. Putin took the position from his friend, sometimes referred to as his protege, Dmitry Medvedev, who was subsequently appointed as Prime Minister. It may be possible that during election years APT29 focuses on expanding their malicious capabilities, such as infrastructure and tactics and tools, rather than conducting new campaigns.
In 2013, the group exploited an Adobe Reader zero-day vulnerability, registered as “CVE-2013-0640,” to drop a sophisticated malware called “ItaDuke,” according to Kaspersky Lab researchers. Researchers now believe that Kaspersky had actually reported on the MiniDuke malware, which the group had been using since at least 2011. The group distributed emails that contained a malicious PDF file themed around a human rights seminar, Ukraine’s foreign policy, and NATO membership plans. The PDF files contained the Adobe Reader exploit that affects versions 9, 10, and 11. If exploitation is successful, a downloader that is a dropper will then retrieve a “customized backdoor written in Assembler,” i.e. MiniDuke. Upon a system boot, the downloader utilizes a set of calculations which creates a unique fingerprint for the infected host; this fingerprint is then used to create a unique encryption method for malware communication. In addition, other communication methods in this campaign were observed to be accomplished via pre-made Twitter accounts. The malware searches for specific tweets that contain URLs to access C2 servers. If the malware successfully connects to the C2, the backdoor will receive commands such as installing new backdoors onto the system via GIF file. If for some reason the Twitter accounts were taken down, MiniDuke is capable of searching Google for encrypted strings to find C2 servers. In contrast to 2012, APT29 activity took place in multiple campaigns.
APT29 themed their decoy documents, which aimed to infect users with CosmicDuke, used in their spear phishing emails in two notable formats. The first document included a letter that was signed by the then First Deputy Minister for Foreign Affairs of Ukraine. The second document, titled “Ukraine’s Search for a Regional Foreign Policy,” included a letter from the embassy of the Netherlands in Ukraine to the Ukrainian Ministry of Foreign affairs. In an unexpected twist, researchers identified a malicious document that was themed around an order for growth hormones and it appeared to be part of a larger campaign that was targeting Russian-speaking individuals who bought and sold illegal substances. Researchers believe that this campaign was conducted by a group not associated to APT29, and point to the evidence that the CosmicDuke malware is referred to by Kaspersky Lab as “Bot Gen Studio,” which is technically a “legal spyware tool.” This may indicate that a creator of the malware distributed it to two different groups.
In February 2014, Kaspersky Lab researchers found that APT29 was using the custom backdoor written in assembly called, CosmicDuke, that was observed to still use Twitter accounts to retrieve C2 URLs. This version of CosmicDuke was found to be compiled via a framework called “BotGenStudio.” The malware is able to spoof the names and icons of recognizable applications, such as AcrobatUpdater.exe, Chrome.exe, javacc.exe, and WLMerger.exe, and gains persistence by creating a task via Windows Task Scheduler. During this timeframe, the Miniduke backdoor downloader component was updated in an attempt to increase the now reported on malware’s stealth capabilities. The group updated the MiniDuke loader component to what is now called the “Nemesis Gemina loader.” This loader component was also implemented in the CosmicDuke malware.
With the public exposure of MiniDuke causing APT29 to update loader components for it, the public reporting on CosmicDuke in July 2014 also underwent changes. These changes included removing redundant code in attempts to make the malware appear different, and forging Nemesis Gemina loader timestamps. The group was found to have changed the loader timestamp to March 25, 2010, although researchers found that the actual compilation date was July 30, 2014. During 2014, APT29 again showcased their sophistication by not only changing detection techniques but also by introducing a new malware platform and distribution method.
Continuing in 2014, APT29 was once again found to have created another custom malware toolset. The new toolset, dubbed “OnionDuke” and discovered by F-Secure researchers, functions similarly to CozyDuke in that the malware has various modules for different functions. OnionDuke contains modules for denial-of-service attacks, information theft, password stealing, and even posting spam to Russian social media network “VKontakte.” To distribute OnionDuke, APT29 wrapped the malware with legitimate applications. Torrent files were then created that would host these trojanized applications and any individual who used the torrent files to download the applications would be infected with OnionDuke. In addition, OnionDuke was also distributed via a portable executable that masquerades as a GIF image file via a TOR exit node. The GIF file was found to actually be a DLL file “that’s decrypted, written to the disk, and executed and connect[ed] to [a] hardcoded C&C domain” from which the malware can receive commands to execute other OnionDuke components. OnionDuke was used to create a botnet of approximately 1,400 compromised hosts machines. While theories vary upon the use of this botnet there are several possibilities for its use. These include the ability to gather credentials which could be sold on underground forums, distribute spam emails, or conduct relatively small-scale denial-of-service attacks.
By 2015, other security firms such as Symantec and FireEye began reporting on malicious activity attributed to APT29. For instance, Symantec found that a threat group was distributing a custom information stealing trojan called “Cozyduke” via phishing emails. These targeted attacks are now attributed to APT29. This campaign, which dates back to early March 2014 and continued into 2015, targeted diplomatic and governmental organizations. The emails used to target said organizations were themed around “Office Monkeys” videos and “eFax” emails that were “booby-trapped” with Cozyduke payloads. In addition to stealing information and sending to a C2 server, Cozyduke was also observed to be capable of installing other forms of malware on an infected machine. Specifically, machines infected with Cozyduke was found installing the Miniduke backdoor in July 2014. The consistent addition of new custom malware indicated the sophistication of APT29, and just several months later in October the group was discovered to be using a new malware called “Seaduke.”
The Seaduke trojan, which is written in Python, is distributed by Cozyduke via compromised websites. Cozyduke itself receives commands from actor controlled websites via a database file. One of these commands is to execute an encoded PowerShell script to download and execute the Seaduke trojan. Seaduke communicates with the website C2 over HTTP/HTTPS that is layered beneath Base64 encoding and RC4/AES encryption. Seaduke is capable of: archiving data, downloading and uploading files, harvesting emails from a MS Exchange Server using stolen credentials, self-deletion, stealing passwords via a Mimikatz PowerShell, and stealing data via authentic cloud software. The Seaduke trojan is used by APT29 in highly-targeted attacks, thus the infections are lower in volume compared to the Miniduke trojan for example.
In July of 2015, FireEye researchers published a report discussing a new custom malware used by APT29 dubbed “Hammertoss.” The sophisticated piece of malware uses legitimate services for C2 communication to make it more difficult to detect. Hammertoss has been observed using GitHub, Twitter, and cloud storage services for C2 communication; the group has created a tool for creating daily Twitter accounts and even embedding pictures with commands for the malware. In addition, two variants of the Hammertoss malware were found called “Uploader” and “tDiscover.” Uploader uses a hard-coded server for its C2, and is capable of going to a specific URL to acquire an image with a specific file size. In comparison, tDiscover will first contact Twitter to obtain a C2 prior to going to the URL to obtain an image. APT29 is focused on conducting long-lasting espionage campaigns, and communication obfuscation is a primary method the group uses to disguise malicious activity with what appears to be legitimate activity.
Multiple security firms and the U.S. intelligence community believe that the May 2016 breach of the U.S. Democratic National Committee (DNC) was conducted by two different Russian state-sponsored groups. These groups are now known to be APT28 (Fancy Bear), and APT29 (Cozy Bear). CrowdStrike incident response was called in by the DNC and concluded that APT29 had gained access to the DNC network (likely via a spear phishing email) back in the summer of 2015. The group used the “SeaDaddy” (SeaDuke) implant in tandem with a PowerShell backdoor on its DNC target, with persistence accomplished via the Windows Management Instrumentation that was used to “launch malicious code automatically after a specified period of system uptime or on a specific schedule.” Similar to other threat groups and APTs, APT29 deployed the Mimikatz credential stealer to move laterally within a network. In addition, the group also gained illicit access to unclassified networks belonging to the U.S. Joint Chiefs of Staff, the State Department, and the White House.
The spear phishing campaigns targeted a range of organizations in numerous industries. The emails during this timeframe were primarily attempting to redirect a recipient to a malicious website with a provided link that led to a dropper hosted on the webpage. The dropper, once executed, would download one of multiple Remote Access Trojans (RATs). These RATs include, ADobeARM, ATI-Agent, and MiniDionis. The dropper and the RAT payloads are highly configurable via encrypted configuration files, and also contain checks for debugger, sandbox, and virtual machine detectability to avoid analysis.
Other spear phishing tactics observed in August 2016 include distributing Microsoft Word and Excel document that contained authentic content that was harvested from the organization the email purported to be from. If a recipient enables the malicious macro in said files, a downloader would be installed on the machine. This downloader would call out to a compromised web server and download a PNG image. APT29 used steganography methods in the PNG files to conceal components of a new custom backdoor called “PowerDuke.” The PowerDuke campaign began in August and continued through October and targeted multiple Non-governmental Organizations, U.S. and European-based think tanks, and universities.
A separate PowerDuke campaign began in November 2016 and, being the month and year of the U.S. presidential election, was themed after now U.S. President Trump’s claim that elections were being rigged. The first wave of the emails claimed to be from eFax (email@example.com) and whose content claimed to have information related to “The ‘Shocking’ Truth About Election Rigging in the United States.” If the link provided was followed, ZIP file opened, and Microsoft shortcut file (.LNK) followed, Powershell commands would be executed that check to see if a virtual machine is being used, dropped the PowerDuke backdoor, and lastly launch a new clean document. The second identified document continued with the election rigging theme. This time the eFax Solution email, with the subject line containing “Elections Outcome Could Be revised [Facts of Elections Fraud],” document (firstname.lastname@example.org) was a Microsoft Word document with a malicious macro that dropped the PowerDuke backdoor. The third wave of spear phishing emails is believed to be the most distributed, according to Volexity researchers, and claimed to from Harvard University. The subject line for this wave contained the text “Why American Elections Are Flawed” and contained a link to a ZIP file along with a PIN to access it. Inside the ZIP file was an executable that would install PowerDuke if executed. The fourth and fifth waves of this spear phishing campaign changed from statements made by Trump, and instead focused on Hillary and Bill Clinton’s charity organization.
The fourth document was found to once again being distributed via a Harvard University email address; the email address was likely spoofed but could have been compromised to attempt to add legitimacy. The emails purported to be forwarding a message and document from the Clinton Foundation regarding “what really happened during elections.” The document followed APT29 tactics and contained a malicious macro that would begin the infection process for PowerDuke if enabled. The fifth wave also claimed to be a forwarded message from Harvard of a Clinton Foundation message, specifically a Laura Graham from the Foundation. This wave’s malicious document followed the same tactics as the first wave in that the email directed the recipient to a ZIP file that contained a .LNK file. The .LNK file would check for virtual machines, drop PowerDuke, and then launch a benign document.
In March 2017, FireEye Mandiant researchers reported that APT29 was employing a new technique called “domain fronting.” Essentially, domain fronting can disguise outbound network connections to make it appear like they are requests from well-known websites. Using this technique with The Onion Router (TOR) and the TOR obfuscation plugin “meek,” the group created their own encrypted network tunnel that appeared to connect to Google via TLS, while actually providing a hidden communication tunnel for APT29 to remotely access a host via Terminal Services (TS). The TOR services are installed and executed during the installation process of the group’s backdoor. The backdoor creates directories upon installation that impersonate Google services with executable files titled “googleService.exe” (the primary TOR executable and “GoogleUpdate.exe” (the meek-client plugin) in attempts to remain hidden on an infected machine.
As shown through this timeline, APT29 is one the most sophisticated APT groups documented in the cybersecurity community. The adaptability of the group is showcased through multiple custom malwares, infrastructure, and spear phishing campaigns and is also indicative of state-sponsored group, in this case, the government of the Russian Federation. As APT groups sponsored from countries around the world continue to be documented, the groups too will continue to change their tactics and malware. Therefore, it is crucial to be aware of what groups target which industries to assist in identifying the tactics and indicators associated to the group.
Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Global Research & Analysis Team (GReAT), “The MiniDuke Mystery: PDF 0-Day Government Spy Assembler 0x29A Micro Backdoor,” Securelist, accessed May 8, 2018, published February 27, 2013, https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/.
F-Secure Labs Threat Intelligence, “The Dukes: 7 years of Russian cyberespionage,” F-Secure, accessed May 6, 2018, published September 17, 2015, https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf. 3-4.
Ibid., 3, 5, 26.
Ibid., 6, 18.
Global Research & Analysis Team (GReAT), “The MiniDuke Mystery: PDF 0-Day Government Spy Assembler 0x29A Micro Backdoor,” https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/.
F-Secure Labs Threat Intelligence, “The Dukes: 7 years of Russian cyberespionage,” F-Secure, September 17, 2015, https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf. 9.
Ibid., 10, 26.
Global Research & Analysis Team (GReAT),” Miniduke is back: Nemesis Gemina and the Botgen Studio,” Kaspserky Lab Securelist, accessed May 6, 2018, published July 3, 2014, https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/.
F-Secure Labs Threat Intelligence, “The Dukes: 7 years of Russian cyberespionage,” 10.
Ibid., 9, 11-12.
Eduard Kovacs, “OnionDuke APT Malware Distributed Via Malicious Tor Exit Node,” Security Week, accessed May 8, 2018, published November 14, 2014, https://www.securityweek.com/onionduke-apt-malware-distributed-malicious-tor-exit-node.
Symantec Security Response, “”Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory,” Symantec Official Blog, accessed May 8, 2018, published July 13, 2015, https://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory.
FireEye Threat Intelligence, “HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group,” FireEye, accessed May 9, 2018, published July 29, 2015, https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf. 6.
Dimitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” CrowdStrike Blog, accessed May 9, 2018, published June 15,2016, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.
Steven Adair, “PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs,” Volexity Blog, accessed May 9, 2018, published November 9, 2016, https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/.
Matthew Dunwood, “APT29 Domain Fronting with TOR,” FireEye Blog, accessed May 10, 2018, published March 27, 2017, https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html.