APT29: focus on a Russian state-sponsored opponent


Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis of cyber threat intelligence at a global level.

The information reported is the outcome of the collection and analysis work done by TS-WAY specialists for the TS-Intelligence platform.

In this article, we present a profile of APT29, also known as The Dukes and CozyBear, one of Russia’s top state-sponsored adversaries.


APT29: what is it?

APT29, also known by the names The Dukes, CozyBear, Dark Halo, and NOBELIUM, has been active since at least 2008 and conducts Computer Network Exploitation activities to gather intelligence in support of Moscow’s foreign and security policies. Analysts have associated it with the SVR (Služba vnešnej razvedki), the Russian Foreign Intelligence Service.

Its victimology spans organizations worldwide, but its main targets are Western governments and their related organizations. It has also targeted entities in the former Soviet area, such as organizations linked to Chechen extremism.


Global campaigns, between supply chain and social engineering

Among the most notable operations attributed to the group in the past, the supply chain attack based on exploiting vulnerabilities in the SolarWinds Orion framework affected several high-level organizations in the US.

American, Polish, and British intelligence agencies have reported that, since September 2023, APT29 has been exploiting on a large scale, and likely opportunistically, CVE-2023-42793 in JetBrains TeamCity, a popular CI/CD server used by software developers and IT companies.

Victims of these attacks include manufacturing and hosting provider companies in the United States, Europe, Asia and Australia.

In a campaign last year, it adopted a particular social engineering technique: it used compromised Microsoft 365 tenants belonging to small businesses to send phishing messages via Microsoft Teams. The goal appears to have been the exfiltration of sensitive information from the technology, manufacturing, media and NGO sectors.


A large APT29 operation as part of the cyber conflict with Ukraine

In recent months, APT29 has been associated with several campaigns attributable to the conflict between Russia and Ukraine.

One in particular, described last November by the Ukrainian National Cyber Security Coordination Center, was allegedly aimed at gathering information on Azerbaijan’s strategic activities and involved embassies, international organizations and internet service providers from several nations, including Italy, Azerbaijan, Greece and Romania, as well as some large international organizations such as UNICEF, UNHCR and the World Bank.

The offensive began with phishing e-mails that used an advertisement for the sale of a BMW as bait (a tactic already used to target embassies in Kiev). Attached to the messages was a RAR archive exploiting the File Extension Spoofing vulnerability CVE-2023-38831, which allows malicious code to be executed on target systems.
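Archives built for CVE-2023-38831 have a recognizable layout, which gives defenders a cheap triage check before any file is opened: a decoy document whose name ends with a trailing space sits beside a directory with the same name, and that directory holds a script named after the decoy with an executable extension appended. The following Python is an added example written for this article, not code from Telsy, TS-WAY or the Ukrainian report; it takes an archive listing (entry names and a directory flag, as any RAR lister provides) and flags entries matching that pattern. The sample listings, including the "BMW_offer.pdf" lure name, are constructed for the example, and the extension sets are assumptions that a deployment would tune.

```python
"""Heuristic triage of an archive listing for the CVE-2023-38831 layout.

Example code, not part of the original article. Operates on entry names only,
so it runs offline and without any archive library; in practice the listing
would come from a RAR lister (e.g. the ``rarfile`` package's ``infolist()``).
"""
import posixpath
from typing import Iterable, List, NamedTuple

# Assumed: extensions a decoy document in this kind of lure typically carries.
DECOY_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".txt"}
# Assumed: extensions Windows will execute when the spoofed entry is opened.
EXECUTABLE_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk", ".hta"}


class ArchiveEntry(NamedTuple):
    name: str      # path inside the archive, "/"-separated, as a lister reports it
    is_dir: bool


class Finding(NamedTuple):
    decoy: str     # the decoy file the victim is expected to double-click
    payload: str   # the executable entry that would run instead


def find_extension_spoofing(entries: Iterable[ArchiveEntry]) -> List[Finding]:
    """Return every (decoy, payload) pair that matches the spoofing layout."""
    entries = list(entries)
    dirs = {e.name.rstrip("/") for e in entries if e.is_dir}
    files = [e.name for e in entries if not e.is_dir]

    # Some listers omit explicit directory entries, so infer them from file paths.
    for path in files:
        parent = posixpath.dirname(path)
        if parent:
            dirs.add(parent)

    findings: List[Finding] = []
    for path in files:
        parent, decoy = posixpath.split(path)
        # The spoof relies on a name that ends with a space; anything else is benign here.
        if not decoy.endswith(" "):
            continue
        if posixpath.splitext(decoy.rstrip())[1].lower() not in DECOY_EXTENSIONS:
            continue
        # A directory with exactly the decoy's name must exist beside it.
        twin_dir = posixpath.join(parent, decoy)
        if twin_dir not in dirs:
            continue
        # Look for a direct child named "<decoy><executable extension>".
        prefix = twin_dir + "/"
        for candidate in files:
            if not candidate.startswith(prefix):
                continue
            child = candidate[len(prefix):]
            if "/" in child:
                continue  # nested deeper; not the pattern
            if child.startswith(decoy) and posixpath.splitext(child)[1].lower() in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(decoy=path, payload=candidate))
    return findings


# Constructed sample: the layout a CVE-2023-38831 lure archive exhibits.
SAMPLE_LISTING = [
    ArchiveEntry("BMW_offer.pdf ", False),                      # decoy, note the trailing space
    ArchiveEntry("BMW_offer.pdf ", True),                       # same-named directory
    ArchiveEntry("BMW_offer.pdf /BMW_offer.pdf .cmd", False),   # script run when the decoy is opened
    ArchiveEntry("BMW_offer.pdf /BMW_offer.pdf", False),        # real document shown to the victim
    ArchiveEntry("readme.txt", False),
]

# Constructed sample: an ordinary archive that must not be flagged.
BENIGN_LISTING = [
    ArchiveEntry("photos", True),
    ArchiveEntry("photos/car.jpg", False),
    ArchiveEntry("offer.pdf", False),
]


if __name__ == "__main__":
    for label, listing in (("sample lure", SAMPLE_LISTING), ("benign", BENIGN_LISTING)):
        hits = find_extension_spoofing(listing)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  decoy {hit.decoy!r} -> payload {hit.payload!r}")
```

The check deliberately keys on the trailing space, since that is what makes the spoofed directory and the decoy collide; a listing with the same names but no trailing space is ordinary. Because it only reads names, it is safe to run on mail-gateway or sandbox listings before extraction, and it complements rather than replaces updating WinRAR to a fixed version.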


The latest excellent victims of APT29: Microsoft and HPE

APT29 was recently named as the culprit behind compromises that occurred against Microsoft and Hewlett Packard Enterprise (HPE).

In the case of Microsoft, the attack was reportedly initiated in November 2023 and resulted in the adversary gaining access to some corporate email accounts, including those of senior leadership team members and cybersecurity team employees.

The access to HPE’s systems, on the other hand, would date back to May 2023 and would have allowed the exfiltration of data from corporate email accounts belonging to individuals in certain segments, including cybersecurity, go-to-market, and other business units. Analysts believe the incident is related to a previous HPE breach.

The Redmond giant has identified other victims, whose names have not been disclosed, and more recently found evidence that the adversary is using information already exfiltrated from corporate e-mail systems to gain, or attempt to gain, additional unauthorized access.


Telsy and TS-WAY

TS-WAY is a company that develops technologies and services for medium and large-sized organizations, with cyber threat intelligence expertise that is unique in Italy. Founded in 2010, TS-WAY has been part of Telsy since 2023.

It operates as an effective extension of the client organization, supporting the in-house team in intelligence and investigation activities, cyber incident response, and systems security verification.

TS-WAY’s experience is internationally recognized and is corroborated by large private organizations in finance, insurance, defense, energy, telecommunications, transportation, technology, and by government and military organizations that have used the services of this Italian company over time.


TS-WAY’s Services and Solutions

With several vertical teams of security analysts and researchers with technical and investigative expertise, and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.

Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.

Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.


TS-Intelligence

TS-Intelligence is a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is delivered as a web-based platform with a full API, so it can be integrated into an organization’s defensive systems and infrastructure to strengthen protection against complex cyber threats.

Constant research and analysis on threat actors and emerging networked threats, both in APT and cybercrime, produces a continuous information flow of an exclusive nature that is made available to organizations in real-time and processed into technical, strategic, and executive reports.


Learn more about TS-WAY’s services.