Discover and read the best of Twitter Threads about #APT29
Most recents (16)
Shortly after Russia invaded Ukraine, @h_munzinger got in touch with a source. Over the span of several weeks, Hannes got hold of more than 5000 pages of documents. This secret trove forms the basis of the investigation we’re releasing today #VulkanFiles
spiegel.de/politik/deutsc…
spiegel.de/politik/deutsc…
This is a fascinating (and rare!) look into the ambitions of the Russian state. This rather small company of about 135 people was working for the #GRU, the #SVR and the #FSB.
washingtonpost.com/national-secur…
washingtonpost.com/national-secur…
I will highlight some of the takeaways in the coming hours and days but we have spent many months verifying the details contained within the documents, together with many partners, among others the @guardian
theguardian.com/technology/202…
theguardian.com/technology/202…
Vor einem Jahr bin ich mit einer Quelle ins Gespräch gekommen, die hunderte geheime Dokumente schickte. E-Mails, Tabellen, Verträge, vor allem aber: Beschreibungen von Systemen, die für die russischen Geheimdienste entwickelt werden. Wir nennen sie #VulkanFiles
Die Quelle schrieb: "Die GRU und der FSB verstecken sich hinter dieser Firma". Und tatsächlich finden wir in den #VulkanFiles spuren zu den russischen Geheimdiensten, sorgar noch zu einem dritten, dem SVR. Und zum Militär.
Die #VulkanFiles sind interne Daten der IT-Firma "NTC Vulkan". Auf den ersten Blick ein harmloser IT-Dienstleister. In Wirklichkeit bauen sie Werkzeuge für die digitale Kriegsführung. Und für die berüchtigten Hacker von "Sandworm", die seit Jahren die Ukraine ins Visier nehmen
Paul Manafort was working with Russia's GRU and the SVR on the Barker Plan and the Mariupol Plan.
Russian collusion, @DonaldJTrumpJr.
Russian collusion, @DonaldJTrumpJr.
What was William Barr of Kirkland & Ellis doing in London for Oleg Deripaska?
Russian collusion.
Russian collusion.
What was William Barr of Kirkland & Ellis doing in London for Oleg Deripaska?
Russian collusion.
Russian collusion.
Attendees to the Trump Tower meeting included Donald Trump Jr., Natalia Veselnitskaya (SVR), Rinat Akhmetshin (GRU), Anatoli Samochornov, Ike Kaveladze (Crocus), Paul Manafort, Jared Kushner & Rob Goldstone (Emin Agalarov's Proxy).
Russia's GRU & SVR were helping Paul Manafort.
Russia's GRU & SVR were helping Paul Manafort.
Russia's SVR was helping Paul Manafort on The Barker Plan.
Evgeny Fokin.
#UnitedWithUkraine #StandWithUkraine
Evgeny Fokin.
#UnitedWithUkraine #StandWithUkraine
Russia's GRU was helping Paul Manafort on The Mariupol Plan.
Konstantin Kilimnik.
#UnitedWithUkraine #StandWithUkraine
Konstantin Kilimnik.
#UnitedWithUkraine #StandWithUkraine
Paul Manafort & David Vitter were both working on behalf of Russian organized crime.
Mercury Public Affairs and The Barker Plan.
It is a Conspiracy to Defraud the United States.
Mercury Public Affairs and The Barker Plan.
It is a Conspiracy to Defraud the United States.
Paul Manafort & David Vitter were both working on behalf of Russian organized crime.
Mercury Public Affairs and The Barker Plan.
It is a Conspiracy to Defraud the United States.
What was William Barr doing in London and did it involve The Barker Plan?
Mercury Public Affairs and The Barker Plan.
It is a Conspiracy to Defraud the United States.
What was William Barr doing in London and did it involve The Barker Plan?
Paul Manafort & David Vitter were both working on behalf of Russian organized crime.
Mercury Public Affairs and The Barker Plan.
It is a Conspiracy to Defraud the United States.
#ArrestBarrNow
Mercury Public Affairs and The Barker Plan.
It is a Conspiracy to Defraud the United States.
#ArrestBarrNow
⚠️URGENT⚠️
Hackers exploit #Solorigate supply-chain backdoor in #SolarWinds enterprise monitoring software to breach US Treasury, Commerce Department, other government agencies, and cybersecurity firm #FireEye.
Details: thehackernews.com/2020/12/us-age…
#infosec #cybersecurity #sysadmin
Hackers exploit #Solorigate supply-chain backdoor in #SolarWinds enterprise monitoring software to breach US Treasury, Commerce Department, other government agencies, and cybersecurity firm #FireEye.
Details: thehackernews.com/2020/12/us-age…
#infosec #cybersecurity #sysadmin
Citing unnamed sources, media said the latest cyberattacks against #FireEye and U.S. government agencies were the work of Russian state-sponsored #APT29 or Cozy Bear #hacking group.
According to FireEye, attackers tampered with a #software update released by #SolarWinds, which eventually led to the compromise of numerous public and private organizations around the world with #SUNBURST backdoor.
thehackernews.com/2020/12/us-age…
#infosecurity
thehackernews.com/2020/12/us-age…
#infosecurity
New: #Russia's #APT29, aka #CozyBear, is targeting US, #Canadian #British organizations doing #COVID19 vaccine development, per #UK’s @NCSC - findings supported by @CISAgov
Targets include "governmental, diplomatic, think-tank, healthcare and energy" organizations
Targets include "governmental, diplomatic, think-tank, healthcare and energy" organizations
BREAKING: 🇷🇺Russian cyber spies are trying to steal research into #coronavirus vaccines & treatments from 🇬🇧UK, 🇺🇸US & 🇨🇦Canada, the 3 countries claim.
The attack is ongoing, with British cyber experts working to defend research institutes, labs & other targets in UK @NCSC says
The attack is ongoing, with British cyber experts working to defend research institutes, labs & other targets in UK @NCSC says
The UK's @NCSC (which is leading this charge) accused a group called #APT29 - aka "the Dukes”/“Cozy Bear” - for the attacks & said it “almost certainly operates as part of Russian intelligence services”
The NCSC said its assessment is supported by its US + Canadian counterparts
The NCSC said its assessment is supported by its US + Canadian counterparts
Paul Chichester, @NCSC ops director, says: “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic... We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”
OK so this is my last week at @Mandiant / @FireEye 😢
Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day
1/8
Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day
1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-re…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
@ItsReallyNick @cglyer @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 @salesforce Next we discussed email. #APT29 consistently stole email throughout the intrusion. In addition to stealing mail from VIPs, they targeted the IR team to monitor the investigation. This made for some interesting opportunities for counter-intel (e.g. OOO msg during remediation) 41/n
@ItsReallyNick @cglyer @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 @salesforce #APT29 used a PowerShell script to dump mail through Exchange Web Services (EWS). Their script provided options to select inbox/sent/trash and date range. We were able to reconstruct their activity, based on output captured in PowerShell logs (once PS logs were enabled). 42/n
@ItsReallyNick @cglyer @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 @salesforce The script used legit Microsoft.Exchange.WebServices.dll to interact with EWS. We documented this, along with various other email theft methodologies we've seen #APT29 use, in MTrends 2017: bit.ly/2n5YOP7
43/n
43/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec Next on the show we talked #APT29's early adoption of cross-platform scripting language backdoors. Their primary backdoor in 2014's #NoEasyBreach was the Python-based implant we call SEADADDY.
Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.
35/n
Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.
35/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec We're finally seeing cross-platform script backdoors as a much wider trend. (Payloads in Go, D, etc). We highlighted this in our 2019 predictions:
For Python fans specifically, @byt3bl33d3r released #SilentTrinity last year: github.com/byt3bl33d3r/SI…
36/n
For Python fans specifically, @byt3bl33d3r released #SilentTrinity last year: github.com/byt3bl33d3r/SI…
36/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r The Python-based SEADADDY (SeaDuke) implant became APT29's workhorse for years, but we agree with @FSecure/@lehtior2's awesome 2015 deepdive on "The Dukes" that it emerged in mid-2014. READ: labsblog.f-secure.com/2015/09/17/the…
37/n
37/n
OVERRULED: Here's our take on outmaneuvering a potentially destructive adversary fireeye.com/blog/threat-re…
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥
Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥
Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
If you liked this part about our threat similarity engine; I have a confession: that is CYBER #machinelearning!
Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.
Learn more here 📺: (it's not officially called APTinder)
Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.
Learn more here 📺: (it's not officially called APTinder)
If you like Operational Timelines, #AdversaryPursuit has you covered. We're including them in blogs because it's how we operate & it improves #threatintel sharing. Thx @QW5kcmV3
🖼️ #1: Suspected #APT33 ⏲️ fireeye.com/blog/threat-re…
🖼️ #2: Suspected #APT29 ⏲️ fireeye.com/blog/threat-re…
🖼️ #1: Suspected #APT33 ⏲️ fireeye.com/blog/threat-re…
🖼️ #2: Suspected #APT29 ⏲️ fireeye.com/blog/threat-re…
Researchers attributed the Nov 14 attack on U.S. think tanks, non-profits, public sector to #APT29 or #CozyBear, which overlaps with the group we call #YTTRIUM. We don’t believe that there’s enough evidence for this attribution. Here’s our analysis: msft.social/fTgUCI
The attack used spear-phishing emails that mimicked OneDrive notifications and impersonated individuals from the US Department of State. If recipients clicked a link on the emails, they began an exploitation chain that gave attackers remote access. cloudblogs.microsoft.com/microsoftsecur…
The attack appeared to target organizations involved with policy formulation and politics or have some influence in that area. Although targets are distributed across the globe, majority are in the United States, particularly in and around Washington, D.C. cloudblogs.microsoft.com/microsoftsecur…
Remediation strategy in #DFIR is always a fun topic - with many opinions & not always a clear rule book to follow. It's like the English language for every rule there are 5 exceptions. My views have evolved over time - from combo of experience & as monitoring tools have improved
If you catch attacker early in attack lifecycle - this one is pretty easy. Take action immediately before they get a strong foothold. Very few exceptions to this rule. Tipoffs you are early in attack lifecycle. Malware owned by primary user of system or malware in startup folder
Opposite end of spectrum - if attacker has been there for months/years - it will take at the very (and I mean very) least a few days to get bare minimum handle on infected systems & how accessing the environment. Bigger challenge is client ability to take "big" remediation steps
Some observations about Russian #APT29, after dealing with them for years (my views, not my employer's):
#APT29 has used generic phishing emails, like "efax notification". They work on gullible users and hinder identification as targeted attack.
#APT29 uses at least 3 types of backdoors: phishing, operational, persistence.
