Discover and read the best of Twitter Threads about #APT29

Most recent (11)


Hackers exploit #Solorigate supply-chain backdoor in #SolarWinds enterprise monitoring software to breach US Treasury, Commerce Department, other government agencies, and cybersecurity firm #FireEye.


#infosec #cybersecurity #sysadmin
Citing unnamed sources, media said the latest cyberattacks against #FireEye and U.S. government agencies were the work of Russian state-sponsored #APT29 or Cozy Bear #hacking group.
According to FireEye, attackers tampered with a #software update released by #SolarWinds, which eventually led to the compromise of numerous public and private organizations around the world with #SUNBURST backdoor.…

#infosecurity
Read 4 tweets
New: #Russia's #APT29, aka #CozyBear, is targeting US, #Canadian & #British organizations doing #COVID19 vaccine development, per the #UK’s @NCSC - findings supported by @CISAgov

Targets include "governmental, diplomatic, think-tank, healthcare and energy" organizations
Per #UK's @NCSC, #Russia's #APT29, or #CozyBear, is using custom malware - ‘WellMess’ & ‘WellMail’ - "with the intention of stealing information and intellectual property relating to the development and testing of #COVID19 vaccines"
Full assessment from #Britain's @NCSC on #Russia cyber actor #CozyBear looking to hack/steal intel on #COVID19 vaccine research here:…
Read 5 tweets
BREAKING: 🇷🇺Russian cyber spies are trying to steal research into #coronavirus vaccines & treatments from 🇬🇧UK, 🇺🇸US & 🇨🇦Canada, the 3 countries claim.
The attack is ongoing, with British cyber experts working to defend research institutes, labs & other targets in the UK, @NCSC says
The UK's @NCSC (which is leading this charge) accused a group called #APT29 - aka “the Dukes”/“Cozy Bear” - of the attacks & said it “almost certainly operates as part of Russian intelligence services”
The NCSC said its assessment is supported by its US + Canadian counterparts
Paul Chichester, @NCSC ops director, says: “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic... We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”
Read 5 tweets
OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2:…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
Read 9 tweets
Next we discussed email. #APT29 consistently stole email throughout the intrusion. In addition to stealing mail from VIPs, they targeted the IR team to monitor the investigation. This made for some interesting opportunities for counter-intel (e.g. OOO msg during remediation) 41/n
#APT29 used a PowerShell script to dump mail through Exchange Web Services (EWS). Their script provided options to select inbox/sent/trash and date range. We were able to reconstruct their activity, based on output captured in PowerShell logs (once PS logs were enabled). 42/n
Read 4 tweets
Next on the show we talked #APT29's early adoption of cross-platform scripting language backdoors. Their primary backdoor in 2014's #NoEasyBreach was the Python-based implant we call SEADADDY.

Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.

Read 6 tweets
OVERRULED: Here's our take on outmaneuvering a potentially destructive adversary…
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥

Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
If you liked this part about our threat similarity engine, I have a confession: that is CYBER #machinelearning!

Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.

Learn more here 📺: (it's not officially called APTinder)
If you like Operational Timelines, #AdversaryPursuit has you covered. We're including them in blogs because it's how we operate & it improves #threatintel sharing. Thx @QW5kcmV3

🖼️ #1: Suspected #APT33 ⏲️…
🖼️ #2: Suspected #APT29 ⏲️…
Read 4 tweets
Researchers attributed the Nov 14 attack on U.S. think tanks, non-profits, public sector to #APT29 or #CozyBear, which overlaps with the group we call #YTTRIUM. We don’t believe that there’s enough evidence for this attribution. Here’s our analysis:
The attack used spear-phishing emails that mimicked OneDrive notifications and impersonated individuals from the US Department of State. If recipients clicked a link in the emails, they began an exploitation chain that gave attackers remote access.…
The attack appeared to target organizations involved with policy formulation and politics, or that have some influence in that area. Although targets are distributed across the globe, the majority are in the United States, particularly in and around Washington, D.C.…
Read 3 tweets
Remediation strategy in #DFIR is always a fun topic - with many opinions & not always a clear rule book to follow. It's like the English language: for every rule there are 5 exceptions. My views have evolved over time - from a combo of experience & as monitoring tools have improved
If you catch the attacker early in the attack lifecycle - this one is pretty easy. Take action immediately before they get a strong foothold. Very few exceptions to this rule. Tipoffs that you are early in the attack lifecycle: malware owned by the primary user of the system, or malware in the startup folder
Opposite end of the spectrum - if the attacker has been there for months/years - it will take at the very (and I mean very) least a few days to get a bare minimum handle on infected systems & how they are accessing the environment. The bigger challenge is the client's ability to take "big" remediation steps
Read 8 tweets
Some observations about Russian #APT29, after dealing with them for years (my views, not my employer's):
#APT29 has used generic phishing emails, like "efax notification". They work on gullible users and hinder identification as a targeted attack.
#APT29 uses at least 3 types of backdoors: phishing, operational, persistence.
Read 13 tweets