Discover and read the best of Twitter Threads about #apt29

Most recents (16)

Shortly after Russia invaded Ukraine, @h_munzinger got in touch with a source. Over the span of several weeks, Hannes got hold of more than 5000 pages of documents. This secret trove forms the basis of the investigation we’re releasing today #VulkanFiles…
This is a fascinating (and rare!) look into the ambitions of the Russian state. This rather small company of about 135 people was working for the #GRU, the #SVR and the #FSB.…
I will highlight some of the takeaways in the coming hours and days but we have spent many months verifying the details contained within the documents, together with many partners, among others the @guardian…
Read 8 tweets
Vor einem Jahr bin ich mit einer Quelle ins Gespräch gekommen, die hunderte geheime Dokumente schickte. E-Mails, Tabellen, Verträge, vor allem aber: Beschreibungen von Systemen, die für die russischen Geheimdienste entwickelt werden. Wir nennen sie #VulkanFiles Image
Die Quelle schrieb: "Die GRU und der FSB verstecken sich hinter dieser Firma". Und tatsächlich finden wir in den #VulkanFiles spuren zu den russischen Geheimdiensten, sorgar noch zu einem dritten, dem SVR. Und zum Militär.
Die #VulkanFiles sind interne Daten der IT-Firma "NTC Vulkan". Auf den ersten Blick ein harmloser IT-Dienstleister. In Wirklichkeit bauen sie Werkzeuge für die digitale Kriegsführung. Und für die berüchtigten Hacker von "Sandworm", die seit Jahren die Ukraine ins Visier nehmen
Read 7 tweets
Paul Manafort was working with Russia's GRU and the SVR on the Barker Plan and the Mariupol Plan.

Russian collusion, @DonaldJTrumpJr.
What was William Barr of Kirkland & Ellis doing in London for Oleg Deripaska?

Russian collusion.
What was William Barr of Kirkland & Ellis doing in London for Oleg Deripaska?

Russian collusion.
Read 40 tweets
Attendees to the Trump Tower meeting included Donald Trump Jr., Natalia Veselnitskaya (SVR), Rinat Akhmetshin (GRU), Anatoli Samochornov, Ike Kaveladze (Crocus), Paul Manafort, Jared Kushner & Rob Goldstone (Emin Agalarov's Proxy).

Russia's GRU & SVR were helping Paul Manafort.
Russia's SVR was helping Paul Manafort on The Barker Plan.

Evgeny Fokin.

#UnitedWithUkraine #StandWithUkraine
Russia's GRU was helping Paul Manafort on The Mariupol Plan.

Konstantin Kilimnik.

#UnitedWithUkraine #StandWithUkraine
Read 21 tweets
Paul Manafort & David Vitter were both working on behalf of Russian organized crime.

Mercury Public Affairs and The Barker Plan.

It is a Conspiracy to Defraud the United States.
Paul Manafort & David Vitter were both working on behalf of Russian organized crime.

Mercury Public Affairs and The Barker Plan.

It is a Conspiracy to Defraud the United States.

What was William Barr doing in London and did it involve The Barker Plan?
Paul Manafort & David Vitter were both working on behalf of Russian organized crime.

Mercury Public Affairs and The Barker Plan.

It is a Conspiracy to Defraud the United States.

Read 44 tweets

Hackers exploit #Solorigate supply-chain backdoor in #SolarWinds enterprise monitoring software to breach US Treasury, Commerce Department, other government agencies, and cybersecurity firm #FireEye.


#infosec #cybersecurity #sysadmin
Citing unnamed sources, media said the latest cyberattacks against #FireEye and U.S. government agencies were the work of Russian state-sponsored #APT29 or Cozy Bear #hacking group.
According to FireEye, attackers tampered with a #software update released by #SolarWinds, which eventually led to the compromise of numerous public and private organizations around the world with #SUNBURST backdoor.…

#infosecurity Image
Read 4 tweets
New: #Russia's #APT29, aka #CozyBear, is targeting US, #Canadian #British organizations doing #COVID19 vaccine development, per #UK’s @NCSC - findings supported by @CISAgov

Targets include "governmental, diplomatic, think-tank, healthcare and energy" organizations
Per #UK's @NCSC, #Russia's #APT29, or #CozyBear, is using custom malware - ‘WellMess’ & ‘WellMail’ - "with the intention of stealing information and intellectual property relating to the development and testing of #COVID19 vaccines"
Full assessment from #Britain's @NCSC on #Russia cyber actor #CozyBear looking to hack/steal intel on #COVID19 vaccine research here:…
Read 5 tweets
BREAKING: 🇷🇺Russian cyber spies are trying to steal research into #coronavirus vaccines & treatments from 🇬🇧UK, 🇺🇸US & 🇨🇦Canada, the 3 countries claim.
The attack is ongoing, with British cyber experts working to defend research institutes, labs & other targets in UK @NCSC says
The UK's @NCSC (which is leading this charge) accused a group called #APT29 - aka "the Dukes”/“Cozy Bear” - for the attacks & said it “almost certainly operates as part of Russian intelligence services”
The NCSC said its assessment is supported by its US + Canadian counterparts
Paul Chichester, @NCSC ops director, says: “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic... We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”
Read 5 tweets
OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2:…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
Read 9 tweets
@ItsReallyNick @cglyer @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 @salesforce Next we discussed email. #APT29 consistently stole email throughout the intrusion. In addition to stealing mail from VIPs, they targeted the IR team to monitor the investigation. This made for some interesting opportunities for counter-intel (e.g. OOO msg during remediation) 41/n
@ItsReallyNick @cglyer @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 @salesforce #APT29 used a PowerShell script to dump mail through Exchange Web Services (EWS). Their script provided options to select inbox/sent/trash and date range. We were able to reconstruct their activity, based on output captured in PowerShell logs (once PS logs were enabled). 42/n
Read 4 tweets
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec Next on the show we talked #APT29's early adoption of cross-platform scripting language backdoors. Their primary backdoor in 2014's #NoEasyBreach was the Python-based implant we call SEADADDY.

Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.

Read 6 tweets
OVERRULED: Here's our take on outmaneuvering a potentially destructive adversary…
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥

Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
If you liked this part about our threat similarity engine; I have a confession: that is CYBER #machinelearning!

Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.

Learn more here 📺: (it's not officially called APTinder)
If you like Operational Timelines, #AdversaryPursuit has you covered. We're including them in blogs because it's how we operate & it improves #threatintel sharing. Thx @QW5kcmV3

🖼️ #1: Suspected #APT33 ⏲️…
🖼️ #2: Suspected #APT29 ⏲️…
Read 4 tweets
Researchers attributed the Nov 14 attack on U.S. think tanks, non-profits, public sector to #APT29 or #CozyBear, which overlaps with the group we call #YTTRIUM. We don’t believe that there’s enough evidence for this attribution. Here’s our analysis:
The attack used spear-phishing emails that mimicked OneDrive notifications and impersonated individuals from the US Department of State. If recipients clicked a link on the emails, they began an exploitation chain that gave attackers remote access.… Image
The attack appeared to target organizations involved with policy formulation and politics or have some influence in that area. Although targets are distributed across the globe, majority are in the United States, particularly in and around Washington, D.C.… Image
Read 3 tweets
Remediation strategy in #DFIR is always a fun topic - with many opinions & not always a clear rule book to follow. It's like the English language for every rule there are 5 exceptions. My views have evolved over time - from combo of experience & as monitoring tools have improved
If you catch attacker early in attack lifecycle - this one is pretty easy. Take action immediately before they get a strong foothold. Very few exceptions to this rule. Tipoffs you are early in attack lifecycle. Malware owned by primary user of system or malware in startup folder
Opposite end of spectrum - if attacker has been there for months/years - it will take at the very (and I mean very) least a few days to get bare minimum handle on infected systems & how accessing the environment. Bigger challenge is client ability to take "big" remediation steps
Read 8 tweets
Some observations about Russian #APT29, after dealing with them for years (my views, not my employer's):
#APT29 has used generic phishing emails, like "efax notification". They work on gullible users and hinder identification as targeted attack.
#APT29 uses at least 3 types of backdoors: phishing, operational, persistence.
Read 13 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!