Profile picture
Matthew Dunwoody @matthewdunwoody
, 13 tweets, 4 min read Read on Twitter
Some observations about Russian #APT29, after dealing with them for years (my views, not my employer's):
#APT29 has used generic phishing emails, like "efax notification". They work on gullible users and hinder identification as targeted attack.
#APT29 uses at least 3 types of backdoors: phishing, operational, persistence.
#APT29 abandons their phishing backdoor as soon as they pivot off patient zero, in favor of their operational tools.
#APT29 deploys stealthy persistence backdoors on systems with no other activity, and ignores them unless needed.
#APT29 uses a phishing backdoor so that when defenders identify the backdoor/email, they will miss the other backdoors and declare victory.
#APT29 phishing attacks are often designed to reside in roaming profiles, in order to persist in VDI environments.
#APT29 sometimes uses misdirection for opsec. They're brazen in some of their activity to hide more discreet actions.
#APT29 appears to use multiple teams for intrusion. B team establishes initial access and persistence. A team completes mission.
#APT29 may phish their primary targets directly, rather than phishing colleagues and moving to target, to ensure access to data.
#APT29 has rotated, changed and combined TTPs during incidents to determine how they are being detected and to confuse defenders.
#APT29 actively monitors the security and IT organizations of victims to track detection and response efforts.
I suspect that #APT29 uses large-scale phishing campaigns to hide their true targets (more distraction-based opsec)
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Matthew Dunwoody
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#APT29

More from @matthewdunwoody see all

Profile picture
In my experience, once an attacker is tipped off to a response, a few things can happen. What happens likely depends on where they are in their mission, mission priority, tolerance for being publicly identified, etc. It also likely depends on how badly they think they're burned.
A victim identifying a phishing doc or phishing backdoor doesn't necessarily mean the op is blown. In fact, it may give the victim a false confidence if they found the initial infection but didn't follow lateral movement. Same if an attacker loses a couple of implants out of many
However, trying to remove large numbers of implants and missing some, CURLing all of their C2 from your network, uploading several post-exploit backdoor samples to VT, discussing the intrusion in email, etc. - those are things that are more likely to elicit a response.
Read 9 tweets

Related threads

Profile picture
Unpopular opinion of the day: #phishing awareness campaigns and teaching your users to stay frosty is a close to useless endeavour. A waste of resources. Read on to see my point (1/n) /cc @troyhunt @randomdross @sirdarckcat
I know anti-phishing is a business that feeds a lot of people but the way this war is fought today just seems off to me.
First, I differentiate targeted phishing campaigns (usually APTs) from massive or moderately massive phishing. I don't think I need to point out why you can't fight the former with awareness.
Read 27 tweets
Profile picture
🔥@GOP operative Peter Smith raised >$100,000 to pay #Russian🇷🇺hackers to find Clinton’s emails. 10 days after telling his story to the @WSJ, he committed suicide, yet a friend spoke w/him about a new project hours before his death & says he was “excited.”
wsj.com/articles/gop-o…
Smith continued his quest for HRC’s emails *after* the US warned of #Russian🇷🇺interference & went to extraordinary lengths to ensure secrecy, communicating via saved DRAFT (unsent) emails in a shared Gmail account.🤨
🔥One sent email said the >$100k in donations were to be sent to a DC-based scholarship fund for **Russian students**👉🏼“This $100k total with the $50k received from you (Smith) will allow us to fund the Washington Scholarship Fund for the Russian students for the promised $150K.”
Read 6 tweets
Profile picture
#Russian🇷🇺diplomats held secret talks in London last year and plotted to smuggle Julian Assange out of #Ecuador’s London embassy in a diplomatic vehicle and transport him to #Russia.

But WikiLeaks isn’t a cutout for Russian intelligence or anything.🙄

theguardian.com/world/2018/sep…
Fidel Narváez (close Assange confidant) recently was Ecuador’s London consul & served as a point of contact w/#Russia🇷🇺.

Narváez previously tried to help Edward Snowden👉🏼travelled to Moscow & gave Snowden a “safe-conduct“ document.🙄

#SHOCKER
#TrumpRussia
Four separate sources said the Kremlin was willing to offer support for Assange’s escape plot – including allowing Assange to travel to #Russia🇷🇺and live there.

So NOT shocking.🙄

Read 3 tweets
Profile picture
#OBSERVATIONS: A few thoughts in reflecting on the Trump legal team letter that argues the President is above the law.

1. TRUMP'S LAWYERS BASICALLY CONCEDE HE OBSTRUCTED JUSTICE.

They aren't saying he didn't obstruct. They're saying because he's the President, it's not a crime.
2. TRUMP'S TEAM LEAKED THE LETTER, DESPITE TRUMP ACCUSING MUELLER'S TEAM OF THE LEAK.

Trump tweeted this week that he doesn’t have time to focus on the Russia investigation b/c he's so busy president-ing...

WHICH IS THE SAME ARGUMENT MADE IN THE LETTER.

Here's Trump accusing Mueller's team of leaking...

We know the Special Counsel doesn't leak.

It's NOT A COINCIDENCE that the claims in the letter mirror Trump's tweets this week. Once again, just like the #49Questions by Sekulow, it's from Trump's side.
Read 7 tweets
Profile picture
💣BOOM💣

THREAD: the FBI warned Hope Hicks earlier this year about repeated attempts by #Russian🇷🇺operatives to make contact with her during the presidential transition‼️1/

nytimes.com/2017/12/08/us/…
After Trump took office, FBI CI agents met w/Hicks in the Situation Room at least twice, gave her the names of the #Russians who had contacted her, and said that they were not who they claimed to be.🙄 2/
The FBI was concerned that the emails to Hicks was part of a #Russian🇷🇺intelligence op, and urged Ms. Hicks to be cautious.🤨 3/
Read 12 tweets
Profile picture
#Russian🇷🇺from Internet Research Agency troll farm👉🏼forced to watch ‘House of Cards’ to understand US politics‼️😳

yahoo.com/news/russian-t…
#Russian🇷🇺was troll in 2015 & posted comments on NYTimes & WaPo articles👉🏼told to emphasize the Clintons’ past “corruption scandals.” 🤔2/
English-speaking #Russian🇷🇺trolls "had goal to set up the Americans against their own government to cause unrest, cause discontent." 😳3/
Read 7 tweets

Trending hashtags

#MuellerTime #Russian #Russia #socialmedia #kompromat #sanctions #indictments #felony #FARA #GOP #RELATED #TrumpRussia #Ecuador #Russians #OSINT #TrumpRussiaMAtrix #Cyprus #Latakia #security #conspiracy #Busted #phishing #ImpeachTrump #Collusion #scam

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!