@ItsReallyNick @cglyer @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 @salesforce Next we discussed email. #APT29 consistently stole email throughout the intrusion. In addition to stealing mail from VIPs, they targeted the IR team to monitor the investigation. This made for some interesting opportunities for counter-intel (e.g. OOO msg during remediation) 41/n @ItsReallyNick @cglyer @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r @FSecure @lehtior2 @salesforce #APT29 used a PowerShell script to dump mail through Exchange Web Services (EWS). Their script provided options to select inbox/sent/trash and date range. We were able to reconstruct their activity, based on output captured in PowerShell logs (once PS logs were enabled). 42/n

In my experience, once an attacker is tipped off to a response, a few things can happen. What happens likely depends on where they are in their mission, mission priority, tolerance for being publicly identified, etc. It also likely depends on how badly they think they're burned.

https://twitter.com/da_667/status/1028130149219356672

A victim identifying a phishing doc or phishing backdoor doesn't necessarily mean the op is blown. In fact, it may give the victim a false confidence if they found the initial infection but didn't follow lateral movement. Same if an attacker loses a couple of implants out of many

Some observations about Russian #APT29, after dealing with them for years (my views, not my employer's): #APT29 has used generic phishing emails, like "efax notification". They work on gullible users and hinder identification as targeted attack.