APT29 (Advanced Persistent Threat 29) is a hacking group that operates out of Russia. It is also tracked under the aliases Cozy Bear, CozyDuke, the Dukes, and Office Monkeys. Researchers have traced the group's tooling back to at least 2008 and the MiniDuke malware family, and it has continuously improved its arsenal, attack techniques, and infrastructure ever since. APT29 goes after high-value targets all over the world; its most recently reported campaign targeted COVID-19 vaccine research data held by medical institutions in several countries.
Many cybersecurity researchers, and several Western governments, link APT29 to Russian intelligence services, in particular the Foreign Intelligence Service (SVR) or the Federal Security Service (FSB).
Tool Kit and Notable Attacks
Regardless of the target, APT29 intrusions typically unfold in two stages: a dropper, often delivered by spear-phishing, that lands on the victim machine and installs the second stage, and a backdoor Trojan that gives the operators persistent remote access. The backdoor beacons to a Command-and-Control (C&C) server, through which the operators pull data off the host and push down additional tools, so the damage done depends on what the targeted organization holds. The toolkit is regularly updated and tweaked to evade antivirus detection.
APT29 is a well-known group because its attacks on high-profile organizations worldwide regularly make headlines: government agencies, military organizations, diplomatic missions, telecommunication companies, and various commercial entities. Here are some of the most notable attacks APT29 has allegedly been involved in:
- The 2014 email campaigns that aimed to plant the CozyDuke and MiniDuke malware in research institutes and state agencies in the U.S.
- The 2015 Cozy Bear spear-phishing attack that took the Pentagon's unclassified Joint Staff email system offline for roughly two weeks.
- The Cozy Bear attack against the Democratic National Committee prior to the 2016 Presidential Election in the United States, as well as a series of intrusions into US-based NGOs and think tanks.
- The January 2017 spear-phishing attack on the Norwegian government, which affected the country's Labour Party, the Ministry of Defence, and the Ministry of Foreign Affairs.
- The 2019 Operation Ghost campaign, which introduced the newly crafted PolyglotDuke, RegDuke, and FatDuke malware families.
Still Going Strong Twelve Years Later
APT29 continued to go after high-profile targets in 2020. In July 2020, a joint advisory from the UK National Cyber Security Centre (NCSC) and its Canadian and US partners reported that the group had targeted organizations involved in COVID-19 research in the United States, Canada, and the United Kingdom, specifically institutions working on a vaccine and on effective treatments. The advisory describes the intrusion chain: APT29 scans the institutions' public IP ranges for externally facing services, then exploits publicly known vulnerabilities for which patches were already available, including CVE-2019-19781 (Citrix ADC), CVE-2019-11510 (Pulse Secure VPN), CVE-2018-13379 (FortiGate SSL VPN), and CVE-2019-9670 (Zimbra). Once inside a network, the group deploys the WellMess or WellMail malware.
The targeted institutions have said little about the incidents, but the likely objective is intellectual property and intelligence related to COVID-19 research, such as vaccine candidates and treatments, rather than patient records. The tools used are general-purpose: WellMess and WellMail let the operators run commands on the compromised host, upload and download files, and stage additional tools on the infected system.
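The reconnaissance step described above, external scanning of an organisation's address space, is the part of the chain a defender can see in perimeter logs. The following is an added Python example, not APT29 tooling and not code from the original article: a sliding-window scan detector run over constructed firewall log lines. The log format (`timestamp action src dst:port`), the addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions made for the illustration.

```python
"""Flag sources that sweep an address range, from firewall log lines.

Added example: a sliding-window scan detector. The log format, the
addresses (RFC 5737 documentation ranges) and the thresholds are all
constructed for illustration and are not taken from any real incident.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "timestamp action src dst:dport".
# 203.0.113.7 sweeps ten hosts on 443 (plus two extra ports) in 13 seconds;
# 192.0.2.50 repeatedly hits one service (benign); 203.0.113.99 probes one
# host every two minutes, the kind of slow scan a short window will miss.
SAMPLE_LOG = """
2020-07-16T09:00:01Z DENY  203.0.113.7 198.51.100.10:22
2020-07-16T09:00:01Z ALLOW 203.0.113.7 198.51.100.10:443
2020-07-16T09:00:02Z DENY  203.0.113.7 198.51.100.10:8443
2020-07-16T09:00:03Z ALLOW 203.0.113.7 198.51.100.11:443
2020-07-16T09:00:04Z ALLOW 203.0.113.7 198.51.100.12:443
2020-07-16T09:00:05Z DENY  203.0.113.7 198.51.100.13:443
2020-07-16T09:00:06Z ALLOW 203.0.113.7 198.51.100.14:443
2020-07-16T09:00:08Z ALLOW 203.0.113.7 198.51.100.15:443
2020-07-16T09:00:09Z DENY  203.0.113.7 198.51.100.16:443
2020-07-16T09:00:11Z ALLOW 203.0.113.7 198.51.100.17:443
2020-07-16T09:00:12Z ALLOW 203.0.113.7 198.51.100.18:443
2020-07-16T09:00:14Z DENY  203.0.113.7 198.51.100.19:443
2020-07-16T09:00:10Z ALLOW 192.0.2.50 198.51.100.12:443
2020-07-16T09:01:10Z ALLOW 192.0.2.50 198.51.100.12:443
2020-07-16T09:02:10Z ALLOW 192.0.2.50 198.51.100.12:443
2020-07-16T09:03:10Z ALLOW 192.0.2.50 198.51.100.12:443
2020-07-16T09:00:00Z DENY  203.0.113.99 198.51.100.20:22
2020-07-16T09:02:00Z DENY  203.0.113.99 198.51.100.21:22
2020-07-16T09:04:00Z DENY  203.0.113.99 198.51.100.22:22
2020-07-16T09:06:00Z DENY  203.0.113.99 198.51.100.23:22
2020-07-16T09:08:00Z DENY  203.0.113.99 198.51.100.24:22
"""

# Assumed line shape; adapt this regex to your firewall's real export format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, src, dst, dport) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # a production parser should count unparsed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def find_scanners(events, window_seconds=60, min_targets=8):
    """Return {src: summary} for every source that touches at least
    min_targets distinct (dst, dport) pairs inside one sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))
    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()  # per-source chronological order; log may be interleaved
        in_window = Counter()  # (dst, dport) -> hits inside the current window
        best = None
        lo = 0
        for ts, dst, dport in evs:
            in_window[(dst, dport)] += 1
            # Slide the left edge until the window is at most window_seconds wide.
            while ts - evs[lo][0] > window:
                old = (evs[lo][1], evs[lo][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if best is None or len(in_window) > best["targets"]:
                best = {
                    "targets": len(in_window),
                    "hosts": len({d for d, _ in in_window}),
                    "ports": sorted({p for _, p in in_window}),
                    "first": evs[lo][0],
                    "last": ts,
                }
        if best and best["targets"] >= min_targets:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['hosts']} hosts, ports {info['ports']}, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
```

With the defaults only 203.0.113.7 is reported; the slow prober 203.0.113.99 stays under the threshold because no 60-second window ever contains more than one of its probes. Widening the window (for example `find_scanners(events, window_seconds=900, min_targets=5)`) catches it, at the cost of more false positives from legitimate multi-service clients, which is the usual trade-off when tuning this kind of rule.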
Beware of New APT29-Related Scams
Many cybercriminals have used the COVID-19 pandemic as a lure for low-level scams and commodity malware. The APT29 case is different: the governments that attributed the vaccine-research intrusions assess it to be a Russian intelligence-gathering operation, not financially motivated crime.
Medical institutions need to be especially wary of cyber attacks, as they have been in the eye of the storm throughout 2020. The vulnerabilities exploited in these intrusions all had patches available, so the basics matter most: keep software on internet-facing systems up to date, apply firmware patches to VPN and other edge appliances promptly, use strong, unique credentials with multi-factor authentication for remote access, and run a reputable, modern anti-virus or endpoint detection suite.