The threat group APT29, also known as Cozy Bear, is well-known for its alleged infiltration of the U.S. Democratic National Committee during the 2016 presidential election cycle, but that is only the tip of the iceberg of what this group has been up to. There have been stretches of time when the group appeared to reduce its activity, yet it remains particularly relevant. Naturally, part of this is due to the upcoming 2020 election. But research has also shown that even during those quiet periods the group continued its cyberespionage operations and evolved the malware it uses to carry them out.
APT29 is known for using at least 23 different techniques documented in MITRE ATT&CK including many associated with Defense Evasion, so this is a great group to learn about in terms of sophistication and trying to prolong their access by avoiding discovery.
APT29 also uses a wide range of software, including its own malware. Its own tooling includes CloudDuke, CosmicDuke, CozyCar, GeminiDuke, HAMMERTOSS and many other tools with "Duke" in the name, echoing one of the group's other aliases: CozyDuke.
This group's targets have reportedly included entities in the commercial and public sectors of Germany, Uzbekistan, South Korea and the US, among others. APT29 often begins with an elaborate phishing campaign against its target.
APT29 demonstrates the power of a group that likely has state-sponsored support behind it. During this real training for free event, Brian Coulson and Sally Vincent, members of LogRhythm Labs' threat research team, will do a deep-dive into this threat group, its activities, and how you can automate the detection and mitigation of threats either associated with the group or that use similar techniques.
Please join us for this real training for free session.