Shifting Threat Intelligence Through the Lens of APT29

Kade Morton
Dec 30, 2020

Threat intelligence is sometimes seen as a mystic art but is rarely objectively tested. Tactical threat intelligence, atomic indicators of compromise (IoCs) like IP addresses and malware hashes, are shared around the defender community and the widely held belief is that this impedes adversaries such as advanced persistent threats (APTs).

This article will examine APT29 and the case will be made for a repeatable methodology more focused on strategic threat intelligence, tactics, techniques and procedures (TTPs), over IoCs. This write up is a cut down version of the talk given at ChCon 2020.

Disclaimers

The below research covers a time frame of 2008 to 2019, with a focus on 2013 to 2019. It was conducted before the SolarWinds breach (2020) became public, showing that new information about APT29 is continuing to surface. As this is the case, new information may come to light after publication, superseding what is written here. If in doubt, check the sources at the end of the article.

Just after the talk was presented in October 2020, MITRE ATT&CK came out with a large update, so some new areas of MITRE ATT&CK are not explored. However, the information presented is still actionable. For this write up, sub-TTPs are not referenced, but if you would like to look at the raw research the sub-TTPs are there.

The TTPs were mapped by a single analyst and there is some degree of interpretation with mapping TTPs. Another analyst might come up with a slightly different set of TTPs, but the overall picture should be the same.

Beliefs around threat intelligence

Any information related to an adversary that can be used to improve your security posture can be threat intelligence. There is a widely held belief around threat intelligence, that information can be disclosed to ‘burn’ APTs. The idea is that IoCs related to an APT, like the infrastructure or malware they use, are shared among the community. This is tactical threat intelligence as IoCs focus on low level adversary activities.

Sharing IoCs, such as IP addresses and malware hashes, enables updates to be made to defensive tools that in turn enable the detection of the APT. This, in theory, renders the group unable to operate until they retool.

To test this theory, information on an APT was gathered and analysed to see if after disclosures an APT is unable to operate. For the purpose of this research APT29 was chosen, but the methodology is applicable to any group. Only articles freely available in the public domain were used.

APT29 activity

APT29 has been around since at least November 2008 if you take compile dates of malware samples as evidence. Compile dates can be faked, so this is not conclusive proof, but November 2008 is the first known compile date of SeaDuke and PinchDuke, malware that is attributed to APT29. January 2009 is the first known compile date of GeminiDuke.

The fact that APT29 continued to develop new malware families before they were even in the public eye is noteworthy. They were not replacing malware that had been disclosed and therefore possibly burned, they just continued to tool up of their own accord. In April 2009 APT29 was seen targeting government entities and foreign policy think tanks, which suggests espionage as the group’s goal.

The first known compile dates of MiniDuke and CosmicDuke were in 2010, so at this stage the group is still creating new malware despite a lack of publicity. In the Northern Hemisphere spring of 2010 APT29 was seen targeting a number of government entities, and this is the last known compile date of PinchDuke. The group stopped deploying this malware, not in response to published research or disclosure, but for some other reason.

2011 was the first known compile date of CozyDuke, which was stylistically different from previous malware used by APT29. This is noteworthy as it points to the group using a software development lifecycle, creating new malware as needed and shelving old malware once it was obsolete.

February 2013 is the earliest compile date of OnionDuke. It’s at this point that three articles are published covering different aspects of MiniDuke. This is the first time the general public becomes aware of APT29’s activities. In the Northern Hemisphere summer of 2013 OnionDuke is seen being spread by Torrent files.

September 2013 is the earliest compile date of PolyglotDuke, and a separate campaign starts whereby APT29 targets individuals selling growth hormones within the country APT29 is believed to operate from. This shows a pivot away from pure espionage to a dual law enforcement and espionage mandate, and the group continues this dual function for roughly one year before reverting back to purely foreign targets.

In July 2014, two reports covering CosmicDuke are published, claiming that CosmicDuke is used to target government entities, energy and telecom operators, military organisations and military contractors. By the end of July CosmicDuke had been stripped back, possibly in response to the media coverage it had, but it was still being deployed. This is noteworthy as it shows that APT29 does not retire malware wholesale once information about that malware has entered the public domain. They may refine their malware to try and avoid detection, but they may keep deploying the same malware family.

October 2014 is the first and last known compile date of LiteDuke and an article on OnionDuke is published. The next month in November another paper on OnionDuke is published and OnionDuke isn’t seen again after this point. It’s possible that the malware had outlived its usefulness and updating it wasn’t worth the return on investment, but the group continued to operate. In January 2015 a high-volume spear phishing campaign was seen that was attributed to APT29. The phishing initially dropped CozyDuke and selected targets then had SeaDuke and HammerDuke deployed to their environments.

In July 2015, APT29 was seen targeting think tanks and NGOs through spearphishing with a new malware variant called CloudDuke. Two articles are published on CloudDuke that month, but in the same month APT29 send another wave of emails with CloudDuke. In multiple instances APT29 pushed ahead with attacks using tools that were effectively ‘burned’ due to information on the tools, and therefore how to detect them, being in the public domain.

Also in July 2015, APT29 entered the network of the Democratic National Committee (DNC) using SeaDuke. They remained there for roughly ten months, until in April 2016 APT28 also entered the DNC network. APT28 was far less stealthy than APT29 and drew attention to themselves.

The next month, in May, CrowdStrike were on-site performing incident response for the DNC. The month after that, in June 2016, the DNC breach was announced. Before SolarWinds, this was the most high-profile breach attributed to APT29. After this breach SeaDuke was never seen again, possibly because of the unprecedented level of media scrutiny on the breach. But again the group continued to operate.

In August 2016, just two months later, APT29 was seen launching a spearphishing wave against think tanks and NGOs using PowerDuke. September 2016 is the first known compile date of FatDuke, with more spearphishing following up in November 2016. Despite the headlines the group kept laying the groundwork for operations with spearphishing and kept creating new malware.

In 2017 multiple attacks on government entities were attributed to APT29, but there was not much information published by Western security firms or government agencies. This could represent retargeting away from Western spheres of influence and information gathering. August 2017 was the first compile date of RegDuke, with the last known compile date in August 2018.

Two months later, in October 2018, an article was published covering RegDuke, PolyglotDuke and FatDuke. It appears that the three malware families had already been retired before they were written about, as APT29 had stopped deploying those three families. In October 2019 an article was published covering a campaign running from before 2015, attributed to APT29, targeting government entities. This was where the research was concluded, but there have been multiple attacks attributed to APT29 since 2019, the highest profile to date being the SolarWinds breach.

Analysis of APT29’s activity

Looking at APT29’s history, they demonstrate the ability to refine their malware and create new malware, in and out of the limelight, and the ability to keep operating in and out of the limelight. Not much between 2008 and 2019 gave the group pause; they rarely retired an entire family of malware in close proximity to media coverage.

While this is based on a sample size of one group that is at the higher end of sophistication, the constructed timeline covers eleven years. This proves that in at least this instance the particular APT often did not retire tools once widely exposed and likely did not cease operations at any time. At least some APTs are resilient to being burned.

Using TTPs to define security controls

While tactical threat intelligence, atomic IoCs, might not impede an adversary, there are still steps an organisation can take to defend itself. You can map strategic threat intelligence, the group’s higher level TTPs, to MITRE ATT&CK, then take the single most prevalent TTP observed in each MITRE ATT&CK tactic category. Each of those TTPs can then be mapped to controls, generating a prioritised control list for your organisation. This methodology has been advocated by MITRE ATT&CK but is not yet widely adopted.

Even if you are not interested in APT29 this is a repeatable methodology you could use for other groups. You also don’t need to limit yourself to the single most observed TTP for each section of MITRE ATT&CK, you can map as many or as few TTPs to MITRE ATT&CK as you desire.
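The counting step just described, worked as an added example (this is not code from the article or its research dataset): constructed (year, tactic, technique) observations are tallied per ATT&CK tactic, the most prevalent technique is picked with ties flagged rather than silently broken, the years it was seen are kept for the year-on-year reasoning used later in the article, and the winners are mapped to controls. The observation counts and the control map are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample observations: (year, tactic, technique), the shape an analyst
# ends up with after mapping public reports to MITRE ATT&CK. Counts are illustrative
# and are not the article's dataset.
OBSERVATIONS = [
    (2015, "Initial Access", "Phishing"),
    (2015, "Initial Access", "Valid Accounts"),
    (2016, "Initial Access", "Phishing"),
    (2016, "Execution", "Command and Scripting Interpreter"),
    (2016, "Execution", "User Execution"),
    (2018, "Execution", "Command and Scripting Interpreter"),
    (2015, "Persistence", "Event Triggered Execution"),
    (2016, "Persistence", "Valid Accounts"),
    (2015, "Credential Access", "OS Credential Dumping"),
    (2018, "Credential Access", "OS Credential Dumping"),
    (2016, "Lateral Movement", "Remote Services"),
    (2018, "Lateral Movement", "Remote Services"),
]

# Technique -> controls, following the article's mappings (hypothetical structure).
CONTROL_MAP = {
    "Phishing": ["Antivirus", "Network intrusion detection/prevention",
                 "User awareness training"],
    "Command and Scripting Interpreter": ["Antivirus", "Execution prevention",
                                          "Hardening policy"],
    "Event Triggered Execution": ["SIEM rule: changes to event-triggered execution mechanisms"],
    "OS Credential Dumping": ["Lock down DC replication", "Protected Users AD group",
                              "SIEM rule: processes interacting with lsass.exe"],
    "Remote Services": ["Multifactor authentication", "User account management policy"],
}


def most_prevalent_by_tactic(observations):
    """For each tactic, return the most observed technique, its count, the years it
    was seen, and any techniques tied with it (ties are flagged, not silently broken)."""
    counts = defaultdict(Counter)
    years = defaultdict(lambda: defaultdict(set))
    for year, tactic, technique in observations:
        counts[tactic][technique] += 1
        years[tactic][technique].add(year)
    result = {}
    for tactic, counter in counts.items():
        ranked = counter.most_common()          # stable sort: first-seen wins a tie
        technique, n = ranked[0]
        result[tactic] = {
            "technique": technique,
            "count": n,
            "years": sorted(years[tactic][technique]),
            "tied_with": [t for t, c in ranked[1:] if c == n],
        }
    return result


def prioritised_controls(observations, control_map):
    """Map each tactic's winning technique to controls, deduplicating across tactics
    so shared controls such as antivirus are listed once, in the order first needed."""
    controls = []
    for info in most_prevalent_by_tactic(observations).values():
        for control in control_map.get(info["technique"], []):
            if control not in controls:
                controls.append(control)
    return controls


if __name__ == "__main__":
    for tactic, info in most_prevalent_by_tactic(OBSERVATIONS).items():
        tie = f" (tied with {info['tied_with']})" if info["tied_with"] else ""
        print(f"{tactic}: {info['technique']} x{info['count']} in {info['years']}{tie}")
    print(prioritised_controls(OBSERVATIONS, CONTROL_MAP))
```

A flagged tie (here in Persistence) is the cue to look at both techniques rather than trust the first one returned.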

While this article argues for a shift towards TTPs and away from IoCs, that is not to say IoCs don’t have a place. They do, but as they are much more specific and easier to change, IoCs are more time sensitive and thus harder to gain utility from. The provenance of IoCs should also be scrutinised. Verified IoCs are useful to an organisation with a robust logging and monitoring regime in place. TTPs are useful to any organisation no matter their security posture.

Below, TTPs of APT29 over the eleven year period are mapped to controls.

Initial Access

According to MITRE ATT&CK, initial access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Below are the TTPs observed for APT29:

Phishing is the main way APT29 enters a network. Valid accounts are worth noting because they are a versatile TTP that show up at multiple points of the attack lifecycle but for the purpose of making a prioritised control list, phishing will be focused on. The controls to put in place against phishing on the technology side would be antivirus to prevent malware from running and network intrusion detection/prevention to detect malicious emails. An email scanning solution would be ideal. On the training side the control to put in place would be user training to help users spot phishing before they interact with the email.

Execution

According to MITRE ATT&CK, execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Below are the TTPs observed for APT29:

It is a close tie between command and scripting interpreter and user execution, the former being functionality provided by the attacker’s tools and the latter being users opening phishing. However, command and scripting interpreter is the most prevalent. For controls against command and scripting interpreter, on the technology side antivirus is again applicable to detect the attacker’s tools. Also, an execution prevention solution to prevent unknown programs from running is desirable. For the policy side, an implemented hardening policy would give attackers less of a surface to exploit.

Persistence

According to MITRE ATT&CK, persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Below are the TTPs observed for APT29:

Something to note here is that the number of times a TTP for persistence is sighted is much less than for initial access and execution. However, event triggered execution is the most prevalent. The events used by event triggered execution are often necessary events that occur in the normal usage of a network. This means monitoring for additions or modifications to mechanisms that could be used to trigger execution, and alerting when they are altered, is desirable. This implies the ability to perform detection and alerting, so a Security Information and Event Management (SIEM) solution, or something similar, is required.

Which events should be monitored for tampering depends on your environment, but any event that can trigger code to run, particularly if that code will run with privileges higher than a normal user, could be abused by an attacker. To keep this a focused exercise, it is suggested that only the most common such events in your environment be monitored.

Privilege Escalation

According to MITRE ATT&CK, privilege escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. These techniques often overlap with persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

Below are the TTPs observed for APT29:

Event triggered execution is a versatile TTP. If an attacker can find an event that runs at higher privileges than they themselves have, it lets them run code at those privileges, just as it lets them run their code repeatedly, granting persistence. As event triggered execution is again the most prevalent TTP, the controls referenced against persistence are also relevant here.

Defense evasion

According to MITRE ATT&CK, defense evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Below are the TTPs observed for APT29:

It is notable that there were no TTPs observed for execution guardrails, elements that stop malware from executing outside its intended targets. It is common to see execution guardrails in malware developed by financially motivated attackers from certain countries. Some countries cultivate an implicit bargain that as long as attackers target foreigners outside the country and don’t cause problems domestically, authorities will overlook them.

One way to facilitate this is to have the malware check the language the system is using. If the language of the country you don’t want to harm is found, the malware crashes. APT29 is attributed to the authorities of just such a country, and it is interesting to note that while financially motivated criminals from this country have rules they must abide by, the authorities are not beholden to such rules.

Another notable finding is that the number of observed TTPs is high again, as it was for initial access and execution. Also, while TTPs with no hits are omitted from some of the graphs to save space, there are multiple TTPs for defense evasion that were observed year on year.

Obfuscated files or information is the most prevalent, alongside related tactics like indicator removal, where indicators of malicious activity are removed. This marks APT29 as a relatively stealthy APT. As far as controls against obfuscated files or information, antivirus and network intrusion detection/prevention are desirable, in an attempt to spot something out of place with files and traffic.

Credential access

According to MITRE ATT&CK, credential access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Below are the TTPs observed for APT29:

Low numbers of TTPs for credential access were observed. Credential access is an important part of an attack lifecycle; quite often an attacker will need credentials to access or log into something. APT29 is almost certainly collecting credentials, even in the years that no activity was observed. From the activity that was observed, because a small number of TTPs were seen year on year, it might be inferred that this group has a number of tried-and-true TTPs it regularly uses to access credentials.

Operating System (OS) credential dumping was the most prevalent TTP. This is largely due to the observation of a tool called mimikatz. Controls against OS credential dumping on the technology side include Active Directory (AD) configurations such as locking down domain controller (DC) replication and use of the protected users AD security group.

Often, if an attacker can’t attack something in a live system, they will access a backup copy and attack the same thing in the backup. To prevent this, ensure backups, especially DC backups, are encrypted. Mimikatz interacts with the LSA Subsystem Service (LSASS), so a final technical control is to monitor for malicious interaction with lsass.exe.

On the policy side of controls, a strong and enforced password policy will ensure that in the event that hashes are accessed that they are hard to crack. A policy of enforced privileged account management will also ensure the privileges are not handed out unnecessarily across the organisation, so if an account is compromised the attackers get access to minimal systems and services.

Discovery

According to MITRE ATT&CK, discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

Below are the TTPs observed for APT29:

Much that was noted regarding the data for credential access is applicable to discovery. Low numbers of TTPs were observed, and because a small number of TTPs were seen year on year it might be inferred that this group has a number of tried-and-true TTPs it regularly uses to discover information while on a network.

System information discovery was the most commonly observed TTP. Often this is through legitimate means so monitoring for activity that is out of the normal is desirable. Monitoring and alerting on processes and command-line arguments for actions that gather system and network information can be put in place. Monitoring and alerting for interaction with the Windows API to gather information and for interaction with Windows system management tools such as Windows Management Instrumentation and PowerShell can also be put in place. This would be configured through a SIEM or a similar solution.

Lateral movement

According to MITRE ATT&CK, lateral movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Below are the TTPs observed for APT29:

Again, low numbers of TTPs were observed. As stated for credential access, just because we can’t see an activity occurring doesn’t mean it isn’t occurring. Lateral movement is almost certainly occurring for APT29 to find the information they are after. But to work with the observed TTPs, abusing remote services was the most prevalent form of lateral movement.

On the technology side multifactor authentication can be configured for remote services. On the policy side, enforced user account management will ensure that only users who need access to remote services have access to remote services. This will limit the chance that an attacker will gain access to remote services should accounts be compromised.

Collection

According to MITRE ATT&CK, collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Below are the TTPs observed for APT29:

Again, we have the same mantra of a small number of TTPs observed, but the same TTPs being consistently used. As archive collected data is the most prevalent TTP, detecting the writing of files with extensions and/or headers associated with compressed or encrypted file types and correlating that with data exfiltration is desirable.

Command and Control

According to MITRE ATT&CK, command and control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.

Below are the TTPs observed for APT29:

Data obfuscation was the most prevalent TTP, with APT29 consistently using steganography, embedding information in images, or encryption to hide their traffic. APT29 was also observed using legitimate web services such as Twitter and Dropbox for command and control, which to a network defender will look like normal traffic.

For controls against data obfuscation, network intrusion detection/prevention is desirable to try and detect abnormal traffic.

Exfiltration

According to MITRE ATT&CK, exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

Below are the TTPs observed for APT29:

Again, we have the same mantra of a small number of TTPs observed, but the same TTPs being consistently used. As far as implementing controls against exfiltration over command and control channels, network intrusion detection/prevention is desirable to detect abnormal traffic. This traffic can be correlated against the writing of files with extensions and/or headers associated with compressed or encrypted file types, representing data being compressed and encrypted before exfiltration.

Impact

According to MITRE ATT&CK, impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

There were no TTPs related to impact that were observed for APT29. This is likely due to their focus on espionage. Their objective is to gather information rather than cause damage.

There are two further interesting observations from this data set. Below is the raw number of TTPs related to APT29 activity over the years:

There is a sharp decline in 2017, possibly due to the unprecedented level of scrutiny APT29 was under after the DNC breach of 2016, and/or re-targeting away from Western spheres of influence and information gathering. It’s noteworthy that 2018 saw a sharp increase, showing that the group certainly didn’t stop operating post 2016. The recent SolarWinds breach is also evidence of this.

Below are the numbers of TTPs against the MITRE ATT&CK categories seen over the years.

This information is collected from write ups, primarily from Western security vendors and government organisations. All of the above categories are vital for an attack, so in theory there should be an even spread of TTPs across the categories. However, there is a clear bias towards defense evasion, command and control, and to a lesser extent the early stages of an attack in initial access, execution, persistence and privilege escalation. Very little attention is given to credential access, discovery, lateral movement, collection and exfiltration, activities that largely take place once the attacker is established in the network.

There is no definitive answer for this observation at this time. One possible explanation could be that defenders think about and treat networks as a bubble. Things entering and exiting are important, but what happens inside the bubble is given less importance.

Another possible explanation is that a lot of the information in the referenced reports comes from vendor tools such as antivirus and network intrusion detection/prevention. It’s easier for such tools to detect TTPs like defense evasion and command and control, but much harder to detect activity such as discovery and lateral movement that largely abuses legitimate processes. It may also be enticing to talk about malware functionality and less exciting to talk about more mundane TTPs, like lateral movement, from a marketing point of view.

This bias should be taken into consideration by groups that are releasing information on APTs and if information for lesser discussed TTPs is present it should be shared. Defence against such groups will be easier if holistic data is available.

A prioritised control list

The controls that we have derived from collecting threat intelligence and looking at the most prevalent TTPs in each MITRE ATT&CK category form a prioritised control list that organisations could implement if they deem APT29 to be a threat.

Training

  • User awareness training for spotting phishing

Policy

  • Hardening policy
  • Password policy
  • Privileged account management policy with DCs a priority
  • User Account Management policy with remote services a priority
  • Log management due to the inclusion of a SIEM solution

Technology

  • Antivirus
  • Network intrusion detection/prevention
  • Execution prevention
  • Multifactor authentication with remote services a priority
  • A SIEM solution

SIEM rules

  • Additions or modifications of mechanisms used to trigger event-based execution
  • Processes interacting with lsass.exe
  • Processes and command-line arguments for actions that gather system and network information
  • Interaction with the Windows API to gather information
  • Interaction with Windows system management tools such as Windows Management Instrumentation and PowerShell
  • Writing of files with extensions and/or headers associated with compressed or encrypted file types, correlated with suspicious traffic out of the environment
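The SIEM rules above, worked as an added example (not the article’s own code, nor any vendor’s rule language): a small Python rule set run over constructed Sysmon-style events, covering non-allowlisted access to lsass.exe, discovery command lines, and archive writes correlated with a large outbound transfer from the same host. The event field names, the lsass.exe allowlist, the internal address ranges, the discovery tokens and the 15-minute correlation window are all assumptions to be tuned per environment.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events in a simplified Sysmon-like shape; not real telemetry.
EVENTS = [
    {"ts": "2020-12-01T09:00:00", "host": "ws01", "type": "process_access",
     "source": "C:\\Windows\\System32\\csrss.exe", "target": "lsass.exe"},
    {"ts": "2020-12-01T09:05:00", "host": "ws01", "type": "process_access",
     "source": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "target": "lsass.exe"},
    {"ts": "2020-12-01T09:06:00", "host": "ws01", "type": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c systeminfo & net view"},
    {"ts": "2020-12-01T09:10:00", "host": "ws01", "type": "file_create",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\docs.dat", "magic": "504b0304"},
    {"ts": "2020-12-01T09:12:00", "host": "ws01", "type": "network_connect",
     "dest_ip": "203.0.113.10", "bytes_out": 52_000_000},
    {"ts": "2020-12-01T10:00:00", "host": "ws02", "type": "file_create",
     "path": "C:\\Users\\bob\\Documents\\report.zip", "magic": "504b0304"},
    {"ts": "2020-12-01T13:00:00", "host": "ws02", "type": "network_connect",
     "dest_ip": "10.0.0.5", "bytes_out": 1_000},
]

# Tuning knobs (assumptions): processes expected to touch LSASS, the organisation's
# internal ranges, command-line fragments typical of system/network discovery,
# archive signatures, and the archive-to-transfer correlation window.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISCOVERY_TOKENS = ("systeminfo", "net view", "net group", "ipconfig /all", "whoami",
                    "wmic ", "get-wmiobject", "get-ciminstance")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".gz")
ARCHIVE_MAGIC = {"504b0304": "zip", "52617221": "rar", "377abcaf": "7z", "1f8b": "gzip"}
CORRELATION_WINDOW = timedelta(minutes=15)
EXFIL_BYTES = 10_000_000


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def rule_lsass_access(events):
    """Process not on the allowlist opening a handle to lsass.exe (credential dumping)."""
    return [e for e in events if e["type"] == "process_access"
            and e["target"].lower() == "lsass.exe"
            and _basename(e["source"]) not in LSASS_ALLOWLIST]


def rule_discovery_cmdline(events):
    """Process creation whose command line carries discovery tokens; returns (event, tokens)."""
    hits = []
    for e in events:
        if e["type"] == "process_create":
            found = [t for t in DISCOVERY_TOKENS if t in e["cmdline"].lower()]
            if found:
                hits.append((e, found))
    return hits


def looks_like_archive(event):
    """Match on extension or on leading bytes, so a renamed archive (docs.dat) still counts."""
    if _basename(event["path"]).endswith(ARCHIVE_EXT):
        return True
    magic = event.get("magic", "").lower()
    return any(magic.startswith(m) for m in ARCHIVE_MAGIC)


def rule_archive_then_exfil(events):
    """Archive written on a host, then a large outbound transfer from the same host to a
    non-internal address within the window; returns (file_event, network_event) pairs."""
    hits = []
    for a in (e for e in events if e["type"] == "file_create" and looks_like_archive(e)):
        for n in (e for e in events if e["type"] == "network_connect" and e["host"] == a["host"]):
            dest = ipaddress.ip_address(n["dest_ip"])
            if (timedelta(0) <= _ts(n) - _ts(a) <= CORRELATION_WINDOW
                    and not any(dest in net for net in INTERNAL_NETS)
                    and n["bytes_out"] >= EXFIL_BYTES):
                hits.append((a, n))
    return hits


def run_all(events):
    return {"lsass_access": rule_lsass_access(events),
            "discovery": rule_discovery_cmdline(events),
            "archive_then_exfil": rule_archive_then_exfil(events)}


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
```

In the constructed data only ws01 fires all three rules; ws02’s report.zip is followed by a small transfer to an internal address hours later, so it stays quiet.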

While the SolarWinds breach is extensive and a number of organisations should consider APT29 a threat, not every organisation does, or even should. The take away is that the collection of information freely available in the public domain, and analysis of that information against MITRE ATT&CK to generate TTPs that map to controls, is a repeatable process. Any organisation could apply this methodology to help focus their security controls and their security budgets.

Summary

It can be hard to disrupt adversaries with threat intelligence. It is easier to make yourself a hard target. Rather than tactical threat intelligence and atomic IoCs, think about strategic threat intelligence, TTPs. There is a great deal of open-source threat intelligence you can map to MITRE ATT&CK. Identify the TTPs most relevant to you and turn strategic threat intelligence into a prioritised control list.

TTPs mapped to reports

References
