Anatomy of a Hacker Group: APT29 (AKA Cozy Bear)

The threat group APT29, also known as Cozy Bear, is well-known for its alleged role in infiltrating the U.S. Democratic National Committee during the 2016 presidential election cycle — but that’s only the tip of the iceberg when it comes to what this group has been up to. While there have been stretches of time when its activity appeared to decrease, the group remains highly relevant.

Naturally, part of this is due to the upcoming 2020 election. But research has also shown that even during quiet periods, the group has continued its cyberespionage activities and has evolved the malware it uses to carry them out.

Examples of the group’s self-developed malware include CloudDuke, CosmicDuke, CozyCar, GeminiDuke, and many other tools with “Duke” in the name, a naming pattern that reflects one of the group’s other aliases: CozyDuke.

The group is also known for using at least 23 different techniques documented in MITRE ATT&CK — including many associated with Defense Evasion — and its apparent targets span industries and geographies, including entities in the commercial and public sectors of Germany, Uzbekistan, South Korea, the U.S., and more.

APT29 demonstrates the capabilities of a group that likely has state-sponsored support behind it. Combined with the variety of tools and tactics, techniques, and procedures (TTPs) it uses, this makes APT29 a valuable group to study, both for its sophistication and for the way it prolongs access to victim environments by avoiding discovery.

Watch the on-demand webinar now to learn from members of LogRhythm Labs’ threat research team and Randy Franklin Smith of Ultimate Windows Security, who take a deep dive into this threat group and its activities, and explain how you can automate the detection and mitigation of threats that are associated with the group or that use similar techniques.

Duration: 01:02:28