Tuesday May 06, 2025

#APT29: Inside Russia’s Most Dangerous Hacking Group 2/2

🪆 APT29, the cyber espionage group linked to Russia's Foreign Intelligence Service (SVR), compromised Orion, SolarWinds' network monitoring platform, by slipping a backdoor into its software builds. At the time it was the largest supply chain attack ever seen: a highly complex operation with some truly astonishing consequences. This is the second episode in this series of tales from the dark corners of cyberspace, where I explore cybercriminal groups with ties to global intelligence agencies.

Sources:
📣 It was Russia wot did it: SolarWinds hack was done by Kremlin's APT29 crew, say UK and US https://www.theregister.com/2021/04/15/solarwinds_hack_russia_apt29_positive_technologies_sanctions/
🐤 Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
🗑️ OS Credential Dumping, MITRE ATT&CK https://attack.mitre.org/techniques/T1003/
🕵🏻 Russian cyberspies targeted the Slovak government for months https://therecord.media/russian-cyberspies-targeted-slovak-government-for-months
🤔 What Is Cobalt Strike and How Does It Work? https://www.cynet.com/network-attacks/cobalt-strike-white-hat-hacker-powerhouse-in-the-wrong-hands/
🇫🇷 France warns of Nobelium cyberspies attacking French orgs https://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/
😶‍🌫️ FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor https://www.microsoft.com/en-us/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
🖲️ Trello From the Other Side: Tracking APT29 Phishing Campaigns https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns
💾 Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/
☑️ MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone https://www.microsoft.com/en-us/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
🇵🇱 NOBELIUM Uses Poland's Ambassador's Visit to the U.S. to Target EU Governments Assisting Ukraine https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine
🇷🇺 CERT Polska and SKW warn of Russian spies' activities https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/
🔎 Espionage campaign linked to Russian intelligence services https://www.gov.pl/web/baza-wiedzy/kampania-szpiegowska-wiazana-z-rosyjskimi-sluzbami-specjalnymi
🧑‍💻 Midnight Blizzard conducts targeted social engineering over Microsoft Teams https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
💥 APT29 Attacks Embassies Using CVE-2023-38831 https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29 attacks Embassies using CVE-2023-38831 - report en.pdf
👍🏻 AlessandroZ/LaZagne on GitHub: credentials recovery project https://github.com/AlessandroZ/LaZagne

Relevant xkcd: https://xkcd.com/1573/

© All trademarks, logos and brand names are the property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, trademarks and brands does not imply endorsement.

My socials:
Instagram @mattchrobok https://www.instagram.com/mattchrobok/
Twixxer @ChrobokMatt https://twitter.com/ChrobokMatt
Mastodon https://infosec.exchange/@mateuszchrobok
LinkedIn @mateuszchrobok https://www.linkedin.com/in/mateuszchrobok/
TikTok @mattchrobok
Facebook https://www.facebook.com/mattchrobok

Chapters:
00:00 Intro
01:09 2021 StellarParticle
05:22 2021 Diplomats
08:37 2022 Trello
13:56 2023 ADFS
17:14 2023 Difference
20:06 2023 TeamCity
21:42 What To Do And How To Live?

#APT29 #SVR #Russia #Moscow #Kremlin


Copyright 2025 All rights reserved.
