APT29
State-backed: SVR, Russia.
Associated groups: Dukes, Group 100, Cozy Duke, CozyDuke, EuroAPT, CozyBear, CozyCar, Cozer, Office Monkeys, OfficeMonkeys, APT29, Cozy Bear, The Dukes, Minidionis, SeaDuke, Hammer Toss, YTTRIUM, Iron Hemlock, Grizzly Steppe
Estimated time of origin: 2008
Target sectors: Governments in the West, Central Asia, East Africa, and the Middle East.
Strategy: Uses Twitter, GitHub and cloud storage services to relay commands to, and exfiltrate data from, compromised systems.
Malware:
- HAMMERTOSS
- TDISCOVER
- UPLOADER
Noteworthy:
- Consistently uses anti-forensic techniques and monitors victims' remediation efforts in order to subvert them.
- SolarWinds Orion supply chain attack.
References
- F-Secure, "The Dukes"
- MITRE ATT&CK
- FireEye, "HAMMERTOSS"
- Malpedia