Read on Twitter
Some observations about Russian #APT29, after dealing with them for years (my views, not my employer's):
#APT29 has used generic phishing emails, like "efax notification". They work on gullible users and hinder identification as targeted attack.
#APT29 uses at least 3 types of backdoors: phishing, operational, persistence.
#APT29 abandons their phishing backdoor as soon as they pivot off patient zero, in favor of their operational tools.
#APT29 deploys stealthy persistence backdoors on systems with no other activity, and ignores them unless needed.
#APT29 uses a phishing backdoor so that when defenders identify the backdoor/email, they will miss the other backdoors and declare victory.
#APT29 phishing attacks are often designed to reside in roaming profiles, in order to persist in VDI environments.
#APT29 sometimes uses misdirection for opsec. They're brazen in some of their activity to hide more discreet actions.
#APT29 appears to use multiple teams for intrusion. B team establishes initial access and persistence. A team completes mission.
#APT29 may phish their primary targets directly, rather than phishing colleagues and moving to target, to ensure access to data.
#APT29 has rotated, changed and combined TTPs during incidents to determine how they are being detected and to confuse defenders.
#APT29 actively monitors the security and IT organizations of victims to track detection and response efforts.
I suspect that #APT29 uses large-scale phishing campaigns to hide their true targets (more distraction-based opsec)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
