G0016: APT29
Description
[APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)
In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)
References
- https://attack.mitre.org/groups/G0016
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
- https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
- https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
Software attributed to this group (22)
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Software | WellMess (S0514) | 100% | live |
| Software | OnionDuke (S0052) | 100% | live |
| Software | LiteDuke (S0513) | 100% | live |
| Software | FoggyWeb (S0661) | 100% | live |
| Software | PowerDuke (S0139) | 100% | live |
| Software | VaporRage (S0636) | 100% | live |
| Software | Sibot (S0589) | 100% | live |
| Software | GoldMax (S0588) | 100% | live |
| Software | NativeZone (S0637) | 100% | live |
| Software | CosmicDuke (S0050) | 100% | live |
| Software | CozyCar (S0046) | 100% | live |
| Software | HAMMERTOSS (S0037) | 100% | live |
| Software | GeminiDuke (S0049) | 100% | live |
| Software | WellMail (S0515) | 100% | live |
| Software | MiniDuke (S0051) | 100% | live |
| Software | SUNSPOT (S0562) | 95% | live |
| Software | FatDuke (S0512) | 95% | live |
| Software | GoldFinder (S0597) | 95% | live |
| Software | TEARDROP (S0560) | 95% | live |
| Software | QUIETEXIT (S1084) | 95% | live |
| Software | Raindrop (S0565) | 95% | live |
| Software | BoomBox (S0635) | 95% | live |