
Why is it so hard to detect and defend against Russia's APT29? Learn how to map the group's techniques in 6 basic steps with MITRE ATT&CK.

How do security analysts detect advanced persistent threats such as Cozy Bear, Dark Halo, and NOBELIUM? We will learn how to apply the MITRE ATT&CK framework in 6 basic steps to uncover the sophisticated techniques of nation-state hackers.

Published: June 18, 2021 By Dmytro Cherkashyn

One of the most famous Russian threat groups Cozy Bear

Once you have this information, your view of the threat landscape will never be the same. We are going to dive into some of the most sophisticated techniques ever used to break into highly protected systems.

You might have heard about the SolarWinds breach that made waves around the world. This attack affected over 17,000 systems globally, with an estimated number of threatened endpoints close to an incredible 60,000,000 (but I am sure the real figure is much higher). And we are still speaking about the same group.

SolarWinds attack short sequence of actions

APT29 is, according to various sources, the threat group attributed to the Russian National Intelligence Service. Who are they? How do they operate? Let's look together.

Even if you are not a computer expert, you will understand the scope and complexity of the work these attackers put into achieving their goals. It is terrifying and fascinating at the same time.

What is APT (Advanced Persistent Threat)?

The term APT, read Advanced Persistent Threat, comes from a US Air Force colonel who first used it in the meaning we know today.

And even though APT is a borrowed term rather than a native security definition, it fits its purpose well.

  • Advanced, because they use custom-crafted techniques and tools, which often include zero-days. Another point is the domains APTs aim at.
    These are usually full of non-standard and expensive devices, procedures and process-based operations, so the attackers rely not only on general technical knowledge but on specific details about the targeted organization.
  • Persistent, because they focus on a long-term undetected foothold rather than a one-time successful strike, as ransomware operators do, for instance.
    With the rise of AI in network detection and response systems, it is much harder to stay invisible and keep traces of malicious activity out of the logs. Still, they spend most of their time keeping their presence unrevealed.
  • Threat, because they threaten us to the highest degree.
    These actors are not looking for monetary gain. Instead, they aim at long-term social consequences that touch everybody in the world.

We will look closer at APT29 in particular in the following chapters.

Spaces and actions of APT28 and APT29 groups

Image source – wikipedia.org

Why are experts searching for APT?

As mentioned before, APTs pose a very serious danger to the pillars of a state's existence and to all the infrastructure around it.

The list of critical infrastructure sectors varies from one country to another, but it usually includes the financial, energy, transportation, healthcare, and communication sectors.

There are many information interconnections between them, as well as logical and physical dependencies.

For instance, targeting the energy sector and causing outages and widespread blackouts would affect every other industry. It is hard to imagine anything working today without electricity for even a few minutes. What if one group causes an outage of a few days?

It is crucially important to understand how APTs act, for several reasons:

  1. Collecting indicators of compromise and attack trees, which help identify an APT's presence inside a corporate network.
  2. Matching patterns from one case to another, which helps state security services attribute an attack to a particular state or non-state actor. These are highly political matters, and they are going to be hot topics for any future cyber-defense doctrine.

How to use the MITRE ATT&CK framework?

Now, let us look at practical things. If you have not heard about MITRE before, you can read about it on the official website.

What we are going to inspect and practice is the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. This chapter focuses on how the framework helps resolve the challenges mentioned in the previous chapter.

I am going to walk through the MITRE toolset with an example and explain its use cases.

  1. Go directly to attack.mitre.org and scroll down to the Matrix for Enterprise.
    It is the major matrix, but not the only one MITRE offers today. There are also matrices specifically for mobile and industrial control systems.

    The tactics and techniques matrix is presented directly on the first page

    Image source – attack.mitre.org

  2. Now we have many options for proceeding, but we want to know about APT29. At this stage, we switch to the dedicated ATT&CK Navigator.

    MITRE ATT&CK Navigator link

    Image source – attack.mitre.org

  3. Click on “Create New Layer” and then “Enterprise”. The new window with the Matrix will appear in front of you.

    MITRE ATT&CK creating new Enterprise representation layer

    Image source – attack.mitre.org

  4. Using the "Multi-select" button, open the list of Threat Groups, scroll down to the one we need, "APT29," and click “View”. A new tab will open. Please don't close the previous tab manually; we will need to get back to it after this step.
    Now you can read about the threat group itself and find a lot of helpful information, which provides plenty of data for processing. But this is not yet what we want.

    MITRE ATT&CK opening tab with a comprehensive description of APT29 group

    Image source – attack.mitre.org

  5. Go back to the previous tab from the beginning of the last step. Click “select” next to APT29, and all relevant techniques will be marked with frames around them. Right-click on one of those framed blocks and choose “invert selection”. With the selection inverted, click “Toggle state”, and then look for the “Show/Hide disabled” button.

    MITRE ATT&CK making all not related techniques invisible in 3 steps

    Image source – attack.mitre.org

  6. From now on, we see only the techniques for our specific threat group. It is much easier to follow the attack stages now.

    MITRE ATT&CK shows only techniques for APT29 along with standard tactics

    Image source – attack.mitre.org
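Steps 4 to 6 above can also be done without clicking: ATT&CK is published as a STIX bundle, and the Navigator accepts layer files in JSON. The following added example (my own code, not from the article or from MITRE) reads a group's "uses" relationships from a bundle and writes a layer in which the group's techniques are enabled and coloured while every other technique is disabled and hidden, which is exactly what "invert selection", "Toggle state" and "Show/Hide disabled" do in the UI. The bundle below is a constructed miniature with placeholder STIX UUIDs; G0016 is APT29's ATT&CK group ID, and the technique IDs are real, but which techniques the group really uses must come from MITRE's full `enterprise-attack` bundle. The version strings in the layer header are assumptions.

```python
"""Build an ATT&CK Navigator layer showing only one group's techniques.

Added example, not the article's or MITRE's code. SAMPLE_BUNDLE is a
constructed miniature of the enterprise-attack STIX bundle.
"""
import json

# Constructed sample: one intrusion-set, three attack-patterns and the "uses"
# relationships linking them. UUIDs are placeholders, not the real ones.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g0016-placeholder", "name": "APT29",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1078-placeholder", "name": "Valid Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1566-placeholder", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1486-placeholder", "name": "Data Encrypted for Impact",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}]},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0016-placeholder", "target_ref": "attack-pattern--t1078-placeholder"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0016-placeholder", "target_ref": "attack-pattern--t1566-placeholder"},
    ],
}


def attack_id(obj):
    """Return the ATT&CK external ID (Gxxxx / Txxxx) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def techniques_used_by(bundle, group_id):
    """Map technique ID -> set of tactic names for every technique the group 'uses'."""
    objects = bundle["objects"]
    by_stix_id = {o["id"]: o for o in objects if "id" in o}
    group_refs = {o["id"] for o in objects
                  if o["type"] == "intrusion-set" and attack_id(o) == group_id}
    used = {}
    for rel in objects:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        if rel["source_ref"] not in group_refs:
            continue
        tech = by_stix_id.get(rel["target_ref"])
        if tech is None or tech["type"] != "attack-pattern":
            continue
        tactics = {p["phase_name"] for p in tech.get("kill_chain_phases", [])
                   if p["kill_chain_name"] == "mitre-attack"}
        used[attack_id(tech)] = tactics
    return used


def build_layer(bundle, group_id, layer_name):
    """Navigator layer: the group's techniques enabled and coloured, all others disabled.

    One entry is emitted per (technique, tactic) cell, as the matrix displays them.
    """
    used = techniques_used_by(bundle, group_id)
    entries = []
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern":
            continue
        tid = attack_id(obj)
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] != "mitre-attack":
                continue
            tactic = phase["phase_name"]
            hit = tid in used and tactic in used[tid]
            entries.append({"techniqueID": tid, "tactic": tactic, "enabled": hit,
                            "color": "#e60d0d" if hit else "", "score": 1 if hit else 0,
                            "comment": ""})
    return {
        "name": layer_name,
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},  # assumed versions
        "domain": "enterprise-attack",
        "description": f"Techniques used by {group_id}; unrelated techniques disabled",
        "hideDisabled": True,  # the "Show/Hide disabled" toggle from step 5
        "techniques": entries,
    }


if __name__ == "__main__":
    print(json.dumps(build_layer(SAMPLE_BUNDLE, "G0016", "APT29 techniques"), indent=2))
```

Save the printed JSON to a file and open it through "Open Existing Layer" in the Navigator; swapping `SAMPLE_BUNDLE` for the real `enterprise-attack.json` from MITRE's CTI repository gives the same picture as step 6 for any group ID.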

At this point, we are working with a specific threat group only. The full functionality of MITRE ATT&CK cannot be described within the scope of one article, so we will leave other case studies for future publications.

However, you might want to learn it on your own. That is a sound decision, given the professionally written documentation and online seminars available.

Defensive measures against APT threats

Unfortunately, there is no such thing as a "magic button" or an "all-in-one solution" for protection against the various APTs yet. But if you have enough expertise and resources, it is possible to implement security controls that reduce the risks associated with this threat.

You are likely to reduce the present risks if you follow a few general principles:

1. Think about security architecture first, not compensating controls.

  • Build your network according to best practices. Only communications between nodes that need to talk to each other should exist; all unnecessary bridges between higher and lower protection levels should be eliminated.
  • Make an inventory of your assets during the design stage, so you know what needs protecting in the first place.
  • Group your assets into security zones and apply appropriate security controls to each zone to balance overall security.
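The three bullets above are one workflow: inventory the assets, assign each to a zone with a protection level, then check that every observed flow is either explicitly approved or flagged. The following added example (my own code, not from the article) does that check on constructed sample data: an unapproved flow that crosses between protection levels is reported as a bridge, an unapproved flow inside one level as unnecessary, and any asset missing from the inventory is treated as untrusted, which is how an unmanaged device should surface in such an audit. Asset names, zones, ports and the 203.0.113.5 address are all constructed.

```python
"""Audit network flows against a security-zone model.

Added example, not the article's code. Zones, assets, approved flows and
observed flows below are constructed sample data; a real audit would read
them from the asset inventory and from firewall or NetFlow exports.
"""
from dataclasses import dataclass

# Constructed sample: zones with a protection level (higher = more critical)
# and the assets that belong to each zone.
ZONE_LEVEL = {"internet": 0, "dmz": 1, "office": 2, "scada": 3}
ASSET_ZONE = {
    "web-proxy": "dmz",
    "mail-gw": "dmz",
    "hr-laptop-17": "office",
    "historian": "scada",
    "plc-01": "scada",
}

# Flows the architecture explicitly allows: (source asset, destination asset, port).
APPROVED = {
    ("hr-laptop-17", "web-proxy", 3128),
    ("historian", "plc-01", 502),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def zone_of(asset):
    """Zone of an asset; anything not in the inventory is treated as untrusted."""
    return ASSET_ZONE.get(asset, "internet")


def classify(flow):
    """'ok' for approved flows, 'bridge' for an unapproved flow that crosses
    protection levels, 'unnecessary' for an unapproved flow within one level."""
    if (flow.src, flow.dst, flow.port) in APPROVED:
        return "ok"
    if ZONE_LEVEL[zone_of(flow.src)] != ZONE_LEVEL[zone_of(flow.dst)]:
        return "bridge"
    return "unnecessary"


def audit(flows):
    """Return (verdict, flow) pairs for every flow that violates the
    'only necessary communications' principle, bridges first."""
    severity = {"bridge": 0, "unnecessary": 1}
    findings = [(classify(f), f) for f in flows]
    findings = [(v, f) for v, f in findings if v != "ok"]
    findings.sort(key=lambda vf: severity[vf[0]])  # stable sort keeps input order within a class
    return findings


# Constructed observed flows, e.g. from a firewall log export.
SAMPLE_FLOWS = [
    Flow("hr-laptop-17", "web-proxy", 3128),   # approved
    Flow("hr-laptop-17", "historian", 445),    # office -> scada, not approved: bridge
    Flow("mail-gw", "web-proxy", 22),          # dmz -> dmz, not approved: unnecessary
    Flow("plc-01", "203.0.113.5", 443),        # scada -> unknown host: bridge
]

if __name__ == "__main__":
    for verdict, flow in audit(SAMPLE_FLOWS):
        print(f"{verdict:12} {flow.src} -> {flow.dst}:{flow.port} "
              f"({zone_of(flow.src)} -> {zone_of(flow.dst)})")
```

Bridges come first because a single unapproved path between levels undoes the zoning; the same-level findings are the noise that a "necessary communications only" policy is meant to remove over time.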

2. Don't overestimate the role of technology. The human factor still accounts for 99.5% of success (or failure).

  • Build a strong security culture in your organization. Make people believe the threat exists; without that, no other measure is effective.
  • Invest in training and professional development, so your people possess state-of-the-art knowledge.
  • One may see it as unfriendly, but the zero-trust concept works today. Too many interconnections create a much broader attack surface, which we should limit by any means.

3. Apply technology smartly.

  • Logging and intrusion detection systems are a must. Automated prevention systems are not always applicable.
  • Make a VPN mandatory for any remote work. This has become the new normal, especially in the COVID-19 era.

Conclusion

Even though APTs are a very sophisticated threat to any critical infrastructure facility's information systems and essential services, and therefore to human well-being, there are still methods that can help detect and react to APT attacks in time.

We have just learned one framework for catching malicious actors before they strike somebody's business and our calm lives. Of course, there are other commercially available methodologies and services from companies that deal with such activities as their daily business.

I would be happy to continue this series of articles and shed more light on the hidden life of state-sponsored actors and their techniques and tactics. I also touched on many adjacent areas connected to the military and politics. I see sense in going deeper there too.

If you would like me to get my hands on any specific topic, please let me know in the comments below.

Stay tuned and watch around!

Editor-in-Chief
Dmytro Cherkashyn
Being a passionate security expert from Ukraine, Dmytro has passed through various security domains over the last 12 years, starting with the physical security of nuclear facilities and arriving at operational technology cybersecurity for critical infrastructure in Germany.
