TT Malware Log

A personal research, study and reference log on malware, cyberattacks and analysis techniques

APT29 / CozyDuke (Summary)

【Dictionary】

◆APT 29 (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29


【Overview】

APT28: Main Intelligence Directorate of the General Staff of the Russian Armed Forces (GRU)
APT29/CozyDuke: Federal Security Service of the Russian Federation (FSB)
  • Vendors that have confirmed the group
    1. Crowdstrike
    2. Fireeye
    3. Fidelis
  • Malware used
    • OnionDuke


【News】

◆The CozyDuke APT (Kaspersky(Securelist), 2015/04/21)
https://securelist.com/the-cozyduke-apt/69731/
https://malware-log.hatenablog.com/entry/2015/04/21/000000_2

◆No monkeys for CozyDuke (Kaspersky, 2015/04/28)
https://www.kaspersky.com/blog/no-monkeys-for-cozyduke/8543/
https://malware-log.hatenablog.com/entry/2015/04/28/000000_1

◆F-Secure points to a link between CozyDuke and espionage against high-profile targets (PR Times, 2015/05/12 08:30)
http://prtimes.jp/main/html/rd/p/000000243.000001340.html
https://malware-log.hatenablog.com/entry/2015/05/12/000000_2

◆Cyberattack "CozyDuke" targets government agencies - possibly linked to "MiniDuke" (Security NEXT, 2015/05/14)
http://www.security-next.com/058391
https://malware-log.hatenablog.com/entry/2015/05/14/000000

◆Guccifer 2.0 leaks docs on 11K donors, tries to draw attention back to DNC hacks (SC Magazine, 2016/07/15)
https://www.scmagazine.com/guccifer-20-leaks-docs-on-11k-donors-tries-to-draw-attention-back-to-dnc-hacks/article/527898/
https://malware-log.hatenablog.com/entry/2016/07/15/000000_2

◆Trump's Russian interests and Guccifer 2.0 (SC Magazine, 2016/07/26)
https://www.scmagazine.com/trumps-russian-interests-and-guccifer-20/article/529908/
https://malware-log.hatenablog.com/entry/2016/07/26/000000_2

◆To install a pliable Trump as president? The shadow of the Russian government behind the Democratic Party email leak (NewSphere, 2016/07/28)
https://newsphere.jp/world-report/20160728-2/
https://malware-log.hatenablog.com/entry/2016/07/28/000000

◆Russian ‘Dukes’ of Hackers Pounce on Trump Win (Krebs on Security, 2016/11/16)
https://krebsonsecurity.com/tag/apt29/
https://malware-log.hatenablog.com/entry/2016/11/16/000000_2

◆Russia's cyberattack on the United States, "Grizzly Steppe" (AFP BB NEWS, 2016/12/30 12:39)
http://www.afpbb.com/articles/-/3112801
https://malware-log.hatenablog.com/entry/2016/12/30/000000_1

◆APT29 Domain Fronting With TOR (FireEye, 2017/03/27)
https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
https://malware-log.hatenablog.com/entry/2017/03/29/000000_5

◆Dutch intelligence agency "witnessed" Russian hacking of the US Democratic Party through security cameras (AFP BB NEWS, 2018/01/27 13:12)
http://www.afpbb.com/articles/-/3160177?cx_position=1
https://malware-log.hatenablog.com/entry/2018/01/27/000000_9

◆Dissecting Cozy Bear’s malicious LNK file (CyberForensicator, 2018/12/23)
http://cyberforensicator.com/2018/12/23/dissecting-cozy-bears-malicious-lnk-file/
https://malware-log.hatenablog.com/entry/2018/12/23/000000_2

◆Russian hacker group active for more than a decade resurfaces after two years (MIT Technology Review, 2019/11/18)
https://www.technologyreview.jp/s/168417/kremlin-hackers-are-back-in-the-spotlight-after-2016-election-breach/
https://malware-log.hatenablog.com/entry/2019/11/18/000000_<<

◆How McAfee MVISION EDR performs against the hacker group "APT29" (ASCII.jp, 2020/05/21 17:00)
https://ascii.jp/elem/000/004/013/4013804/
https://malware-log.hatenablog.com/entry/2020/05/21/000000_4

【Commentary Articles】

◆Lone hacker reportedly takes credit for DNC intrusions, releases opposition files on Trump (SC Magazine, 2016/06/16)
https://www.scmagazine.com/guccifer-20-claims-responsibility-for-dnc-hack-releases-reported-trump-opposition-files/article/529443/
https://malware-log.hatenablog.com/entry/2016/06/16/000000_2

◆Clinton Foundation possibly breached by Russian hackers who targeted DNC (SC Magazine, 2016/06/22)
https://www.scmagazine.com/clinton-foundation-possibly-breached-by-russian-hackers-who-targeted-dnc/article/529584/
https://malware-log.hatenablog.com/entry/2016/06/22/000000_3

◆Trump's Russian interests and Guccifer 2.0 (SC Magazine, 2016/07/26)
https://www.scmagazine.com/trumps-russian-interests-and-guccifer-20/article/529908/
https://malware-log.hatenablog.com/entry/2016/07/26/000000_2


【Blogs】

◆Don't underestimate CozyDuke (Kaspersky, 2015/05/14)
https://blog.kaspersky.co.jp/no-monkeys-for-cozyduke/7488/
https://malware-log.hatenablog.com/entry/2015/05/14/000000_3

◆"Forkmeiamfamous": the Duke group's latest attack, Seaduke, appears (Symantec, 2015/07/15)
https://www.symantec.com/connect/nl/blogs/forkmeiamfamous-duke-seaduke?page=1
https://malware-log.hatenablog.com/entry/2015/07/15/000000_1


【Materials】

◆No Easy Breach DerbyCon 2016 (FireEye, 2016/09/27)
https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016
https://malware-log.hatenablog.com/entry/2016/09/27/000000_1


【Related Information】

◆COZYDUKE (F-Secure)
https://www.f-secure.com/documents/996508/1030745/CozyDuke


【IoC Information】

◆APT29
https://ioc.hatenablog.com/entry/2015/05/12/000000


【Figures】

(Figure: image not reproduced here)
Source: https://www.symantec.com/connect/nl/blogs/forkmeiamfamous-duke-seaduke?page=1

(Figure: image not reproduced here)
TOR backdoor (just because it's cool)
Source: https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016


【Related Summary Articles】

Overall summary
 ◆Attack groups / Actor (Summary)

◆Targeted attack groups / APT (Summary)
https://malware-log.hatenablog.com/entry/APT


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2020