Threat actors (including APT28, APT29, Sandworm, and Gamaredon) use a range of living-off-the-land binaries, DLL side‑loading, scheduled task and autorun persistence, credential dumping (Mimikatz, LSASS access), lateral tools (PsExec, Impacket), and cloud/file-host exfiltration to conduct reconnaissance, lateral movement, and C2. Detection recommendations include targeted hunting alerts and queries (for masqueraded XML scheduled tasks, autorun key modifications, unsigned DLL loads, PowerShell/web requests, OAuth abuse in Microsoft 365, and more) plus broader controls like EDR/NDR, defense-in-depth, patching, and logging. #APT28 #APT29
Keypoints
- Multiple state‑linked groups (APT28, APT29, Sandworm, Gamaredon) reuse native Windows utilities and living‑off‑the‑land binaries (mshta, regsvr32, rundll32, certutil, powershell) for delivery, execution, and persistence.
- Persistence techniques include scheduled tasks created via masqueraded XML files and autorun/startup entries; alerts like Suspicious Scheduled Task Creation via Masqueraded XML File and Autorun Keys Modification Detected are recommended for detection.
- DLL side‑loading and unsigned DLL loads are used to execute WINELOADER and other payloads; hunt rules target unsigned DLLs loaded by utilities (regsvr32, rundll32, regasm, installutil) and DLLs loaded from writable or uncommon directories.
- Credential access is performed via Mimikatz command lines and LSASS memory access; alerts include Mimikatz Command Line Detected and LSASS Memory Dump Detected to identify dumping and memory access attempts.
- Discovery and lateral movement use native utilities and tools: Windows enumeration binaries (whoami, net, ipconfig), SMB/network share access, PsExec and Impacket PsExec patterns (temporary services, service/binary name-length regex), and named‑pipe indicators.
- Command and control and exfiltration abuse public file hosts and APIs (Dropbox, Mega, Telegram API, Pastebin); hunting rules detect outbound connections and large sent_datasize to such hosts.
- APT29 targets Microsoft 365/Azure via OAuth/app consent, device code auth, and disabling audit logs (Purview/Unified Audit); alerts for Entra ID consent/permission events, device code auth, and audit disabling are advised.
MITRE Techniques
- [T1053] Scheduled Task/Job – Threat actor created scheduled tasks using masqueraded XML files to persist; detection uses “Suspicious Scheduled Task Creation via Masqueraded XML File” alert (quoted context: ‘created scheduled tasks using masqueraded XML files’).
- [T1547.001] Registry Run Keys / Startup Folder – Actors add entries to Autorun registry keys or place payloads in Startup folder for persistence; detection via “Autorun Keys Modification Detected” alert (quoted context: ‘adding entries to Autorun registry keys or placing payloads in the Startup folder’).
- [T1574.001] DLL Side‑Loading – DLL side‑loading used to load malicious DLLs (example: APT29 loaded a malicious DLL to execute WINELOADER); detection via “Unsigned DLLs loaded by Windows Utilities” and hunts for DLLs from writable/uncommon directories (quoted context: ‘APT29 leveraged this method by loading a malicious DLL to execute its WINELOADER malware’).
- [T1003.001] LSASS Memory – Processes access lsass.exe with elevated rights to harvest credentials from memory; detection via “LSASS Memory Dump Detected” alert (quoted context: ‘monitor for processes that open lsass.exe with elevated access rights’).
- [T1003.001] Credential Dumping (Mimikatz) – Use of Mimikatz for credential dumping observed in APT28, APT29, Sandworm; detection via “Mimikatz Command Line Detected” alert (quoted context: ‘Mimikatz is a widely used credential-dumping tool observed in the arsenals of APT28, APT29, and Sandworm’).
- [T1016] System Network Configuration Discovery / [T1083] File and Directory Discovery – Use of native Windows utilities (whoami, nltest, net, ipconfig, systeminfo, quser, netstat) for reconnaissance and discovery; detection via “Reconnaissance using Windows Binaries Detected” alert (quoted context: ‘leverage native Windows binaries to enumerate victim environments’).
- [T1021.510] Pass the Hash / Remote Services (PsExec) – Use of PsExec and Impacket PsExec for lateral movement, including creation of temporary services like PSEXESVC or random-name services/binaries; detection via “PsExec Tool Execution Detected” and regex hunts for 4-char service / 8-char executable patterns (quoted context: ‘APT28 and APT29 have been observed using PsExec for lateral movement’).
- [T1048] Exfiltration Over Alternative Protocol – Abuse of cloud storage and file-sharing services (Dropbox, Mega, MediaFire, Pastebin, Telegram API) for data exfiltration; detection via “Network Connection to Suspicious Server” alert and sent_datasize thresholds (quoted context: ‘abuse cloud storage and file-sharing services for stealthy data exfiltration’).
- [T1218] Signed Binary Proxy Execution (Regsvr32, Rundll32, Mshta, Certutil) – Living‑off‑the‑land binary abuse (mshta, regsvr32, rundll32, certutil, wscript, cscript, powershell) for remote code execution, download, and script execution; detection via corresponding suspicious activity alerts (quoted context: ‘abused native Windows utilities such as mshta.exe, rundll32.exe, regsvr32.exe, and certutil.exe to execute malicious code’).
- [T1550.003] Use of OAuth / Application Access Token – OAuth/application consent abuse in Microsoft 365 (APT29 weaponized OAuth, created/compromised apps, granted permissions) and device code auth to obtain tokens; detection via Entra ID consent/permission alerts and device code authentication detection (quoted context: ‘weaponized OAuth by creating or compromising OAuth applications… device-flow authentications’).
- [T1562.001] Disable or Modify Tools (Logging) – Tampering with Microsoft Purview and Unified Audit Logging to obscure activity; detection via “Microsoft Purview Audit Disabled” and “Microsoft 365 Unified Audit Logging Disabled” alerts (quoted context: ‘tampering with Microsoft 365 audit controls including disabling Purview, Advanced Auditing and Unified Audit Logging’).
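As an added example (not code from the Logpoint post), a small Python hunt over constructed System event 7045 service-installation records that applies the PsExec patterns named above: the PSEXESVC service of Sysinternals PsExec, and the Impacket psexec.py pattern of a random 4-letter service name whose binary is a random 8-letter .exe. Field names, the dataclass and all sample values are assumptions made here.

```python
import re
from dataclasses import dataclass

# Impacket's psexec.py installs a service with a random 4-letter name whose
# image is a random 8-letter .exe dropped on an admin share; Sysinternals
# PsExec installs PSEXESVC. Both appear as System event 7045 (service installed).
SERVICE_NAME_RE = re.compile(r"^[A-Za-z]{4}$")
IMAGE_NAME_RE = re.compile(r"^[A-Za-z]{8}\.exe$", re.IGNORECASE)


@dataclass
class ServiceInstall:
    host: str
    service_name: str
    image_path: str


def classify(evt: ServiceInstall):
    """Return the matched pattern name, or None when the record looks benign."""
    image = evt.image_path.strip('"')
    image_name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    if evt.service_name.upper() == "PSEXESVC" or image_name.upper() == "PSEXESVC.EXE":
        return "sysinternals_psexec"
    # Both halves of the Impacket pattern must match; a 4-letter service name
    # alone (e.g. "abcd" launching setup.exe) would be far too noisy on its own.
    if SERVICE_NAME_RE.match(evt.service_name) and IMAGE_NAME_RE.match(image_name):
        return "impacket_psexec_pattern"
    return None


def hunt(events):
    """Return (host, service_name, pattern) for every flagged installation."""
    flagged = []
    for evt in events:
        label = classify(evt)
        if label is not None:
            flagged.append((evt.host, evt.service_name, label))
    return flagged


# Constructed sample events (not from the source post).
SAMPLE_EVENTS = [
    ServiceInstall("ws01", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ServiceInstall("ws02", "qWrT", r"%systemroot%\XkPqLmNz.exe"),
    ServiceInstall("ws02", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ServiceInstall("ws03", "abcd", r"C:\Windows\Temp\setup.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```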
Indicators of Compromise
- [Scheduled Task/File] masqueraded XML scheduled task – example: scheduled tasks created via masqueraded XML files (context: persistence via scheduled tasks).
- [Registry Keys] Autorun registry entries – example targets: HKLM/HKCU\Software\Microsoft\Windows\CurrentVersion\Run*, HKLM\…\Winlogon\Userinit* (context: Autorun Keys Modification Detected alert).
- [File Paths] Suspicious file locations – example paths: C:\Windows\Temp\*, C:\ProgramData\*, %AppData%\Local\* (context: DLLs or payloads placed in writable/uncommon directories; “and other common Temp/AppData locations”).
- [Process Binaries] Living‑off‑the‑land executables – examples: mshta.exe, regsvr32.exe, rundll32.exe, certutil.exe, powershell.exe (context: abused legitimate binaries for execution and loading DLLs).
- [Commands/Strings] Mimikatz command strings – examples: “*mimikatz*”, “*sekurlsa::*”, “*dpapi::*” (context: Mimikatz Command Line Detected alert hunting for command patterns).
- [Network Domains/URLs] Public file hosts and APIs – examples: *dl.dropboxusercontent.com*, *api.telegram.org* (context: outbound C2/exfiltration channels; detection via Network Connection to Suspicious Server).
- [Service/Binary Name Patterns] Impacket PsExec artifacts – example patterns: 4-character service names (random letters) and 8-character executable filenames (e.g., Abcd.exe, EfghIjKl.exe) (context: Impacket PsExec detection via regex).
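As an added example (not code from the Logpoint post), a Python hunt over constructed network records that flags outbound traffic to the public file hosts listed above once the summed sent_datasize per source and destination crosses a threshold, matching on host suffix in the spirit of the post's *dl.dropboxusercontent.com* wildcards. The threshold value, the record field names and the sample records are assumptions made here.

```python
from collections import defaultdict

# File hosts and APIs the post names as abused for C2/exfiltration.
# Suffix matching avoids false hits on look-alike names such as "notmega.nz".
FILE_HOST_SUFFIXES = (
    "dl.dropboxusercontent.com",
    "api.telegram.org",
    "mega.nz",
    "mediafire.com",
    "pastebin.com",
)

# Assumed threshold: the post recommends a sent_datasize threshold but does not
# give a value, so 5 MiB per (source, destination) is a constructed choice.
SENT_BYTES_THRESHOLD = 5 * 1024 * 1024


def is_file_host(hostname: str) -> bool:
    """True when hostname equals or is a subdomain of a listed file host."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in FILE_HOST_SUFFIXES)


def hunt_exfil(records, threshold: int = SENT_BYTES_THRESHOLD):
    """Sum sent_datasize per (src_ip, dest_host) for file-host destinations and
    return the pairs above the threshold as (src_ip, dest_host, bytes), largest first."""
    totals = defaultdict(int)
    for r in records:
        if is_file_host(r["dest_host"]):
            totals[(r["src_ip"], r["dest_host"].lower())] += int(r["sent_datasize"])
    flagged = [(src, dst, n) for (src, dst), n in totals.items() if n > threshold]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


# Constructed sample records (not from the source post). Two medium uploads from
# 10.0.0.5 only cross the threshold once they are summed per destination.
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.5", "dest_host": "dl.dropboxusercontent.com", "sent_datasize": 4_000_000},
    {"src_ip": "10.0.0.5", "dest_host": "DL.dropboxusercontent.com", "sent_datasize": 3_000_000},
    {"src_ip": "10.0.0.7", "dest_host": "api.telegram.org", "sent_datasize": 12_000},
    {"src_ip": "10.0.0.9", "dest_host": "www.example.com", "sent_datasize": 90_000_000},
    {"src_ip": "10.0.0.11", "dest_host": "notmega.nz", "sent_datasize": 50_000_000},
]

if __name__ == "__main__":
    for src, dst, sent in hunt_exfil(SAMPLE_RECORDS):
        print(f"{src} -> {dst}: {sent} bytes sent")
```

Lowering the threshold for api.telegram.org is worth considering in practice, since a bot-API channel can carry commands and small results well below any bulk-upload cutoff.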
Read more: https://logpoint.com/en/blog/when-geopolitics-goes-digital