{
	"id": "54af963a-5e97-4524-b425-89d9443bf7c7",
	"created_at": "2026-04-06T00:17:17.846185Z",
	"updated_at": "2026-04-10T13:12:28.759214Z",
	"deleted_at": null,
	"sha1_hash": "ea7c7f87d042d74e5d2032b750695641fef642cc",
	"title": "The layered infrastructure operated by APT29",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 144309,
	"plain_text": "The layered infrastructure operated by APT29\r\nBy Threat Detection Team, Security division of NTT\r\nPublished: 2021-10-19 · Archived: 2026-04-05 19:56:23 UTC\r\nAfter the public reporting of APT29 activity, our analysts have mapped previously\r\nunseen layers of APT29 infrastructure.\r\nAfter the public reporting of APT29 activity, our analysts have mapped previously unseen layers of APT29\r\ninfrastructure. The most recent activity included targeting email servers belonging to diplomatic entities located in\r\nSouth America and Northern Africa. APT29 is a threat actor commonly associated with a national intelligence\r\nservice and has been widely reported to conduct espionage operations.\r\nWe initiated this research after RiskIQ published their own research on command and control servers of the\r\nWellMess malware, operated by APT29. We discovered that some of the reported WellMess command and control\r\nservers (C2s) are used as layer 2 (L2) operator hosts (OH), while there’s also a layer 1 (L1) OH in contact with the\r\nvictim’s email server. The targeted email servers are running open-source webmail clients that have a history of\r\nvulnerabilities. Recent reporting by the National Cyber Security Centre (NCSC) of the UK on APT29 activity confirms that\r\nAPT29’s operating procedure includes exploiting recently disclosed software vulnerabilities (as described in Further\r\nTTPs associated with SVR cyber actors, and APT29 targets COVID-19 vaccine development).\r\nhttps://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29\r\nPage 1 of 3\n\nAs shown in Figure 1 (not reproduced in this text extraction), communication within the infrastructure is cyclical. This indicates an automated framework\r\nthat regularly communicates with, and possibly exfiltrates data from, the victim’s email servers. This behavior\r\nincludes what appears to be the actor connecting to the L2 OH over TCP/8443, anonymized through Tor,\r\nat 8 PM UTC. 
This indicates that the actor likely included a layer 3 host in the automated infrastructure setup.\r\nThe observed infrastructure setup confirms APT29’s ability to perform long-term automated operations. Such\r\ninfrastructure provides APT29 with the ability to continuously acquire sensitive data from the targeted\r\nenvironment, highlighting the espionage focus of the group.\r\nWe recommend searching for, and investigating, any traffic to or from the listed layer 1 operator hosts. In practice this means reviewing connection logs on webmail and email servers for those addresses in both directions, since the L1 hosts are the ones in direct contact with the victim’s email server.\r\nThis analysis isn’t meant to be a complete exploration of the APT29 infrastructure but is representative of our\r\nongoing analysis. The analysis performed in this report includes only a subset of the APT29-related IPs reported\r\nby RiskIQ, and the reader shouldn’t assume these conclusions hold for the entire infrastructure.\r\nHow our visibility and actions help our clients\r\nOur Threat Intelligence researchers monitor telemetry of suspicious traffic traversing our Global IP Network\r\nService global Tier-1 IPv4/IPv6 backbone network for threat indicators. Correlating such findings with the\r\ninsights of our global Threat Detection (TD) and Managed Detection and Response (MDR) services enables a\r\ntruly unique perspective of the evolving cybersecurity threat landscape.\r\nhttps://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29\r\nPage 2 of 3\n\nResearch findings on threat actors and campaigns, such as APT29, are continuously being fed from our Threat\r\nIntelligence analysts back into our services as machine learning capabilities, behavior models, indicators of\r\ncompromise and threat intelligence. 
This process enhances the service’s ability to efficiently monitor, detect,\r\ntriage and respond to these threats on behalf of our clients, often before an initial compromise has occurred.\r\nIndicators of compromise\r\nIndicators of compromise where the L1 OH is sending traffic to the L2 OH on the same row:\r\n[The indicator table (L1 OH → L2 OH address pairs) did not survive text extraction and is not present in this record; consult the original article or the archived PDF for the addresses. Given the 2021 publication date, validate that the addresses are still attributable to this infrastructure before deploying them as blocking or alerting rules.]\r\nSource: https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29\r\nhttps://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29"
	],
	"report_names": [
		"the-layered-infrastructure-operated-by-apt29"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea7c7f87d042d74e5d2032b750695641fef642cc.pdf",
		"text": "https://archive.orkl.eu/ea7c7f87d042d74e5d2032b750695641fef642cc.txt",
		"img": "https://archive.orkl.eu/ea7c7f87d042d74e5d2032b750695641fef642cc.jpg"
	}
}