FireEye researchers, analysts and incident responders frequently share information and engage with the security community on Twitter and other social media platforms. Sometimes this information adds so much to ongoing discussions that we feel it is important to share on our blogs.

Recently, we detected intrusion attempts against multiple industries as part of a phishing campaign that we suspect is being carried out by APT29. Following the release of our blog post, one of the authors and the head skeptic, Andrew Thompson (@QW5kcmV3), took to Twitter to discuss various attribution possibilities that were considered along the way, as well as some of the challenges that come with attribution.

As promised, I'm going to share some of the hypotheses we considered. It would be challenging to capture all of the many hypotheses discussed, to include a U.S. government threat emulation, which was quickly ruled out due to the illegal compromise of third parties. Here we go. https://t.co/5kqyzQQeTY

— Andrew (@QW5kcmV3) November 19, 2018

H1. APT29 conducted the phishing campaign. They intentionally used the same virtual machine or builder to create the weaponized LNK as they did in 2016 with the intent of causing doubt and dissent within the security community. 1/X

— Andrew (@QW5kcmV3) November 19, 2018

The nation-state suspected to be associated with APT29 has a long history of leveraging deception, which at times includes revealing actual truth in such a way as to cause doubt amongst analysts. 2/X

— Andrew (@QW5kcmV3) November 19, 2018

The primary evidence to support the intentional flagrant operations security violation consisted of our collective experience responding to APT29 activity, the assumption that APT29 is sophisticated enough to understand metadata... 3/X

— Andrew (@QW5kcmV3) November 19, 2018

and the historical body of knowledge regarding the suspected nation-state's use of these types of techniques in other types of operations. 4/X

— Andrew (@QW5kcmV3) November 19, 2018

Furthermore, we can see how effective this ploy was initially, and we can certainly anticipate there will continue to be researchers alleging a False Flag deception operation has been conducted. 5/X

— Andrew (@QW5kcmV3) November 19, 2018

While we considered all reasonable hypotheses, we could not support a False Flag hypothesis with more than the re-use of the LNK. We also determined there were certain overlaps that are not publicly known, that would require additional insight into previous APT29 intrusions. 6/X

— Andrew (@QW5kcmV3) November 19, 2018

At this time, we assessed this would require more effort than is warranted to conduct deniable operations in this environment. This concludes my summary of my leading hypothesis. Additional hypotheses considered follow. 7/7

— Andrew (@QW5kcmV3) November 19, 2018

H2. APT29 conducted the phishing campaign. They used the same virtual machine without regard for OPSEC consequences. An assumed to be sophisticated actor with a long history of advanced tradecraft made a mistake. They possibly did not feel the risk warranted due diligence. 1/X

— Andrew (@QW5kcmV3) November 19, 2018

The actor did take enough measures to defeat some security measures, and they certainly used custom configurations to prevent default detection. This is well discussed in the blog. This indicates they cared---enough, as long as they found some success. 2/X

— Andrew (@QW5kcmV3) November 19, 2018

Given APT29's history of transitioning from the implant they use during initial compromise, it is reasonable to believe they could lull us to sleep by allowing us to quickly catch some of their early phase activities knowing they only need minutes on a box to transition. 3/X

— Andrew (@QW5kcmV3) November 19, 2018

After initial detection, we launched a Community Protection Event (CPE) and put serious resources behind getting after the problem. We felt great. You probably saw some of our celebratory tweets. It was too easy. Why was it too easy? This was the leading question throughout. 4/4

— Andrew (@QW5kcmV3) November 19, 2018

This concludes my thoughts about Hypothesis 2. Hypothesis 3 follows.

— Andrew (@QW5kcmV3) November 19, 2018

H3. A presently unidentified threat actor projected to be APT29. An actor could feasibly conduct an attack emulating APT29. It is technically feasible. We demonstrated how it could be done. 1/X

— Andrew (@QW5kcmV3) November 19, 2018

However, even though it is technically possible, we determined other non-technical operational aspects of the campaign led us away from this hypothesis fairly quickly. 2/X

— Andrew (@QW5kcmV3) November 19, 2018

An actor could mimic all publicly known aspects of previous APT29 activity, but what was notable is their display of non-publicly known aspects of past intrusions. It is true that an actor with an espionage capability, could learn this information. 3/X

— Andrew (@QW5kcmV3) November 19, 2018

However, we had no evidence to support the idea that an actor stole intrusion data in order to project as APT29. False-flag dominates the deception discussion in this space. What was less discussed are more common forms of deception that are actually employed by these actors. 4/4

— Andrew (@QW5kcmV3) November 19, 2018

Some forms of deception we considered but were unable to conclude due to our understanding that we only have a slice of the visibility into the entirety of the operation are below.

— Andrew (@QW5kcmV3) November 19, 2018

Depending on what we learn about the entire scope of the phishing campaign, beyond our customers, we may be able to detect the masking of targets. This is a technique employed by the nation-state suspected to be associated with APT29.

— Andrew (@QW5kcmV3) November 19, 2018

We explored the possibility that some of the links delivered may have been something other than Cobalt Strike. We know benign zips were delivered to researchers using improper HTTP headers. There were seemingly unique URLs for each 'target,' so it is possible. We didn't see it.

— Andrew (@QW5kcmV3) November 19, 2018

We generally accepted Cobalt Strike, no matter how custom, would not enable an actor long term access to a target environment. This was of little concern to us, given our understanding, specifically @matthewdunwoody's in the trenches experience watching APT29 transition implants.

— Andrew (@QW5kcmV3) November 19, 2018

Attribution is hard, especially when we're faced with so many things that contradict our perceptions. We expect APT29 to be...different. Who is to say they didn't just execute a sophisticated operation? They very well did, and we only know what we were shown.

— Andrew (@QW5kcmV3) November 19, 2018

One thing I can say with certainty, our early detection was a significant advantage. I do not know if they anticipated how fast 'we' would be able to detect their modified Pandora C2 profile. Fast detection and response, and a solid operational timeline made the difference.

— Andrew (@QW5kcmV3) November 19, 2018

The Cobalt Strike server was established approximately 30 days prior to the first identified emails being sent. That was interesting for me, as I'm used to groups, like APT34, executing against a target within five days of infrastructure establishment. This helps tell the story.

— Andrew (@QW5kcmV3) November 19, 2018

We were not the first ones to go live with a blog with regards to this activity. We were comfortable operating with the understanding that it was probably APT29, and frankly, if it is not---consider they should be mimicking APT29 enough that our playbook should be useful.

— Andrew (@QW5kcmV3) November 19, 2018

I mentioned we have an obligation to our customers first, and I believe that. Attribution can take a long time to do right. We're not even slapping the table on definitive attribution as of today. However, we assembled a team of experts to aggressively get after the intrusion.

— Andrew (@QW5kcmV3) November 19, 2018