Introduction

Throughout this walkthrough, we will focus our investigation on APT29, one of the most sophisticated and persistent threat actors in the cyber threat landscape. Also known by numerous aliases including Cozy Bear, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, and UNC2452, APT29 is widely attributed to Russia's Foreign Intelligence Service (SVR). This threat actor has been responsible for numerous high-profile cyber espionage operations targeting government agencies, diplomatic institutions, think tanks, and critical infrastructure organizations worldwide. Their operations are characterized by advanced tradecraft, innovative techniques, and a persistent focus on intelligence collection aligned with Russian strategic interests.

This lab will guide learners through the practical application of OpenCTI for threat intelligence analysis, demonstrating how to navigate the platform's interface, search for threat actor information, explore associated campaigns and malware, map adversary behavior to the MITRE ATT&CK framework, and investigate indicators of compromise. We will examine APT29's major campaigns, including the SolarWinds Compromise and Operation Ghost, analyze tools in their arsenal such as meek (a Tor pluggable transport used to disguise command-and-control traffic), and investigate the phishing infrastructure used in diplomatic-themed lure campaigns targeting European governments. By the end of this lab, participants will have developed foundational skills in using threat intelligence platforms to research adversaries, understand attack patterns, and extract actionable intelligence for defensive operations.
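The same investigation the lab performs by clicking through OpenCTI can be run over a STIX 2.1 bundle, which is the format OpenCTI imports and exports. The following is an added example, not code from this lab or from the OpenCTI project: it resolves an intrusion set by name or alias, follows `attributed-to`, `uses` and `indicates` relationships to campaigns, tools and attack patterns, reads ATT&CK technique IDs from `external_references`, and pulls observables out of STIX comparison patterns. The bundle, its object IDs, the domain, URL and hash are constructed for illustration; only the APT29 aliases and the technique ID T1566.002 (Spearphishing Link) are real.

```python
"""Walk a STIX 2.1 bundle the way the OpenCTI lab walks the UI.
Added example; not code from the lab or from OpenCTI."""
import json
import re


def _sid(stix_type, n):
    """Placeholder STIX id (constructed; real OpenCTI ids use random UUIDs)."""
    return f"{stix_type}--2d1c7e0e-1b4e-4c0a-9b9d-{n:012x}"


ACTOR, CAMPAIGN, TOOL, TECHNIQUE = (_sid("intrusion-set", 1), _sid("campaign", 2),
                                    _sid("tool", 3), _sid("attack-pattern", 4))
IND1, IND2 = _sid("indicator", 5), _sid("indicator", 6)

# Constructed sample bundle: domain, URL and hash are invented placeholders.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": _sid("bundle", 0),
    "objects": [
        {"type": "intrusion-set", "id": ACTOR, "name": "APT29",
         "aliases": ["Cozy Bear", "NOBELIUM", "UNC2452"]},
        {"type": "campaign", "id": CAMPAIGN, "name": "SolarWinds Compromise"},
        {"type": "tool", "id": TOOL, "name": "meek"},
        {"type": "attack-pattern", "id": TECHNIQUE, "name": "Spearphishing Link",
         "external_references": [{"source_name": "mitre-attack",
                                  "external_id": "T1566.002"}]},
        {"type": "indicator", "id": IND1, "pattern_type": "stix",
         "pattern": "[domain-name:value = 'lure.example.invalid']"},
        {"type": "indicator", "id": IND2, "pattern_type": "stix",
         "pattern": "[url:value = 'https://lure.example.invalid/invite.pdf'] "
                    "OR [file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "relationship", "id": _sid("relationship", 7), "relationship_type":
         "attributed-to", "source_ref": CAMPAIGN, "target_ref": ACTOR},
        {"type": "relationship", "id": _sid("relationship", 8), "relationship_type":
         "uses", "source_ref": ACTOR, "target_ref": TOOL},
        {"type": "relationship", "id": _sid("relationship", 9), "relationship_type":
         "uses", "source_ref": ACTOR, "target_ref": TECHNIQUE},
        {"type": "relationship", "id": _sid("relationship", 10), "relationship_type":
         "indicates", "source_ref": IND1, "target_ref": ACTOR},
        {"type": "relationship", "id": _sid("relationship", 11), "relationship_type":
         "indicates", "source_ref": IND2, "target_ref": CAMPAIGN},
    ],
}

# One equality comparison inside a STIX pattern: type:property = 'value'.
STIX_EQ = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def find_intrusion_set(bundle, name):
    """Match an intrusion-set by name or any alias, case-insensitively."""
    wanted = name.casefold()
    for obj in bundle["objects"]:
        if obj["type"] == "intrusion-set":
            names = [obj.get("name", "")] + obj.get("aliases", [])
            if any(n.casefold() == wanted for n in names):
                return obj
    return None


def neighbours(bundle, obj_id, rel_type, direction="out"):
    """Objects linked to obj_id by relationships of rel_type.
    Dangling refs (common in partial exports) are skipped, not raised."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    found = []
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != rel_type:
            continue
        if direction == "out" and rel["source_ref"] == obj_id:
            other = by_id.get(rel["target_ref"])
        elif direction == "in" and rel["target_ref"] == obj_id:
            other = by_id.get(rel["source_ref"])
        else:
            continue
        if other is not None:
            found.append(other)
    return found


def technique_ids(attack_pattern):
    """ATT&CK IDs carried in the attack-pattern's mitre-attack references."""
    return sorted(r["external_id"] for r in attack_pattern.get("external_references", [])
                  if r.get("source_name") == "mitre-attack" and "external_id" in r)


def observables_from_pattern(pattern):
    """(type, property, value) triples from equality comparisons in a STIX
    pattern joined by AND/OR; other operators (LIKE, MATCHES) are ignored."""
    return [(t, p.replace("'", ""), v) for t, p, v in STIX_EQ.findall(pattern)]


def profile_actor(bundle, name):
    """Campaigns, tools, techniques and IoCs reachable from one intrusion set."""
    actor = find_intrusion_set(bundle, name)
    if actor is None:
        raise LookupError(f"no intrusion set matching {name!r}")
    campaigns = neighbours(bundle, actor["id"], "attributed-to", direction="in")
    used = neighbours(bundle, actor["id"], "uses")
    iocs = set()
    # Indicators may point at the actor directly or at one of its campaigns.
    for target in [actor] + campaigns:
        for ind in neighbours(bundle, target["id"], "indicates", direction="in"):
            if ind.get("pattern_type", "stix") == "stix":
                iocs.update(observables_from_pattern(ind["pattern"]))
    return {"name": actor["name"], "aliases": actor.get("aliases", []),
            "campaigns": sorted(c["name"] for c in campaigns),
            "tools": sorted(o["name"] for o in used if o["type"] in ("tool", "malware")),
            "techniques": sorted({t for o in used if o["type"] == "attack-pattern"
                                  for t in technique_ids(o)}),
            "iocs": sorted(iocs)}


if __name__ == "__main__":
    print(json.dumps(profile_actor(SAMPLE_BUNDLE, "Cozy Bear"), indent=2))
```

Alias lookup matters in practice: the same actor is filed under several vendor names, and OpenCTI keeps them in the `aliases` field exactly as this walk expects. The relationship walk follows `indicates` into campaigns as well as the actor itself, because indicators in a real feed are more often attached to a campaign or a piece of malware than to the intrusion set.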

 
