Mandiant

Dan Black

BEATDROP: Spy, Burn, Rebuild, Repeat

The Russian government’s Foreign Intelligence Agency (SVR) is responsible for conducting nation-state espionage against diplomatic entities globally. In the lead-up to Ukraine’s pivotal counteroffensive, Mandiant observed APT29 substantially increase its targeting of foreign embassies in Ukraine, with new campaigns now being identified on a weekly basis alongside its typical targeting of other diplomatic entities in Europe and further afield.

Coupled with this shift in targeting, we also observed a major shift in APT29’s tooling and tradecraft. This shift in tooling has produced major innovations in the delivery chain as well as new bespoke malware families responsible for persistence, data collection and subsequent malware delivery.

This presentation discusses the new APT29 waves Mandiant identified in 2023, examining the technical details of the capability and the defensive changes APT29 made to remain undetected by the threat intelligence community.

Dan Black is a Principal Analyst on the Cyber Espionage team at Google’s Mandiant, where he specializes in analysis of Russia’s cyber program and the broader dynamics of competition and conflict in cyberspace. Dan was previously the Deputy Head and Principal Analyst in NATO’s Cyber Threat Analysis Branch. He is also a Millennium Fellow with the Atlantic Council. Dan holds master’s degrees in international relations from Harvard University and in forensic anthropology from the University of Toronto.
