Mandiant

Luke Jenkins

BEATDROP: Spy, Burn, Rebuild, Repeat

The Foreign Intelligence Agency (SVR) is responsible for conducting nation state espionage against diplomatic entities globally. In the lead up to Ukraine’s pivotal counteroffensive, Mandiant has observed APT29 substantially increase its targeting of foreign embassies in Ukraine, with new campaigns now being identified on a weekly basis alongside its typical targeting of other diplomatic entities in Europe and further afield.

Coupled with this shift in targeting, we have also seen a major shift in APT29's tooling and tradecraft. This shift in tooling has produced major innovations in the delivery chain, as well as new bespoke malware families responsible for persistence, data collection and subsequent malware delivery.

This talk discusses the new APT29 waves Mandiant identified in 2023, examining the technical details of the capability and the defensive changes APT29 made to remain undetected by the threat intelligence community.

Luke Jenkins is a Technical Principal Analyst on the Cyber Espionage team at Mandiant, now part of Google Cloud. He has worked as a reverse engineer for around 8 years, specializing in the analysis of Windows malware.
Since early January 2022, Luke has been closely monitoring Russia-backed threat groups targeting Ukraine, with a specific focus on disruptive malware.
