APT28 hackers deploy customized variant of Covenant open-source tool
Summary
The Russian state-sponsored APT28 threat group has been observed deploying a customized version of the open-source Covenant post-exploitation framework. This custom variant is being used for prolonged espionage activities, indicating a sophisticated and persistent approach by the attackers.
IFF Assessment
FOE
The use of a sophisticated, customized tool by a known advanced persistent threat group for espionage poses a significant risk to defenders.
Defender Context
Defenders should be aware of APT28's evolving tactics, specifically their adoption and customization of open-source tools like Covenant. Monitoring for unusual network activity and endpoint behaviors associated with post-exploitation frameworks is crucial for early detection and mitigation.
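One concrete way to act on the monitoring advice above is to look for the regular check-in timing that post-exploitation frameworks such as Covenant produce when an implant polls its command-and-control server on a fixed sleep interval. The script below is an added example written for this digest; it is not code from the article, from APT28's tooling, or from the Covenant project. It parses a handful of constructed web-proxy log lines (the hosts, addresses and paths are made up; the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation networks) and flags any source/destination pair whose request intervals are both frequent and unusually regular, measured by the coefficient of variation of the gaps between requests.

```python
"""Beacon-interval detector over constructed web-proxy log lines.

Implants of post-exploitation frameworks usually poll their C2 server on a
fixed sleep interval with a little jitter, so one internal host talking to
one external destination at near-constant spacing stands out against normal
browsing, whose timing is bursty. This added example flags such pairs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Format per line:
# "<ISO timestamp> <source host> <destination host> <request path>"
# 10.0.0.5 checks in with 203.0.113.10 roughly every 60 seconds;
# 10.0.0.7 browses 198.51.100.20 at irregular, human-like times.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.10 /api/status
2024-01-01T10:00:05 10.0.0.7 198.51.100.20 /index.html
2024-01-01T10:00:06 10.0.0.7 198.51.100.20 /style.css
2024-01-01T10:00:09 10.0.0.7 198.51.100.20 /news.html
2024-01-01T10:01:02 10.0.0.5 203.0.113.10 /api/status
2024-01-01T10:02:01 10.0.0.5 203.0.113.10 /api/status
2024-01-01T10:02:59 10.0.0.5 203.0.113.10 /api/status
2024-01-01T10:03:40 10.0.0.7 198.51.100.20 /about.html
2024-01-01T10:03:41 10.0.0.7 198.51.100.20 /logo.png
2024-01-01T10:04:00 10.0.0.5 203.0.113.10 /api/status
2024-01-01T10:05:01 10.0.0.5 203.0.113.10 /api/status
2024-01-01T10:11:00 10.0.0.7 198.51.100.20 /contact.html
"""


def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, _path = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) or None."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2:
        return None  # too few gaps to judge regularity
    avg = mean(gaps)
    if avg <= 0:
        return None  # duplicate timestamps; nothing to measure
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Flag pairs with at least min_requests whose gap CV is at most max_cv.

    max_cv is a tuning knob (assumed value): implants configured with large
    jitter push the CV up, so a noisier environment needs a looser threshold
    and a longer observation window.
    """
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        avg, cv = stats
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "requests": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['mean_interval_s']}s over {hit['requests']} "
              f"requests (cv={hit['cv']})")
```

Run against the constructed sample, only the 10.0.0.5 to 203.0.113.10 pair is reported (about 60 s spacing, six requests); the browsing host's gaps vary too widely. Timing analysis of this kind is framework-agnostic, which matters here precisely because a customized build will not match signatures written for stock Covenant; it should be paired with endpoint telemetry (process lineage, in-memory .NET assembly loads) rather than used alone.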