ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > APT 29, Cozy Bear, The Dukes

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: APT 29, Cozy Bear, The Dukes

NamesAPT 29 (Mandiant)
Cozy Bear (CrowdStrike)
The Dukes (F-Secure)
Group 100 (Talos)
Yttrium (Microsoft)
Iron Hemlock (SecureWorks)
Minidionis (Palo Alto)
CloudLook (Kaspersky)
ATK 7 (Thales)
ITG11 (IBM)
Grizzly Steppe (US Government) together with Sofacy, APT 28, Fancy Bear, Sednit
UNC2452 (FireEye)
Dark Halo (Volexity)
SolarStorm (Palo Alto)
StellarParticle (CrowdStrike)
Nobelium (Microsoft)
Iron Ritual (SecureWorks)
CountryRussia Russia
SponsorState-sponsored
MotivationInformation theft and espionage
First seen2008
Description(F-Secure) The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making.

The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.

The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations.

These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.

In addition to these large-scale campaigns, the Dukes continuously and concurrently engage in smaller, much more targeted campaigns, utilizing different toolsets. These targeted campaigns have been going on for at least 7 years. The targets and timing of these campaigns appear to align with the known foreign and security policy interests of the Russian Federation at those times.
ObservedSectors: Defense, Energy, Government, Law enforcement, Media, NGOs, Pharmaceutical, Telecommunications, Transportation, Think Tanks and Imagery.
Countries: Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chechnya, China, Cyprus, Czech, France, Georgia, Germany, Hungary, India, Ireland, Israel, Japan, Kazakhstan, Kyrgyzstan, Latvia, Lebanon, Lithuania, Luxembourg, Mexico, Montenegro, Netherlands, New Zealand, Poland, Portugal, Romania, Russia, Slovakia, Slovenia, Spain, South Korea, Turkey, Uganda, UK, Ukraine, USA, Uzbekistan, NATO.
Tools used7-Zip, AdFind, ATI-Agent, AtNow, BloodHound, CEELOADER, CloudDuke, Cobalt Strike, CosmicDuke, CozyDuke, FatDuke, FoggyWeb, GeminiDuke, GoldFinder, GoldMax, HammerDuke, LiteDuke, meek, Mimikatz, MiniDuke, OnionDuke, PinchDuke, PolyglotDuke, POSHSPY, PowerDuke, RAINDROP, RegDuke, Rubeus, SeaDuke, Sharp-SMBExec, SharpView, Sibot, SoreFang, SUNBURST, SUNSPOT, SUPERNOVA, TEARDROP, Tomiris, TrailBlazer, WellMail, WellMess, Living off the Land.
Operations performedFeb 2013Since the original announcement, we have observed several new attacks using the same exploit (CVE-2013-0640) which drop other malware. Between these, we’ve observed a couple of incidents which are so unusual in many ways that we-ve decided to analyse them in depth.
<https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/>
2013While the old style Miniduke implants were used to target mostly government victims, the new style CosmicDuke implants have a somehow different typology of victims. The most unusual is the targeting of individuals that appear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones. These victims in the NITRO project have been observed only in Russia.
<https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/>
2013Operation “Ghost”
We call these newly uncovered Dukes campaigns, collectively, Operation Ghost, and describe how the group has been busy compromising government targets, including three European Ministries of Foreign Affairs and the Washington DC embassy of a European Union country, all without drawing attention to their activities.
<https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf>
Mar 2014Operation “Office monkeys”
In March 2014, a Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Cozer) on their network. Cozy Bear then started an email campaign attempting to lure victims into clicking on a flash video of office monkeys that would also include malicious executables. By July the group had compromised government networks and directed CozyDuke-infected systems to install MiniDuke onto a compromised network.
<https://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory>
Aug 2015Attack on the Pentagon in the USA
In August 2015 Cozy Bear was linked to a spear-phishing cyberattack against the Pentagon email system causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.
<https://www.cnbc.com/2015/08/06/russia-hacks-pentagon-computers-nbc-citing-sources.html>
Jun 2016Breach of Democratic National Committee
In June 2016, Cozy Bear was implicated alongside the hacker group Sofacy, APT 28, Fancy Bear, Sednit had only been there a few weeks. Cozy Bear’s more sophisticated tradecraft and interest in traditional long-term espionage suggest that the group originates from a separate Russian intelligence agency.
<https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/>
Aug 2016Attacks on US think tanks and NGOs
After the United States presidential election, 2016, Cozy Bear was linked to a series of coordinated and well-planned spear-phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs).
<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>
Jan 2017Attacks on the Norwegian Government
On February 3, 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to spear-phish the email accounts of nine individuals in the Ministry of Defense, Ministry of Foreign Affairs, and the Labour Party. The acts were attributed to Cozy Bear, whose targets included the Norwegian Radiation Protection Authority, PST section chief Arne Christian Haugstøyl, and an unnamed college.
<https://www.usatoday.com/story/news/2017/02/03/norway-russian-hackers-hit-spy-agency-defense-labour-party/97441782/>
Feb 2017Attack on Dutch ministries
In February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands revealed that Fancy Bear and Cozy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents.
<https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/>
Sep 2017Russian hackers breached Dutch police systems in 2017
<https://therecord.media/russian-hackers-breached-dutch-police-systems-in-2017/>
Nov 2018Phishing campaign in the USA
Target: Multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting.
Method: Phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.
<https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html>
Aug 2019SolarWinds Orion Supply-chain Attack
<https://www.dropbox.com/s/yu5uwsfyo9q4oj2/Whitepaper%20SolarWinds%20Orion%20Supply-chain%20Attack.pdf?dl=0>
2020Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.
<https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf>
2020Suspected Russian Activity Targeting Government and Business Entities Around the Globe
<https://www.mandiant.com/resources/russian-targeting-gov-business>
Dec 2020DarkHalo after SolarWinds: the Tomiris connection
<https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/>
2021Operation “StellarParticle”
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
<https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/>
Feb 2021Russian cyberspies targeted the Slovak government for months
<https://therecord.media/russian-cyberspies-targeted-slovak-government-for-months/>
Feb 2021France warns of Nobelium cyberspies attacking French orgs
<https://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/>
Apr 2021FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
<https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/>
May 2021Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
<https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/>
Jun 2021New Nobelium activity
<https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/>
Mid 2021SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
<https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/>
Jun 2021Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers
<https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/>
Jul 2021Russia ‘Cozy Bear’ Breached GOP as Ransomware Attack Hit
<https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee>
Jul 2021New activity from Russian actor Nobelium
<https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/>
Jul 2021In recent months, the Dukes launched several spearphishing campaigns targeting European diplomats, think tanks and international organizations. ESET researchers identified victims in more than 12 different European countries.
<https://www.welivesecurity.com/wp-content/uploads/2021/09/eset_threat_report_t22021.pdf>
Oct 2021In October and November 2021, ESET detected additional spearphishing campaigns, again targeting European diplomatic missions and Ministries of Foreign Affairs.
<https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf>
Feb 2022Nobelium Returns to the Political World Stage
<https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage>
Counter operationsAug 2014Dutch agencies provide crucial intel about Russia’s interference in US-elections
<https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~b4f8111b/>
Jul 2018Mueller indicts 12 Russians for DNC hacking as Trump-Putin summit looms
<https://www.politico.com/story/2018/07/13/mueller-indicts-12-russians-for-hacking-into-dnc-718805>
Apr 2021Executive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation
<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>
<https://www.whitehouse.gov/briefing-room/presidential-actions/2021/04/15/executive-order-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation/>
<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/a-letter-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation/>
Jun 2021Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
<https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear>
Information<https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf>
<https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/>
<https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/>
<https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf>
<https://exchange.xforce.ibmcloud.com/threat-group/guid:6acdb86af596b31ca8d273eb5572904f>
<https://en.wikipedia.org/wiki/Cozy_Bear>
<https://us-cert.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Russian_SVR_Activities_Related_to_SolarWinds_Compromise_508C.pdf>
<https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf>
<https://www.mandiant.com/resources/unc2452-merged-into-apt29>
MITRE ATT&CK<https://attack.mitre.org/groups/G0016/>
Playbook<https://pan-unit42.github.io/playbook_viewer/?pb=cozyduke>

Last change to this card: 04 May 2022

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]