aka: Group 100, COZY BEAR, The Dukes, Minidionis, SeaDuke, YTTRIUM, IRON HEMLOCK, Grizzly Steppe, G0016, ATK7, Cloaked Ursa, TA421, Blue Kitsune, ITG11, BlueBravo
A 2015 report by F-Secure describes APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks.
It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes' toolsets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss).'
2023-07-27 ⋅ Recorded Future ⋅ Insikt Group @techreport{group:20230727:bluebravo:b456f7d,
author = {Insikt Group},
title = {{BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware}},
date = {2023-07-27},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf},
language = {English},
urldate = {2023-07-28}
}
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware GraphDrop GraphicalNeutrino QUARTERRIG |
2023-07-26 ⋅ Weixin ⋅ Anheng Threat Intelligence Center @online{center:20230726:apt29:dec5309,
author = {Anheng Threat Intelligence Center},
title = {{APT29 recently faked the German embassy and issued a malicious PDF file}},
date = {2023-07-26},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745},
language = {Chinese},
urldate = {2023-07-28}
}
APT29 recently faked the German embassy and issued a malicious PDF file BEATDROP Unidentified 107 (APT29) |
2023-06-02 ⋅ MSSP Lab ⋅ cocomelonc @online{cocomelonc:20230602:malware:6b0c57b,
author = {cocomelonc},
title = {{Malware analysis report: SNOWYAMBER (+APT29 related malwares)}},
date = {2023-06-02},
organization = {MSSP Lab},
url = {https://mssplab.github.io/threat-hunting/2023/06/02/malware-analysis-apt29.html},
language = {English},
urldate = {2023-06-05}
}
Malware analysis report: SNOWYAMBER (+APT29 related malwares) GraphicalNeutrino |
2023-04-13 ⋅ GOV.PL ⋅ Military Counterintelligence Service, CERT.PL @online{service:20230413:snowyamber:f5404f6,
author = {Military Counterintelligence Service and CERT.PL},
title = {{SNOWYAMBER - Malware Analysis Report}},
date = {2023-04-13},
organization = {GOV.PL},
url = {https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d},
language = {English},
urldate = {2023-06-01}
}
SNOWYAMBER - Malware Analysis Report GraphicalNeutrino |
2023-04-13 ⋅ GOV.PL ⋅ Military Counterintelligence Service, CERT.PL @online{service:20230413:halfrig:787dcfb,
author = {Military Counterintelligence Service and CERT.PL},
title = {{HALFRIG - Malware Analysis Report}},
date = {2023-04-13},
organization = {GOV.PL},
url = {https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb},
language = {English},
urldate = {2023-06-01}
}
HALFRIG - Malware Analysis Report HALFRIG |
2023-04-13 ⋅ CERT.PL ⋅ CERT.PL @online{certpl:20230413:cert:fbd2671,
author = {CERT.PL},
title = {{CERT Polska and SKW warn against the activities of Russian spies}},
date = {2023-04-13},
organization = {CERT.PL},
url = {https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/},
language = {Polish},
urldate = {2023-05-25}
}
CERT Polska and SKW warn against the activities of Russian spies BOOMBOX EnvyScout SUNBURST |
2023-04-13 ⋅ GOV.PL ⋅ Military Counterintelligence Service, CERT.PL @online{service:20230413:quarterrig:0435e72,
author = {Military Counterintelligence Service and CERT.PL},
title = {{QUARTERRIG - Malware Analysis Report}},
date = {2023-04-13},
organization = {GOV.PL},
url = {https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77},
language = {English},
urldate = {2023-06-01}
}
QUARTERRIG - Malware Analysis Report QUARTERRIG |
2023-03-27 ⋅ Google ⋅ Google Cybersecurity Action Team @techreport{team:20230327:threat:4aae33b,
author = {Google Cybersecurity Action Team},
title = {{Threat Horizons: April 2023 Threat Horizons Report}},
date = {2023-03-27},
institution = {Google},
url = {https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf},
language = {English},
urldate = {2023-04-22}
}
Threat Horizons: April 2023 Threat Horizons Report Gdrive APT41 |
2023-03-14 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @online{team:20230314:nobelium:f35029b,
author = {BlackBerry Research & Intelligence Team},
title = {{NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine}},
date = {2023-03-14},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine},
language = {English},
urldate = {2023-03-14}
}
NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine EnvyScout GraphicalNeutrino |
2023-03-10 ⋅ Mrtiepolo ⋅ Gianluca Tiepolo @online{tiepolo:20230310:sophisticated:2892d3e,
author = {Gianluca Tiepolo},
title = {{Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission}},
date = {2023-03-10},
organization = {Mrtiepolo},
url = {https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58},
language = {English},
urldate = {2023-03-14}
}
Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission BEATDROP EnvyScout GraphicalNeutrino tDiscoverer VaporRage |
2023-01-26 ⋅ Recorded Future ⋅ Insikt Group @techreport{group:20230126:bluebravo:9d6aa62,
author = {Insikt Group},
title = {{BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware}},
date = {2023-01-26},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf},
language = {English},
urldate = {2023-02-02}
}
BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware GraphicalNeutrino APT29 |
2022-11-30 ⋅ Qianxin Threat Intelligence Center ⋅ Red Raindrop Team @online{team:20221130:analysis:aa1ce2e,
author = {Red Raindrop Team},
title = {{Analysis of APT29's attack activities against Italy}},
date = {2022-11-30},
organization = {Qianxin Threat Intelligence Center},
url = {https://ti.qianxin.com/blog/articles/analysis-of-apt29%27s-attack-activities-against-italy/},
language = {Chinese},
urldate = {2022-12-20}
}
Analysis of APT29's attack activities against Italy Unidentified 098 (APT29 Slack Downloader) |
2022-09-21 ⋅ Check Point ⋅ Jiří Vinopal @online{vinopal:20220921:native:e68056c,
author = {Jiří Vinopal},
title = {{Native function and Assembly Code Invocation}},
date = {2022-09-21},
organization = {Check Point},
url = {https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/},
language = {English},
urldate = {2022-09-26}
}
Native function and Assembly Code Invocation MiniDuke |
2022-09-06 ⋅ INCIBE-CERT ⋅ INCIBE @techreport{incibe:20220906:estudio:20f14b0,
author = {INCIBE},
title = {{Estudio del análisis de Nobelium}},
date = {2022-09-06},
institution = {INCIBE-CERT},
url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf},
language = {Spanish},
urldate = {2022-11-22}
}
Estudio del análisis de Nobelium BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage |
2022-08-29 ⋅ Cyfirma ⋅ cyfirma @online{cyfirma:20220829:cosmicduke:9cecbd7,
author = {cyfirma},
title = {{CosmicDuke Malware Analysis Report}},
date = {2022-08-29},
organization = {Cyfirma},
url = {https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/},
language = {English},
urldate = {2022-09-20}
}
CosmicDuke Malware Analysis Report CosmicDuke |
2022-07-20 ⋅ Freebuf ⋅ Qi Anxin Threat Intelligence Center @online{center:20220720:abused:27d014d,
author = {Qi Anxin Threat Intelligence Center},
title = {{Abused Slack Service: Analysis of APT29's Attack on Italy}},
date = {2022-07-20},
organization = {Freebuf},
url = {https://www.freebuf.com/articles/paper/339618.html},
language = {English},
urldate = {2022-10-19}
}
Abused Slack Service: Analysis of APT29's Attack on Italy Unidentified 098 (APT29 Slack Downloader) |
2022-07-19 ⋅ R136a1 ⋅ Dominik Reichel @online{reichel:20220719:look:84e1e01,
author = {Dominik Reichel},
title = {{A look into APT29's new early-stage Google Drive downloader}},
date = {2022-07-19},
organization = {R136a1},
url = {https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/},
language = {English},
urldate = {2022-10-19}
}
A look into APT29's new early-stage Google Drive downloader BEATDROP BOOMBOX Gdrive Unidentified 098 (APT29 Slack Downloader) |
2022-07-19 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Peter Renals @online{harbison:20220719:russian:acbf388,
author = {Mike Harbison and Peter Renals},
title = {{Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive}},
date = {2022-07-19},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/},
language = {English},
urldate = {2022-07-19}
}
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive Cobalt Strike EnvyScout Gdrive |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:cloaked:ae3f3ab,
author = {Unit 42},
title = {{Cloaked Ursa}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/},
language = {English},
urldate = {2022-07-29}
}
Cloaked Ursa APT29 |
2022-07-08 ⋅ Cert-AgID ⋅ Cert-AgID @online{certagid:20220708:il:c02e771,
author = {Cert-AgID},
title = {{Il malware EnvyScout (APT29) è stato veicolato anche in Italia}},
date = {2022-07-08},
organization = {Cert-AgID},
url = {https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/},
language = {Italian},
urldate = {2022-10-19}
}
Il malware EnvyScout (APT29) è stato veicolato anche in Italia EnvyScout Unidentified 098 (APT29 Slack Downloader) |
2022-05-16 ⋅ Github (Dump-GUY) ⋅ Jiří Vinopal @online{vinopal:20220516:malware:f716c6a,
author = {Jiří Vinopal},
title = {{Malware Analysis Report – APT29 C2-Client Dropbox Loader}},
date = {2022-05-16},
organization = {Github (Dump-GUY)},
url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md},
language = {English},
urldate = {2022-05-25}
}
Malware Analysis Report – APT29 C2-Client Dropbox Loader Unidentified 099 (APT29 Dropbox Loader) |
2022-04-29 ⋅ Mandiant ⋅ John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby @online{wolfram:20220429:trello:c078513,
author = {John Wolfram and Sarah Hawley and Tyler McLellan and Nick Simonian and Anders Vejlby},
title = {{Trello From the Other Side: Tracking APT29 Phishing Campaigns}},
date = {2022-04-29},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns},
language = {English},
urldate = {2022-10-19}
}
Trello From the Other Side: Tracking APT29 Phishing Campaigns BEATDROP VaporRage |
2022-04-20 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20220420:malware:b20963e,
author = {cocomelonc},
title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}},
date = {2022-04-20},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html},
language = {English},
urldate = {2022-12-01}
}
Malware development: persistence - part 1. Registry run keys. C++ example. Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky |
2021-09-29 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV @online{cybermasterv:20210929:how:b7fbf82,
author = {CyberMasterV},
title = {{How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear}},
date = {2021-09-29},
organization = {CYBER GEEKS All Things Infosec},
url = {https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/},
language = {English},
urldate = {2021-10-14}
}
How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear MiniDuke |
2021-05-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC) @online{mstic:20210528:breaking:f55e372,
author = {Microsoft Threat Intelligence Center (MSTIC)},
title = {{Breaking down NOBELIUM’s latest early-stage toolset}},
date = {2021-05-28},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/},
language = {English},
urldate = {2022-05-17}
}
Breaking down NOBELIUM’s latest early-stage toolset BOOMBOX Cobalt Strike |
2020-07-14 ⋅ Telsy ⋅ Telsy @online{telsy:20200714:turla:ef6592e,
author = {Telsy},
title = {{Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene}},
date = {2020-07-14},
organization = {Telsy},
url = {https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/},
language = {English},
urldate = {2020-07-16}
}
Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene NewPass Turla |
2020-07-14 ⋅ Cyborg Security ⋅ Austin Jackson @online{jackson:20200714:python:6b03611,
author = {Austin Jackson},
title = {{PYTHON MALWARE ON THE RISE}},
date = {2020-07-14},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/},
language = {English},
urldate = {2020-12-23}
}
PYTHON MALWARE ON THE RISE Poet RAT PyLocky SEADADDY |
2020-05-18 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20200518:looking:eaa7bde,
author = {Kevin Perlow},
title = {{Looking Back at LiteDuke}},
date = {2020-05-18},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/looking-back-at-liteduke/},
language = {English},
urldate = {2020-05-18}
}
Looking Back at LiteDuke LiteDuke |
2020-05-06 ⋅ F-Secure Labs ⋅ Melissa Michael, Artturi Lehtiö @online{michael:20200506:039:49d4744,
author = {Melissa Michael and Artturi Lehtiö},
title = {{039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29}},
date = {2020-05-06},
organization = {F-Secure Labs},
url = {https://blog.f-secure.com/podcast-dukes-apt29/},
language = {English},
urldate = {2020-07-06}
}
039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29 OnionDuke |
2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight @online{knight:20200326:dukes:df85f94,
author = {Scott Knight},
title = {{The Dukes of Moscow}},
date = {2020-03-26},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/},
language = {English},
urldate = {2020-05-18}
}
The Dukes of Moscow Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center @techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019 Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:iron:59396c7,
author = {SecureWorks},
title = {{IRON HEMLOCK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock},
language = {English},
urldate = {2020-05-23}
}
IRON HEMLOCK FatDuke MiniDuke OnionDuke PolyglotDuke APT29 |
2019-10-17 ⋅ ESET Research ⋅ ESET Research @online{research:20191017:operation:812f836,
author = {ESET Research},
title = {{Operation Ghost: The Dukes aren’t back – they never left}},
date = {2019-10-17},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/},
language = {English},
urldate = {2020-01-09}
}
Operation Ghost: The Dukes aren’t back – they never left PolyglotDuke |
2019-10-17 ⋅ ESET Research ⋅ Matthieu Faou, Mathieu Tartare, Thomas Dupuy @techreport{faou:20191017:operation:b695c9b,
author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy},
title = {{OPERATION GHOST The Dukes aren’t back — they never left}},
date = {2019-10-17},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf},
language = {English},
urldate = {2020-05-18}
}
OPERATION GHOST The Dukes aren’t back — they never left FatDuke |
2019-08-12 ⋅ Kindred Security ⋅ Kindred Security @online{security:20190812:overview:0726c0a,
author = {Kindred Security},
title = {{An Overview of Public Platform C2’s}},
date = {2019-08-12},
organization = {Kindred Security},
url = {https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/},
language = {English},
urldate = {2021-07-20}
}
An Overview of Public Platform C2’s HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:dukes:3e4d497,
author = {Cyber Operations Tracker},
title = {{The Dukes}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/dukes},
language = {English},
urldate = {2019-12-20}
}
The Dukes APT29 |
2018-12-03 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team @online{team:20181203:analysis:828df29,
author = {Microsoft Defender ATP Research Team},
title = {{Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers}},
date = {2018-12-03},
organization = {Microsoft},
url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/},
language = {English},
urldate = {2020-01-09}
}
Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers APT29 |
2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe @online{joe:20181118:cozybear:4801301,
author = {Joe},
title = {{CozyBear – In from the Cold?}},
date = {2018-11-18},
organization = {Stranded on Pylos Blog},
url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/},
language = {English},
urldate = {2020-01-09}
}
CozyBear – In from the Cold? Cobalt Strike APT29 |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:apt29:27ed60c,
author = {MITRE ATT&CK},
title = {{APT29}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0016},
language = {English},
urldate = {2022-07-13}
}
APT29 APT29 |
2017-04-03 ⋅ FireEye ⋅ Matthew Dunwoody @online{dunwoody:20170403:dissecting:65071e7,
author = {Matthew Dunwoody},
title = {{Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)}},
date = {2017-04-03},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html},
language = {English},
urldate = {2019-12-20}
}
Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY) POSHSPY APT29 |
2017-02-20 ⋅ Contagio Dump ⋅ Mila Parkour @online{parkour:20170220:part:c54b5de,
author = {Mila Parkour},
title = {{Part I. Russian APT - APT28 collection of samples including OSX XAgent}},
date = {2017-02-20},
organization = {Contagio Dump},
url = {https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html},
language = {English},
urldate = {2019-11-26}
}
Part I. Russian APT - APT28 collection of samples including OSX XAgent X-Agent Komplex Coreshell Downdelph HideDRV SEADADDY Sedreco Seduploader X-Agent XTunnel |
2017-02-10 ⋅ Department of Homeland Security ⋅ National Cybersecurity, Communications Integration Center @techreport{cybersecurity:20170210:ar1720045:43c91fd,
author = {National Cybersecurity and Communications Integration Center},
title = {{AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity}},
date = {2017-02-10},
institution = {Department of Homeland Security},
url = {https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf},
language = {English},
urldate = {2019-11-05}
}
AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity APT29 |
2016-06-15 ⋅ CrowdStrike ⋅ Dmitri Alperovitch @online{alperovitch:20160615:bears:604c1d9,
author = {Dmitri Alperovitch},
title = {{Bears in the Midst: Intrusion into the Democratic National Committee}},
date = {2016-06-15},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/},
language = {English},
urldate = {2022-03-14}
}
Bears in the Midst: Intrusion into the Democratic National Committee X-Agent ATI-Agent SEADADDY Seduploader X-Agent XTunnel APT28 |
2015-09-28 ⋅ SecurityIntelligence ⋅ David Strom @online{strom:20150928:hammertoss:b643bfe,
author = {David Strom},
title = {{Hammertoss: What, Me Worry?}},
date = {2015-09-28},
organization = {SecurityIntelligence},
url = {https://securityintelligence.com/hammertoss-what-me-worry/},
language = {English},
urldate = {2021-02-10}
}
Hammertoss: What, Me Worry? tDiscoverer |
2015-09-17 ⋅ F-Secure ⋅ F-Secure Labs @online{labs:20150917:dukes:767fbef,
author = {F-Secure Labs},
title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}},
date = {2015-09-17},
organization = {F-Secure},
url = {https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/},
language = {English},
urldate = {2020-01-13}
}
The Dukes: 7 Years Of Russian Cyber-Espionage APT29 |
2015-09 ⋅ F-Secure ⋅ F-Secure Labs @techreport{labs:201509:dukes:035f864,
author = {F-Secure Labs},
title = {{The Dukes - 7 Years of Russian Cyberespionage}},
date = {2015-09},
institution = {F-Secure},
url = {https://blog.f-secure.com/wp-content/uploads/2020/03/F-Secure_Dukes_Whitepaper.pdf},
language = {English},
urldate = {2022-10-20}
}
The Dukes - 7 Years of Russian Cyberespionage PinchDuke |
2015-08-17 ⋅ F-Secure Labs ⋅ Noora Hyvärinen, F-Secure Threat Intelligence Team @techreport{hyvrinen:20150817:dukes:4a0e858,
author = {Noora Hyvärinen and F-Secure Threat Intelligence Team},
title = {{THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE}},
date = {2015-08-17},
institution = {F-Secure Labs},
url = {https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf},
language = {English},
urldate = {2022-11-15}
}
THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE COZYDUKE GeminiDuke |
2015-07-29 ⋅ Youtube (FireEye Inc.) ⋅ FireEye @online{fireeye:20150729:hammertoss:96456d6,
author = {FireEye},
title = {{HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group}},
date = {2015-07-29},
organization = {Youtube (FireEye Inc.)},
url = {https://www.youtube.com/watch?v=UE9suwyuic8},
language = {English},
urldate = {2021-02-10}
}
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group tDiscoverer |
2015-07-22 ⋅ F-Secure ⋅ Artturi Lehtiö @online{lehti:20150722:duke:8f54e8b,
author = {Artturi Lehtiö},
title = {{Duke APT group's latest tools: cloud services and Linux support}},
date = {2015-07-22},
organization = {F-Secure},
url = {https://www.f-secure.com/weblog/archives/00002822.html},
language = {English},
urldate = {2019-10-15}
}
Duke APT group's latest tools: cloud services and Linux support CloudDuke |
2015-07-13 ⋅ Symantec ⋅ A L Johnson @online{johnson:20150713:forkmeiamfamous:64957d9,
author = {A L Johnson},
title = {{“Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory}},
date = {2015-07-13},
organization = {Symantec},
url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
language = {English},
urldate = {2020-08-19}
}
“Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory SEADADDY |
2015-07 ⋅ FireEye ⋅ FireEye Threat Intelligence @techreport{intelligence:201507:hammertoss:9275999,
author = {FireEye Threat Intelligence},
title = {{HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group}},
date = {2015-07},
institution = {FireEye},
url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf},
language = {English},
urldate = {2019-10-23}
}
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group tDiscoverer APT29 |
2014-11-15 ⋅ Contagio Dump ⋅ Mila Parkour @online{parkour:20141115:onionduke:6c548c4,
author = {Mila Parkour},
title = {{OnionDuke samples}},
date = {2014-11-15},
organization = {Contagio Dump},
url = {http://contagiodump.blogspot.com/2014/11/onionduke-samples.html},
language = {English},
urldate = {2019-12-20}
}
OnionDuke samples OnionDuke |
2014-11-14 ⋅ F-Secure ⋅ F-Secure Labs @online{labs:20141114:onionduke:dc56d5c,
author = {F-Secure Labs},
title = {{OnionDuke: APT Attacks Via the Tor Network}},
date = {2014-11-14},
organization = {F-Secure},
url = {https://www.f-secure.com/weblog/archives/00002764.html},
language = {English},
urldate = {2020-01-09}
}
OnionDuke: APT Attacks Via the Tor Network OnionDuke |
2014-07-15 ⋅ Palo Alto Networks Unit 42 ⋅ Josh Grunzweig @online{grunzweig:20140715:unit:0cf98cb,
author = {Josh Grunzweig},
title = {{Unit 42 Technical Analysis: Seaduke}},
date = {2014-07-15},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/},
language = {English},
urldate = {2020-08-19}
}
Unit 42 Technical Analysis: Seaduke SEADADDY |
2014-07-03 ⋅ F-Secure ⋅ F-Secure Labs @techreport{labs:20140703:cosmicduke:dbbee08,
author = {F-Secure Labs},
title = {{COSMICDUKE: Cosmu with a twist of MiniDuke}},
date = {2014-07-03},
institution = {F-Secure},
url = {https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf},
language = {English},
urldate = {2022-09-20}
}
COSMICDUKE: Cosmu with a twist of MiniDuke CosmicDuke |
2013-05-30 ⋅ CIRCL ⋅ CIRCL @techreport{circl:20130530:analysis:e828e08,
author = {CIRCL},
title = {{Analysis of a stage 3 Miniduke sample}},
date = {2013-05-30},
institution = {CIRCL},
url = {https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf},
language = {English},
urldate = {2020-01-08}
}
Analysis of a stage 3 Miniduke sample MiniDuke |
2013-02-28 ⋅ FireEye ⋅ James T. Bennett @online{bennett:20130228:its:1534b7e,
author = {James T. Bennett},
title = {{It's a Kind of Magic}},
date = {2013-02-28},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html},
language = {English},
urldate = {2020-04-24}
}
It's a Kind of Magic MiniDuke |