SYMBOLCOMMON_NAMEaka. SYNONYMS

APT29  (Back to overview)

aka: ATK7, Blue Kitsune, BlueBravo, COZY BEAR, Cloaked Ursa, G0016, Grizzly Steppe, Group 100, IRON HEMLOCK, ITG11, Midnight Blizzard, Minidionis, NOBELIUM, SeaDuke, TA421, The Dukes, YTTRIUM

A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '


Associated Families
win.cozyduke win.gdrive win.miniduke win.seadaddy win.tdiscoverer win.srdi win.cloud_duke win.cosmicduke win.fatduke win.graphical_neutrino win.halfrig win.liteduke win.newpass win.onionduke win.pinchduke win.polyglotduke win.quarterrig win.unidentified_098 win.graphdrop win.beatdrop win.boombox win.unidentified_099 win.vapor_rage win.wineloader

References
2024-03-02Twitter (@SinghSoodeep)Sudeep Singh
Tweet on WINELOADER targeting with German embassy themed lure
WINELOADER
2024-02-27Twitter (@greglesnewich)Greg Lesnewich
Tweet with context on TA421 / APT29 / Midnight Blizzard / BlueBravo / Cozy Bear
WINELOADER
2024-02-27ZscalerRoy Tay, Sudeep Singh
European diplomats targeted by SPIKEDWINE with WINELOADER
WINELOADER
2023-12-13FortinetAmey Gat, Angelo Cris Deveraturda, Hongkei Chan, Jared Betts, Jayesh Zala, John Simmons, Ken Evans, Mark Robson
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793
GraphDrop
2023-12-13CISACISA
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
GraphDrop
2023-09-29ESET ResearchPeter Kálnai
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CLOUDBURST LightlessCan miniBlindingCan sRDI
2023-09-22MandiantDan Black, Josh Atkins, Luke Jenkins
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29)
2023-07-27Recorded FutureInsikt Group
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware
GraphDrop GraphicalNeutrino QUARTERRIG
2023-07-26WeixinAnheng Threat Intelligence Center
APT29 recently faked the German embassy and issued a malicious PDF file
BEATDROP Unidentified 107 (APT29)
2023-07-25AvertiumAvertium
EVOLUTION OF RUSSIAN APT29 – NEW ATTACKS AND TECHNIQUES UNCOVERED
GraphDrop
2023-07-12Palo Alto Networks Unit 42Unit 42
Diplomats Beware: Cloaked Ursa Phishing With a Twist
GraphDrop
2023-06-02MSSP Labcocomelonc
Malware analysis report: SNOWYAMBER (+APT29 related malwares)
GraphicalNeutrino
2023-04-13GOV.PLCERT.PL, Military Counterintelligence Service
QUARTERRIG - Malware Analysis Report
QUARTERRIG
2023-04-13CERT.PLCERT.PL
CERT Polska and SKW warn against the activities of Russian spies
BOOMBOX EnvyScout SUNBURST
2023-04-13GOV.PLCERT.PL, Military Counterintelligence Service
SNOWYAMBER - Malware Analysis Report
GraphicalNeutrino
2023-04-13GOV.PLCERT.PL, Military Counterintelligence Service
HALFRIG - Malware Analysis Report
HALFRIG
2023-03-27GoogleGoogle Cybersecurity Action Team
Threat Horizons: April 2023 Threat Horizons Report
Gdrive APT41
2023-03-14BlackberryBlackBerry Research & Intelligence Team
NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine
EnvyScout GraphicalNeutrino
2023-03-10MrtiepoloGianluca Tiepolo
Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission
BEATDROP EnvyScout GraphicalNeutrino tDiscoverer VaporRage
2023-01-26Recorded FutureInsikt Group
BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware
GraphicalNeutrino APT29
2022-11-30Qianxin Threat Intelligence CenterRed Raindrop Team
Analysis of APT29's attack activities against Italy
Unidentified 098 (APT29 Slack Downloader)
2022-09-21Check PointJiří Vinopal
Native function and Assembly Code Invocation
MiniDuke
2022-09-14MandiantJames Maclachlan, Mathew Potaczek, Matt Williams, Nino Isakovic, Yash Gupta
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
BLINDINGCAN miniBlindingCan sRDI
2022-09-06INCIBE-CERTINCIBE
Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage
2022-08-29Cyfirmacyfirma
CosmicDuke Malware Analysis Report
CosmicDuke
2022-07-20FreebufQi Anxin Threat Intelligence Center
Abused Slack Service: Analysis of APT29's Attack on Italy
Unidentified 098 (APT29 Slack Downloader)
2022-07-19Palo Alto Networks Unit 42Mike Harbison, Peter Renals
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
Cobalt Strike EnvyScout Gdrive
2022-07-19R136a1Dominik Reichel
A look into APT29's new early-stage Google Drive downloader
BEATDROP BOOMBOX Gdrive Unidentified 098 (APT29 Slack Downloader)
2022-07-18Palo Alto Networks Unit 42Unit 42
Cloaked Ursa
APT29
2022-07-08Cert-AgIDCert-AgID
Il malware EnvyScout (APT29) è stato veicolato anche in Italia
EnvyScout Unidentified 098 (APT29 Slack Downloader)
2022-06-17Github (monoxgas)Nick Landers
sRDI - Shellcode Reflective DLL Injection
sRDI
2022-05-16Github (Dump-GUY)Jiří Vinopal
Malware Analysis Report – APT29 C2-Client Dropbox Loader
Unidentified 099 (APT29 Dropbox Loader)
2022-04-29MandiantAnders Vejlby, John Wolfram, Nick Simonian, Sarah Hawley, Tyler McLellan
Trello From the Other Side: Tracking APT29 Phishing Campaigns
BEATDROP VaporRage
2022-04-20cocomelonccocomelonc
Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2021-09-29CYBER GEEKS All Things InfosecCyberMasterV
How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear
MiniDuke
2021-05-28MicrosoftMicrosoft Threat Intelligence Center (MSTIC)
Breaking down NOBELIUM’s latest early-stage toolset
BOOMBOX Cobalt Strike
2020-07-14Cyborg SecurityAustin Jackson
PYTHON MALWARE ON THE RISE
Poet RAT PyLocky SEADADDY
2020-07-14TelsyTelsy
Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene
NewPass Turla
2020-05-18One Night in NorfolkKevin Perlow
Looking Back at LiteDuke
LiteDuke
2020-05-06F-Secure LabsArtturi Lehtiö, Melissa Michael
039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29
OnionDuke
2020-03-26VMWare Carbon BlackScott Knight
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01SecureworksSecureWorks
IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29
2019-10-17ESET ResearchMathieu Tartare, Matthieu Faou, Thomas Dupuy
OPERATION GHOST The Dukes aren’t back — they never left
FatDuke
2019-10-17ESET ResearchESET Research
Operation Ghost: The Dukes aren’t back – they never left
PolyglotDuke
2019-08-12Kindred SecurityKindred Security
An Overview of Public Platform C2’s
HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT
2019-01-01Council on Foreign RelationsCyber Operations Tracker
The Dukes
APT29
2018-12-03MicrosoftMicrosoft Defender ATP Research Team
Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers
APT29
2018-11-18Stranded on Pylos BlogJoe
CozyBear – In from the Cold?
Cobalt Strike APT29
2017-05-31MITREMITRE ATT&CK
APT29
APT29
2017-04-03FireEyeMatthew Dunwoody
Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)
POSHSPY APT29
2017-02-20Contagio DumpMila Parkour
Part I. Russian APT - APT28 collection of samples including OSX XAgent
X-Agent Komplex Coreshell Downdelph HideDRV SEADADDY Sedreco Seduploader X-Agent XTunnel
2017-02-10Department of Homeland SecurityCommunications Integration Center, National Cybersecurity
AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity
APT29
2016-06-15CrowdStrikeDmitri Alperovitch
Bears in the Midst: Intrusion into the Democratic National Committee
X-Agent ATI-Agent SEADADDY Seduploader X-Agent XTunnel APT28
2015-09-28SecurityIntelligenceDavid Strom
Hammertoss: What, Me Worry?
tDiscoverer
2015-09-17F-SecureF-Secure Labs
The Dukes: 7 Years Of Russian Cyber-Espionage
APT29
2015-09-01F-SecureF-Secure Labs
The Dukes - 7 Years of Russian Cyberespionage
PinchDuke
2015-08-17F-Secure LabsF-Secure Threat Intelligence Team, Noora Hyvärinen
THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE
COZYDUKE GeminiDuke
2015-07-29Youtube (FireEye Inc.)FireEye
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group
tDiscoverer
2015-07-22F-SecureArtturi Lehtiö
Duke APT group's latest tools: cloud services and Linux support
CloudDuke
2015-07-13SymantecA L Johnson
“Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory
SEADADDY
2015-07-01FireEyeFireEye Threat Intelligence
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group
tDiscoverer APT29
2014-11-15Contagio DumpMila Parkour
OnionDuke samples
OnionDuke
2014-11-14F-SecureF-Secure Labs
OnionDuke: APT Attacks Via the Tor Network
OnionDuke
2014-07-15Palo Alto Networks Unit 42Josh Grunzweig
Unit 42 Technical Analysis: Seaduke
SEADADDY
2014-07-03F-SecureF-Secure Labs
COSMICDUKE: Cosmu with a twist of MiniDuke
CosmicDuke
2013-05-30CIRCLCIRCL
Analysis of a stage 3 Miniduke sample
MiniDuke
2013-02-28FireEyeJames T. Bennett
It's a Kind of Magic
MiniDuke

Credits: MISP Project