Threat Actor Profile

APT29

ATK7, Blue Kitsune, BlueBravo, Cloaked Ursa, COZY BEAR, CozyDuke, Dark Halo, G0016, Grizzly Steppe, Group 100, IRON HEMLOCK, IRON RITUAL, ITG11, Midnight Blizzard, Minidionis, Nobelium, NobleBaron, SeaDuke, SolarStorm, TA421, The Dukes, UAC-0029, UNC2452, UNC3524, YTTRIUM
▲ High Threat
A 2015 report by F-Secure describes APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.' This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of
Origin Russia
Sponsor Russian Federation
Motivation Espionage

Target Sectors

Government; Private sector; Think Tanks; Government, Administration

Known TTPs

Multi-Factor Authentication Request Generation
Security Account Manager
Tool
Domain Fronting
Steal Application Access Token
Dynamic Resolution
Exploitation for Privilege Escalation
Windows Management Instrumentation Event Subscription
Registry Run Keys / Startup Folder
Cloud Account
Device Registration
Digital Certificates
Data from Local System
Ingress Tool Transfer
Cloud Administration Command
Spearphishing Attachment
Cloud Accounts
Scheduled Task
Internet Connection Discovery
Malware
Web Services
Multi-hop Proxy
Boot or Logon Initialization Scripts
HTML Smuggling
File Deletion
Exploitation for Client Execution
Pass the Ticket
Malicious Link
Match Legitimate Resource Name or Location
Password Spraying
Remote Email Collection
Binary Padding
Hybrid Identity
PowerShell
External Remote Services
RC Scripts
Cloud Services
Vulnerability Scanning
Spearphishing Link
Timestomp
Cloud Accounts
External Proxy
Encrypted Channel
Windows Management Instrumentation
Password Guessing
Trusted Relationship
Spearphishing via Service
Valid Accounts
Web Shell
Python
Hide Infrastructure
Mshta
LSA Secrets
Exploit Public-Facing Application
Mark-of-the-Web Bypass
Steal or Forge Authentication Certificates
Cloud Account
Additional Email Delegate Permissions
Local Accounts
Accessibility Features
Cloud API
Email Accounts
Malicious File
Disable or Modify Cloud Log
Bypass User Account Control
Software Packing

Related Intelligence

Hacking the mainframe…
