The Dukes

Threat Actor updated 23 days ago (2024-11-29T13:57:14.368Z)
Download STIX
Preview STIX
The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in September 2015, the FBI alerted the DNC's IT director about suspicious activity linked to the Dukes. Despite repeated warnings from the FBI in October, November, and December of 2015, the Dukes continued their nefarious activities. They launched several waves of highly targeted spear-phishing attacks against U.S.-based think tanks and NGOs in August 2016. Post-election attacks launched by the Dukes on November 9 were similar to previous attacks seen in both 2015 and 2016. In addition to these activities, the Dukes have been involved in significant cybersecurity incidents. They were associated with the StellarParticle campaign, which was related to the SUNSPOT implant from the SolarWinds intrusion in December 2020. More recently, they have been involved in large-scale spear-phishing campaigns targeting over 1,000 users across more than 100 organizations for intelligence gathering. This includes an attack on TeamViewer's corporate network. Furthermore, the Dukes have targeted vulnerable Zimbra and JetBrains TeamCity servers as part of a mass scale campaign, as warned by U.S. and U.K. cyber agencies. Despite the various aliases, all these groups are considered part of the same threat cluster due to their shared tactics, techniques, and procedures (TTPs). However, some organizations, such as the French agency ANSSI, differentiate these groups into separate threat clusters. For instance, Dark Halo, another name associated with the Dukes, was responsible for the 2020 SolarWinds attack. In a recent alert, CERT-FR warned that Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, and The Dukes) has been consistently attempting to exfiltrate strategic intelligence from embassies and diplomats. The targets have included various French government departments and embassies. The activities of the Dukes underline the persistent threat posed by state-sponsored cyber espionage groups.
Description last updated: 2024-10-30T21:02:52.678Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT29 is a possible alias for The Dukes. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw
5
Midnight Blizzard is a possible alias for The Dukes. Midnight Blizzard, also known as APT29 or Cozy Bear, is a Russia-linked threat actor associated with the country's Foreign Intelligence Service (SVR). Throughout 2024, the group has been implicated in several high-profile cyber-attacks, targeting global organizations and demonstrating sophisticated
5
NOBELIUM is a possible alias for The Dukes. Nobelium, a Russia-linked Advanced Persistent Threat (APT) group also known as APT29, SVR Group, BlueBravo, Cozy Bear, Midnight Blizzard, and The Dukes, has been identified as a significant cybersecurity threat. In 2024, Nobelium targeted French diplomatic entities, posing a major concern to the int
4
Cozy Bear is a possible alias for The Dukes. Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy
4
Bluebravo is a possible alias for The Dukes. BlueBravo, a threat actor linked to the Russia-based Advanced Persistent Threat (APT) group APT29, has been identified as a significant cyber threat. Also known by various other names such as SVR Group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, this entity is suspected of conducting sev
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Implant
Phishing
Spearphishing
Malware
France
Vulnerability
WinRAR
Russia
Exploit
Blizzard
Espionage
Microsoft
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Brute Ratel Malware is associated with The Dukes. Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy the BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll under rundll32 execution. VariUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sednit Threat Actor is associated with The Dukes. Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor group associated with Russia’s military intelligence. This group has been active since at least 2007, targeting governments, militaries, and security organizations worldwide. SednUnspecified
2
The APT28 Threat Actor is associated with The Dukes. APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM, is a threat actor linked to Russia. The group has been associated with cyber espionage campaigns across Central Asia and has historically targeted areas of national security, military operations, and geopolitical influUnspecified
2
The Sandworm Threat Actor is associated with The Dukes. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which cUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-38831 Vulnerability is associated with The Dukes. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabilTargets
2
Source Document References
Information about the The Dukes Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
18 hours ago
Securityaffairs
2 months ago
Securityaffairs
2 months ago
InfoSecurity-magazine
2 months ago
Securityaffairs
4 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
DARKReading
6 months ago
InfoSecurity-magazine
6 months ago
BankInfoSecurity
9 months ago
BankInfoSecurity
9 months ago
Securityaffairs
9 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
Securityaffairs
10 months ago
CERT-EU
10 months ago
Securityaffairs
a year ago