The Dukes

Threat Actor updated 7 days ago (2024-10-11T15:01:31.820Z)
The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and Nobelium, is a threat actor associated with the Russian government that has been active since at least 2008. Notably, this group was implicated in the 2015 attack on the American Democratic National Committee (DNC). The FBI alerted the DNC to suspicious network activity in September 2015, referencing the Dukes as the potential source. Despite repeated warnings from the FBI throughout late 2015, the Dukes continued their malicious activities, launching several waves of highly targeted spear phishing attacks against U.S.-based think tanks and NGOs in August 2016.

The Dukes' activities have evolved over time, with notable operations including the StellarParticle campaign and the SolarWinds intrusion in December 2020. Both campaigns were tracked by cybersecurity firm CrowdStrike and were linked to the SUNSPOT implant. Post-election attacks launched by the Dukes on November 9 bore similarities to previous attacks seen from the group in both 2015 and 2016. More recently, TeamViewer discovered a breach in its corporate network attributed to the Dukes, highlighting the ongoing threat posed by this group.

In addition to these operations, the Dukes have been involved in multiple cyberespionage campaigns targeting various governments, diplomatic entities, and political parties. Threat intelligence firms have warned that the Dukes have amplified their global cyberespionage operations as part of Moscow's ongoing war against Ukraine. This includes attempts to exfiltrate strategic intelligence from embassies and diplomats, with targets including the French Ministry of Culture, the National Agency for Territorial Cohesion, and the French Ministry of Foreign Affairs. Despite these escalating threats, agencies such as France's ANSSI differentiate these groups into separate threat clusters, indicating the complex and multifaceted nature of the threat landscape.
Description last updated: 2024-10-11T14:16:35.333Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): Description

APT29 (5 votes): APT29 is a possible alias for The Dukes. APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, is a Russia-linked threat actor associated with SVR. This group is notorious for its sophisticated cyber espionage tactics, techniques, and procedures. APT29 often uses The Onion Router (TOR) network, leased and compromised

Midnight Blizzard (5 votes): Midnight Blizzard is a possible alias for The Dukes. Midnight Blizzard, a Russia-linked Advanced Persistent Threat (APT) group also known as APT29, Cozy Bear, Nobelium, and The Dukes, has been actively involved in large-scale cyberespionage campaigns targeting organizations worldwide. This threat actor has demonstrated sophisticated capabilities to br

NOBELIUM (4 votes): NOBELIUM is a possible alias for The Dukes. Nobelium, a threat actor linked to Russia, has been identified as a significant cybersecurity concern due to its persistent and sophisticated cyber-espionage campaigns. Known also by various other names such as APT29, Cozy Bear, Midnight Blizzard, and The Dukes, Nobelium is believed to be operating

Cozy Bear (4 votes): Cozy Bear is a possible alias for The Dukes. Cozy Bear, also known as APT29 and associated with names like Midnight Blizzard, Nobelium, and The Dukes, is a threat actor believed to be linked with the Russian state. This group has been involved in numerous cyber espionage activities, demonstrating proficiency across multiple operating systems a

BlueBravo (2 votes): BlueBravo is a possible alias for The Dukes. BlueBravo, also known as APT29, Nobelium, Cozy Bear, Midnight Blizzard, and The Dukes, is a threat actor group linked to Russia that has been implicated in multiple high-profile cyberattacks. Recently, TeamViewer discovered a breach in its corporate network, with reports attributing the intrusion to
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:
Apt
Implant
Phishing
Spearphishing
Malware
France
Vulnerability
WinRAR
Russia
Exploit
Blizzard
Espionage
Microsoft
Associated Malware
Malware (association type, votes): Description

Brute Ratel (Unspecified, 2 votes): The Brute Ratel Malware is associated with The Dukes. Brute Ratel is a malicious software (malware) that has been increasingly used by cyber threat actors to exploit and damage computer systems. It is often delivered through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, Brute Ratel can s
Associated Threat Actors
Threat actor (association type, votes): Description

Sednit (Unspecified, 2 votes): The Sednit Threat Actor is associated with The Dukes. Sednit, also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, BlueDelta, and Strontium, is a threat actor associated with Russia's military intelligence. The group has been active since at least 2007, primarily targeting governments, militaries, and security organizations worldwide. Notably, Se

APT28 (Unspecified, 2 votes): The APT28 Threat Actor is associated with The Dukes. APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate, is a Russia-linked threat actor that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide with a particular focus on th

Sandworm (Unspecified, 2 votes): The Sandworm Threat Actor is associated with The Dukes. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi
Associated Vulnerabilities
Vulnerability (association type, votes): Description

CVE-2023-38831 (Targets, 2 votes): The CVE-2023-38831 Vulnerability is associated with The Dukes. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
Source Document References
Information about The Dukes Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source (created):
Securityaffairs (5 days ago)
InfoSecurity-magazine (7 days ago)
Securityaffairs (2 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
DARKReading (4 months ago)
InfoSecurity-magazine (4 months ago)
BankInfoSecurity (6 months ago)
BankInfoSecurity (7 months ago)
Securityaffairs (7 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
Securityaffairs (8 months ago)
CERT-EU (8 months ago)
Securityaffairs (9 months ago)
Securityaffairs (9 months ago)
CERT-EU (9 months ago)