The Dukes

Threat Actor Profile Updated 23 days ago
The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and several other aliases, is a highly active threat actor group widely believed to be associated with the Russian Foreign Intelligence Service (SVR). The group has been operational since at least 2008, targeting governments, think tanks, diplomatic entities, and political parties. It gained notoriety for its involvement in the 2015 attack against the American Democratic National Committee (DNC), where it was first identified by an FBI agent who noticed suspicious activity emanating from the DNC network. The group's activity continued into 2016, with several waves of targeted spear phishing attacks against U.S.-based think tanks and NGOs.

The Dukes are also linked to the infamous 2020 SolarWinds attack, which exploited vulnerabilities in the Orion network and had a significant impact on U.S. government agencies and various private sector companies. This connection was established through the StellarParticle campaign, which was tracked by CrowdStrike and associated with the SUNSPOT implant from the SolarWinds intrusion. The group's post-election attacks, launched on November 9, closely resembled the attacks seen in both 2015 and 2016, suggesting a consistent modus operandi. Although the Dukes have been linked to multiple cyberespionage groups such as Nobelium and Dark Halo, ANSSI has differentiated them into separate threat clusters.

Recently, CERT-FR warned that the Dukes, under the alias Midnight Blizzard, have consistently been attempting to exfiltrate strategic intelligence from embassies and diplomats, in an activity cluster it calls "Diplomatic Orbiter." Threat intelligence firms have further emphasized that the group has amplified its global cyberespionage operations, particularly in relation to Moscow's ongoing war against Ukraine.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Each entry below gives the profile ID, its vote count, and the (truncated) profile description.

APT29 (5 votes): APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi

Midnight Blizzard (4 votes): Midnight Blizzard, a Russia-linked Advanced Persistent Threat (APT) group, has emerged as a significant cybersecurity concern. The group is known for executing actions with malicious intent and has been linked to several high-profile cyber attacks on global organizations. Notably, it breached the sy

Cozy Bear (3 votes): Cozy Bear, also known as APT29, is a threat actor linked to the Russian government that has been implicated in numerous cyber-espionage activities. The group's activities have been traced back to at least 2015, when they were identified as infiltrating the Democratic National Committee (DNC) network

NOBELIUM (3 votes): Nobelium, a threat actor linked to Russia's SVR, has been actively targeting French diplomatic entities as part of its cyber-espionage activities. The Advanced Persistent Threat (APT) group has utilized sophisticated techniques such as phishing and attempts to install Cobalt Strike, an advanced malw

Bluebravo (2 votes): BlueBravo, also known as APT29 or Nobellium, is a threat actor group linked to Russia that has been implicated in several high-profile cyberattacks. Recently, TeamViewer discovered a breach in its corporate network, with some reports attributing the intrusion to this group. BlueBravo, along with oth

IRON HEMLOCK (1 vote): Iron Hemlock, a threat actor also known as APT29, Cozy Bear, BlueBravo, Cloaked Ursa, The Dukes, and Midnight Blizzard, has been identified as a significant cybersecurity concern. This group, suspected to be associated with Russia and previously identified as Nobelium, is known for executing actions

SUNSPOT (1 vote): Sunspot is a sophisticated and novel malware associated with the SolarWinds intrusion that occurred in December 2020. This malicious software, linked to COZY BEAR (also known as APT29 or "The Dukes"), infiltrates systems undetected, often through suspicious downloads, emails, or websites. Once insid

StellarParticle (1 vote): StellarParticle, a threat actor associated with the COZY BEAR adversary group, has been identified as a significant cybersecurity risk by CrowdStrike. StellarParticle is known for its extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and it has

Dark Halo (1 vote): Dark Halo, a cyber threat actor identified by cybersecurity company Volexity, has been linked to several significant cyber attacks. This group initially gained notoriety for its exploitation of the SolarWinds Orion software in June and July 2020, which resulted in a major breach of the targeted orga

Blue Kitsune (1 vote): Blue Kitsune, also known as APT29, Cozy Bear, and the Dukes, is a notable threat actor in the realm of cybersecurity. This group has been linked to several malicious activities, including the deployment of WellMess malware. While there is no definitive evidence tying WellMess exclusively to Blue Kit

CozyCar (1 vote): None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Phishing
Implant
Blizzard
Espionage
Malware
Microsoft
France
Vulnerability
WinRAR
Russia
Spearphishing
Exploit
Eset
exploited
russian
Backdoor
Crowdstrike
State Sponso...
Volexity
Windows
Solarwinds
Associated Malware
Each entry below gives the malware ID, its association type, its vote count, and the (truncated) profile description.

Brute Ratel (type: Unspecified, 2 votes): Brute Ratel is a sophisticated malware variant that has been used in a series of cyber attacks targeting diplomatic staff and other sensitive targets. It's delivered through custom loaders embedded in lure documents, which are designed to trick the recipient into triggering the infection process. On

WellMess (type: Unspecified, 1 vote): The WellMess malware, first reported by LAC and JPCERT in mid-2018, is a malicious software that stores the Command and Control (C2) IP addresses it uses in the binary as plaintext URLs. The C2 has limited functionality to relay information between itself, the WellMess backdoor, and presumably a fur

PowerDuke (type: Unspecified, 1 vote): PowerDuke is a sophisticated malware first observed in August 2016 and used extensively by APT28, an advanced persistent threat group. It is designed to create backdoors in compromised systems, which allows the attackers to maintain access and control over these systems. The malware infects systems
Associated Threat Actors
Each entry below gives the threat actor ID, its association type, its vote count, and the (truncated) profile description.

Sandworm (type: Unspecified, 2 votes): Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met

APT28 (type: Unspecified, 2 votes): APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the

Sednit (type: Unspecified, 2 votes): Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor associated with Russia's military intelligence. Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. ESET has shed lig
Associated Vulnerabilities
Each entry below gives the vulnerability ID, its association type, its vote count, and the (truncated) profile description.

CVE-2023-38831 (type: Targets, 2 votes): CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
Source Document References
Information about The Dukes threat actor was read from the documents corpus below. This display is limited to 20 results.

Each entry below gives the source, when it was created, and the document title.

Securityaffairs, 23 days ago: Russia-linked group APT29 likely breached TeamViewer
Securityaffairs, 23 days ago: Russia's Midnight Blizzard stole email of more Microsoft customers
Securityaffairs, a month ago: Russia-linked APT Nobelium targets French diplomatic entities
DARKReading, a month ago: Russia's Midnight Blizzard Seeks to Snow French Diplomats
InfoSecurity-magazine, a month ago: French Diplomatic Entities Targeted by Russian-Aligned Nobelium
BankInfoSecurity, 4 months ago: Phishing Attacks Targeting Political Parties, Germany Warns
BankInfoSecurity, 4 months ago: Russian Nation-State Hacker Targets German Political Parties
Securityaffairs, 5 months ago: Russia-linked Midnight Blizzard breached Microsoft systems again
CERT-EU, 5 months ago: UK's NCSC Issues Warning as SVR Hackers Target Cloud Services
CERT-EU, 5 months ago: APT29 Tactics Revealed: A Joint Advisory by Five Eyes Cybersecurity Agencies
CERT-EU, 5 months ago: Russia-linked APT29 switched to targeting cloud services
CERT-EU, 5 months ago: Five Eyes Agencies Expose APT29's Evolving Cloud Attack Tactics
Securityaffairs, 5 months ago: Russia-linked APT29 switched to targeting cloud services
CERT-EU, 5 months ago: Attacks That Change the Course of History
Securityaffairs, 6 months ago: Midnight Blizzard APT is targeting orgs worldwide, Microsoft warns
Securityaffairs, 6 months ago: Russia-linked APT group Midnight Blizzard hacked HPE
CERT-EU, 6 months ago: Russia-linked Midnight Blizzard APT hacked Microsoft corporate emails
Securityaffairs, 6 months ago: Russia-linked Midnight Blizzard APT hacked Microsoft corporate emails
CERT-EU, 6 months ago: Microsoft's Top Execs' Emails Breached in Sophisticated Russia-Linked APT Attack
CERT-EU, 6 months ago: Multiple government agencies hacked by Russia-backed actors