APT 29

Into the mind of The Dukes hacking group AKA Cozy Bear and Apt29

The Dukes hacking group, which is also known as Cozy Bear and APT29, is a Russian-linked cyberespionage organization. It is said to be led by the Russian Foreign Intelligence Service (SVR).

The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.

The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as APT 29, CosmicDuke, OnionDuke, APT 29, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeAPT 29. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations.

These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.

In addition to these large-scale campaigns, the Dukes continuously and concurrently engage in smaller, much more targeted campaigns, utilizing different toolsets. These targeted campaigns have been going on for at least 7 years. The targets and timing of these campaigns appear to align with the known foreign and security policy interests of the Russian Federation at those times.

The State-sponsored APT 29 malware utilizes a backdoor and a dropper for information theft and espionage. The malware exfiltrates data to a command and control server. Attackers may tailor the malware to the environment. The backdoor components of APT 29's malware are updated over time with modifications to cryptography, Trojan functionality, and anti-detection. The speed at which APT 29 develops and deploys its components is reminiscent of the toolset of Fancy Bear, which also uses the tools CHOPSTICK and CORESHELL.

Cozy Bear's CozyDuke malware toolset is structurally and functionally similar to second stage components used in early Miniduke, Cosmicduke, and OnionDuke operations. A second stage module of the CozyDuke malware, Show.dll, appears to have been built onto the same platform as OnionDuke, suggesting that the authors are working together or are the same people. The campaigns and the malware toolsets they use are referred to as the Dukes, including Cosmicduke, Cozyduke, and Miniduke. CozyDuke is connected to the MiniDuke and CosmicDuke campaigns, as well as to the OnionDuke cyberespionage campaign. Each threat group tracks their targets and use toolsets that were likely created and updated by Russian speakers. Following exposure of the MiniDuke in 2013, updates to the malware were written in C/C++ and it was packed with a new obfuscator. APT 29 is suspected of being behind the 'HAMMERTOSS' remote access tool which uses commonly visited websites like Twitter and GitHub to relay command data.

Seaduke is a highly configurable, low-profile Trojan only used for a small set of high-value targets. Typically, Seaduke is installed on systems already infected with the much more widely distributed APT 29.


Evidence suggests that APT 29's targets have included commercial entities and government organizations in Germany, Uzbekistan, South Korea and the US, including the US State Department and the White House in 2014.

Office monkeys (2014)

In March 2014, a Washington, D.C.-based private research institute was found to have APT 29 (Trojan.Cozer) on their network. APT 29 then started an email campaign attempting to lure victims into clicking on a flash video of office monkeys that would also include malicious executables. By July the group had compromised government networks and directed APT 29-infected systems to install APT 29 onto a compromised network.
In the summer of 2014, digital agents of the Dutch General Intelligence and Security Service infiltrated APT 29. They found that these Russian hackers were targeting the US Democratic Party, State Department and White House. Their evidence influenced the FBI's decision to open an investigation.

Pentagon (August 2015)

In August 2015 APT 29 was linked to a spear-phishing cyber-attack against the Pentagon email system causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.

Democratic National Committee (2016)

In June 2016, APT 29 was implicated alongside the hacker group Fancy Bear in the Democratic National Committee cyber-attacks. While the two groups were both present in the Democratic National Committee's servers at the same time, they appeared to be unaware of the other, each independently stealing the same passwords and otherwise duplicating their efforts. While APT 29 had been on the DNC's network for over a year, Fancy Bear had only been there a few weeks. APT 29's more sophisticated tradecraft and interest in traditional long-term espionage suggest that the group originates from a separate Russian intelligence agency.

US think tanks and NGOs (2016)

After the 2016 United States presidential election, APT 29 was linked to a series of coordinated and well-planned spear phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs).

Norwegian Government (2017)

On February 3, 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to spear phish the email accounts of nine individuals in the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party. The acts were attributed to APT 29, whose targets included the Norwegian Radiation Protection Authority, PST section chief Arne Christian Haugstøyl, and an unnamed college. Prime Minister Erna Solberg called the acts "a serious attack on our democratic institutions”. The attacks were reportedly conducted in January 2017.

Dutch ministries (2017)

In February 2017, it was revealed that APT 29 and Fancy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, the General Intelligence and Security Service of the Netherlands said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents. In a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that votes for the Dutch general election in March 2017 would be counted by hand.

SOURCE: https://en.wikipedia.org/wiki/Cozy_Bear