It is exceptionally rare for a well-documented threat actor, previously implicated in very high-profile attacks, to stay completely under the radar for several years. Yet that is exactly what the APT group the Dukes (aka APT29 and Cozy Bear) has done over the last three years. Despite being well known as one of the groups that hacked the Democratic National Committee in the run-up to the 2016 US election, the Dukes have received little subsequent attention. The last documented campaign attributed to them is a phishing campaign against the Norwegian government dating back to January 2017.

REFERENCE:
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
TAG:
ADVERSARY:
MALWARE FAMILY:
MiniDuke
ATTACK IDS:
T1001 – Data Obfuscation
T1005 – Data from Local System
T1008 – Fallback Channels
T1025 – Data from Removable Media
T1027 – Obfuscated Files or Information
T1035 – Service Execution
T1039 – Data from Network Shared Drive
T1041 – Exfiltration Over Command and Control Channel
T1045 – Software Packing
T1049 – System Network Connections Discovery
T1053 – Scheduled Task
T1057 – Process Discovery
T1060 – Registry Run Keys / Startup Folder
T1064 – Scripting
T1071 – Standard Application Layer Protocol
T1077 – Windows Admin Shares
T1078 – Valid Accounts
T1083 – File and Directory Discovery
T1084 – Windows Management Instrumentation Event Subscription
T1085 – Rundll32
T1086 – PowerShell
T1090 – Connection Proxy
T1102 – Web Service
T1106 – Execution through API
T1107 – File Deletion
T1112 – Modify Registry
T1129 – Execution through Module Load
T1135 – Network Share Discovery
T1140 – Deobfuscate/Decode Files or Information
T1193 – Spearphishing Attachment