It is exceptionally rare for a well-documented threat actor, previously implicated in very high-profile attacks, to stay completely under the radar for several years. Yet that is exactly what the APT group the Dukes (aka APT29 and Cozy Bear) has done for the last three years. Despite being well known as one of the groups that hacked the Democratic National Committee in the run-up to the 2016 US election, the Dukes have received little subsequent attention. The last documented campaign attributed to them is a phishing campaign against the Norwegian government dating back to January 2017.
The Dukes aren’t back — they never left (GoVanguard, 2019-10-24)
MITRE ATT&CK techniques associated with the campaign:
- T1001 – Data Obfuscation
- T1005 – Data from Local System
- T1008 – Fallback Channels
- T1025 – Data from Removable Media
- T1027 – Obfuscated Files or Information
- T1035 – Service Execution
- T1039 – Data from Network Shared Drive
- T1041 – Exfiltration Over Command and Control Channel
- T1045 – Software Packing
- T1049 – System Network Connections Discovery
- T1053 – Scheduled Task
- T1057 – Process Discovery
- T1060 – Registry Run Keys / Startup Folder
- T1064 – Scripting
- T1071 – Standard Application Layer Protocol
- T1077 – Windows Admin Shares
- T1078 – Valid Accounts
- T1083 – File and Directory Discovery
- T1084 – Windows Management Instrumentation Event Subscription
- T1085 – Rundll32
- T1086 – PowerShell
- T1090 – Connection Proxy
- T1102 – Web Service
- T1106 – Execution through API
- T1107 – File Deletion
- T1112 – Modify Registry
- T1129 – Execution through Module Load
- T1135 – Network Share Discovery
- T1140 – Deobfuscate/Decode Files or Information
- T1193 – Spearphishing Attachment