APT 29, Cozy Bear, The Dukes

APT group: APT 29, Cozy Bear, The Dukes

Names:
  APT 29 (Mandiant)
  Cozy Bear (CrowdStrike)
  The Dukes (F-Secure)
  Group 100 (Talos)
  Yttrium (Microsoft)
  Iron Hemlock (SecureWorks)
  Minidionis (Palo Alto)
  CloudLook (Kaspersky)
  ATK 7 (Thales)
  ITG11 (IBM)
  Grizzly Steppe (US Government) together with Sofacy, APT 28, Fancy Bear, Sednit
  UNC2452 (FireEye)
  Dark Halo (Volexity)
  SolarStorm (Palo Alto)
  StellarParticle (CrowdStrike)
  SilverFish (Prodaft)
  Nobelium (Microsoft)
  Iron Ritual (SecureWorks)
  Cloaked Ursa (Palo Alto)
  BlueBravo (Recorded Future)
  Midnight Blizzard (Microsoft)
  UNC3524 (Mandiant)
  Cranefly (Symantec)
  TEMP.Monkeys (FireEye)
  Blue Dev 5 (PWC)
  NobleBaron (SentinelOne)
  Solar Phoenix (Palo Alto)
  Earth Koshchei (Trend Micro)
  G0016 (MITRE)

Country: Russia
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2008

Description (F-Secure):
The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, po and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of In Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers illicit trade of controlled substances and drugs.

The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionD CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and a organizations.
These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used stealthier tactics focused on persistent compromise and long-term intelligence gathering.

https://apt.etda.or.th/cgi-bin/showcard.cgi?u=93ba9804-335e-4782-855d-40af22b93201 Page 1 of 6

In addition to these large-scale campaigns, the Dukes continuously and concurrently engage in smaller, much more targeted utilizing different toolsets. These targeted campaigns have been going on for at least 7 years. The targets and timing of these to align with the known foreign and security policy interests of the Russian Federation at those times.

Observed:
  Sectors: Aerospace, Defense, Education, Embassies, Energy, Financial, Government, Healthcare, Law enforcement, Media, Pharmaceutical, Telecommunications, Transportation, Think Tanks and Imagery.
  Countries: Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chechnya, Chile, China, Cyprus, Czech, Den Georgia, Germany, Hungary, India, Ireland, Israel, Italy, Japan, Kazakhstan, Kyrgyzstan, Latvia, Lebanon, Lithuania, Luxem Montenegro, Netherlands, New Zealand, Poland, Portugal, Romania, Russia, Singapore, Slovakia, Slovenia, Spain, South K Thailand, Turkey, Uganda, UAE, UK, Ukraine, USA, Uzbekistan, NATO.

Tools used:
  7-Zip, AdFind, ATI-Agent, AtNow, BEATDROP, BloodHound, CEELOADER, CloudDuke, Cobalt Strike, CosmicDuke, C EnvyScout, FatDuke, FoggyWeb, GeminiDuke, Geppei, GoldFinder, GoldMax, GraphicalNeutrino, GraphicalProton, Hamm MagicWeb, meek, Mimikatz, MiniDuke, OnionDuke, PinchDuke, PolyglotDuke, POSHSPY, PowerDuke, QUIETEXIT, RA RegDuke, reGeorg, Rubeus, SeaDuke, Sharp-SMBExec, SharpView, Sibot, SoreFang, SUNBURST, SUNSPOT, SUPERNO TrailBlazer, WellMail, WellMess, WINELOADER, Living off the Land.
Operations performed:

Feb 2013
  Since the original announcement, we have observed several new attacks using the same exploit (CVE-2013-0 other malware. Between these, we’ve observed a couple of incidents which are so unusual in many ways that analyse them in depth.

2013 Operation “Ghost”
  We call these newly uncovered Dukes campaigns, collectively, Operation Ghost, and describe how the group compromising government targets, including three European Ministries of Foreign Affairs and the Washingto European Union country, all without drawing attention to their activities.

Mar 2014 Operation “Office monkeys”
  In March 2014, a Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Co network. Cozy Bear then started an email campaign attempting to lure victims into clicking on a flash video that would also include malicious executables. By July the group had compromised government networks an CozyDuke-infected systems to install MiniDuke onto a compromised network.

Aug 2015 Attack on the Pentagon in the USA
  In August 2015 Cozy Bear was linked to a spear-phishing cyberattack against the Pentagon email system cau of the entire Joint Staff unclassified email system and Internet access during the investigation.

Jun 2016 Breach of Democratic National Committee
  In June 2016, Cozy Bear was implicated alongside the hacker group Sofacy, APT 28, Fancy Bear, Sednit had few weeks. Cozy Bear’s more sophisticated tradecraft and interest in traditional long-term espionage suggest originates from a separate Russian intelligence agency.

Aug 2016 Attacks on US think tanks and NGOs
  After the United States presidential election, 2016, Cozy Bear was linked to a series of coordinated and well-phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs).
Jan 2017 Attacks on the Norwegian Government
  On February 3, 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to email accounts of nine individuals in the Ministry of Defense, Ministry of Foreign Affairs, and the Labour Pa attributed to Cozy Bear, whose targets included the Norwegian Radiation Protection Authority, PST section c Haugstøyl, and an unnamed college.

Feb 2017 Attack on Dutch ministries
  In February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands revealed that Fan Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, ove months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried t secret government documents.

Nov 2018 Phishing campaign in the USA
  Target: Multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportat national government, and defense contracting.
  Method: Phishing email appearing to be from the U.S. Department of State with links to zip files containing shortcuts that delivered Cobalt Strike Beacon.

Aug 2019 SolarWinds Orion Supply-chain Attack

2020
  Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in States and the United Kingdom, highly likely with the intention of stealing information and intellectual prope development and testing of COVID-19 vaccines.
2020 Suspected Russian Activity Targeting Government and Business Entities Around the Globe

2021 Operation “StellarParticle”
  Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign

Feb 2021 Russian cyberspies targeted the Slovak government for months

Feb 2021 France warns of Nobelium cyberspies attacking French orgs

Apr 2021 FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor

Mid 2021 SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse

Jul 2021 Russia ‘Cozy Bear’ Breached GOP as Ransomware Attack Hit

Jul 2021 Solarwind Attackers at It Again in Back-to-Back Campaigns

Jul 2021
  In recent months, the Dukes launched several spearphishing campaigns targeting European diplomats, think t international organizations. ESET researchers identified victims in more than 12 different European countrie

Oct 2021
  In October and November 2021, ESET detected additional spearphishing campaigns, again targeting Europea missions and Ministries of Foreign Affairs.

Feb 2022 Nobelium Returns to the Political World Stage

May 2022 Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive

Aug 2022 You Can’t Audit Me: APT29 Continues Targeting Microsoft 365

Aug 2022 MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone

Feb 2023 Diplomats Beware: Cloaked Ursa Phishing With a Twist

Oct 2022 BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware

Mar 2023 NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine

May 2023 Midnight Blizzard conducts targeted social engineering over Microsoft Teams

May 2023 HPE: Russian hackers breached its security team’s email accounts

Aug 2023 German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs

Sep 2023 Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally

Nov 2023 State-backed attackers and commercial surveillance vendors repeatedly use the same exploits

Jan 2024 Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard

Feb 2024 APT29 Uses WINELOADER to Target German Political Parties

Jun 2024 TeamViewer's corporate network was breached in alleged APT hack

Oct 2024 Amazon identified internet domains abused by APT29

Oct 2024 Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

Oct 2024 Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Jan 2025 Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy

Counter operations:

Aug 2014 Dutch agencies provide crucial intel about Russia’s interference in US-elections

Jul 2018 Mueller indicts 12 Russians for DNC hacking as Trump-Putin summit looms

Apr 2021 Executive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Governm Federation

Jun 2021 Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-P Posing as U.S. Agency for International Development

MITRE ATT&CK Playbook

Last change to this card: 16 August 2025