The Dukes, or Cozy Bear, is a heavily financed, deeply dedicated, and efficiently coordinated cyber espionage organization. Upon our analysis, it has been working in the interests of the Russian Federation since at least 2008. The primary objective is to collect intelligence that aids in shaping foreign policy and security decisions. Their preferred targets include Western governments and organizations related to critical infrastructure, plus government ministries, political think tanks, and their subcontractors.

Swachchhanda Shrawan Poudel
Swachchhanda Shrawan Poudel

Security Research

Fast Facts

  • First, a public service announcement: The Dukes has many aliases, from this moment forward we will use them interchangeably through the blog and report. It should be noted, that they are the same.
  • The Dukes, aka APT-29, Cozy Bear, or Nobelium, is a prominent cyber espionage group likely associated with Russia's Foreign Intelligence Service (SVR).
  • The Dukes are famous for cyber espionage activities against governments, non-governmental organizations, businesses, think tanks, and other high-profile targets through spearphishing campaigns.
  • The Dukes commonly use HTML Smuggling techniques and malicious ISO images to deliver their malware while evading security measures.
  • APT-29 has a history of targeting political entities. It gained notoriety for hacking the Democratic National Committee during the 2016 U.S. presidential election.
  • APT-29 garnered significant attention for its involvement in the 2020 SolarWinds supply-chain attack, which compromised numerous sectors of the U.S. government, demonstrating its capabilities and sophistication.

Who are the Dukes?

The Dukes are known for utilizing a wide range of malware toolsets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, they've been conducting large-scale spear-phishing campaigns, targeting hundreds, if not thousands, of recipients associated with governmental institutions and affiliated organizations. If The Dukes discover that a compromised target holds significant value, they swiftly transition to more covert tactics, emphasizing persistent compromise and long-term intelligence gathering.

It's widely believed Cozy Bear is responsible for the 2015 breach of unclassified networks at institutions such as the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. In relation to this, it gained notoriety for hacking the Democratic National Committee during the 2016 U.S. presidential election. SolarWinds Supply Chain Compromise is also attributed to their name.

Responding to The Dukes

Logpoint Converged SIEM platform is a cutting-edge platform for automating intrusion detection, analysis, and response to threats like The Dukes. With an end-to-end security operations platform, organizations have all the tools to combat adversary activities (like the ones from Cozy Bear aka APT-29) and disrupt their cyber-kill chain. Logpoint's SIEM function collects and analyzes log data from multiple sources, allowing for real-time monitoring and detection of suspicious activities and behavioral irregularities associated with threats. SOAR integration enhances security by automating response steps such as isolating affected endpoints and blocking malicious IP addresses. This increases incident response time and decreases the effect of threat attacks. Logpoint’s native endpoint agent, AgentX, provides endpoint detection and response (EDR) capabilities in conjunction with SIEM and SOAR. AgentX enables increased threat hunting and forensic investigations using Osquery by providing extensive visibility into endpoint processes. AgentX detects and contains infected systems quickly by continuously monitoring endpoints for signs of compromise and dangerous APT-29 operations.

For more information about APT-29, its genesis, history, how it operates, its evolved malware distribution techniques, mitigation, and detection possibility through Logpoint Converged SIEM Platform, Please view the report attached.