Mitre
Alias
Operation "Office Monkeys", Operation "Ghost", Grizzly Steppe, Iron Ritual, Cloaked Ursa, Silverfish, Minidionis, Atk7, Bluebravo, Cozy Bear, Itg11, Stellarparticle, G0016, Operation "StellarParticle", Ta421, Midnight Blizzard, Blue Kitsune, Atk 7, Apt 29, The Dukes, Group 100, Apt29, Yttrium, Seaduke, Cloudlook, Solarstorm, Dark Halo, Nobelium, Iron Hemlock, Unc2452
Country
Russia
Sponsor
Russian Federation, state-sponsored
Motivation
Information Theft And Espionage
First Seen
2008
Description
(F-Secure) The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making.
The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.
The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations.
These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.
In addition to these large-scale campaigns, the Dukes continuously and concurrently engage in smaller, much more targeted campaigns, utilizing different toolsets. These targeted campaigns have been going on for at least 7 years. The targets and timing of these campaigns appear to align with the known foreign and security policy interests of the Russian Federation at those times.
Targeted Industries
Government, Aerospace, Defense, Energy, Law Enforcement, Financial, Pharmaceutical, Private Sector, Education, Media, NGOs, Telecommunications, Healthcare, Imagery, Think Tanks, Transportation
Targeted Countries
Canada, Chechnya, Denmark, Slovakia, Italy, Turkey, Czech Republic, France, Poland, Kazakhstan, Cyprus, Hungary, Lebanon, Luxembourg, Switzerland, Ukraine, China, New Zealand, Bulgaria, Russia, Germany, Ireland, Kyrgyzstan, Chile, Israel, Brazil, Romania, Latvia, Netherlands, Montenegro, UAE, USA, Lithuania, UK, United States, Japan, NATO, India, Uganda, Belgium, Belarus, Azerbaijan, Mexico, Australia, Uzbekistan, Thailand, Slovenia, Singapore, Spain, South Korea, Georgia, Portugal
Tools
Miniduke
Sunspot
Tomiris
Mimikatz
Trailblazer
Pinchduke
Rubeus
Goldmax
Powerduke
7-zip
Beatdrop
Raindrop
Sharpview
Wellmail
Teardrop
Sharp-smbexec
Sibot
Cobalt Strike
Geminiduke
Ceeloader
Supernova
Foggyweb
Regduke
Wellmess
Adfind
Liteduke
Polyglotduke
Living Off The Land
Sorefang
Goldfinder
Cozyduke
Hammerduke
Seaduke
Atnow
Fatduke
Meek
Envyscout
Graphicalneutrino
Bloodhound
Ati-agent
Magicweb
Onionduke
Sunburst
Poshspy
Cosmicduke
Cloudduke
TTP
T1195.002
T1550.001
T1059.006
T1090.003
T1583
T1573
T1053
T1036
T1556
T1090
T1098.003
T1082
T1021
T1589
T1016
T1606
T1036.004
T1568
T1548.002
T1606.001
T1059.003
T1087.002
T1566.001
T1546.008
T1102
T1218.011
T1204.001
T1059.005
T1110
T1562.002
T1078
T1547
T1078.004
T1069.002
T1001.002
T1053.005
T1070
T1550
T1213.003
T1562.001
T1133
T1070.006
T1583.006
T1098.002
T1505
T1562.004
T1621
T1566.003
T1074.002
T1021.006
T1090.001
T1558.003
T1562
T1204
T1078.003
T1027
T1546
T1071
T1102.002
T1584.001
T1190
T1114.002
T1136
T1069
T1213
T1547.001
T1005
T1199
T1114
T1095
T1550.004
T1566.002
T1018
T1595
T1560.001
T1589.001
T1048.002
T1068
T1606.002
T1218
T1016.001
T1649
T1586.002
T1090.004
T1552
T1552.004
T1001
T1560
T1484.002
T1071.001
T1140
T1027.006
T1059
T1553.002
T1021.002
T1087.004
T1587
T1556.007
T1482
T1588.002
T1027.001
T1098
T1195
T1218.005
T1558
T1539
T1587.001
T1204.002
T1003
T1550.003
T1136.003
T1098.001
T1555.003
T1546.003
T1047
T1074
T1078.002
T1548
T1059.001
T1587.003
T1070.008
T1505.003
T1203
T1083
T1048
T1070.004
T1057
T1584
T1003.006
T1555
T1583.001
T1588
T1105
T1087
T1595.002
T1586
T1553.005
T1098.005
T1484
T1027.002
T1553
T1566
T1021.001
T1110.003
T1036.005
Operations Performed
[2013-02] Since the original announcement, we have observed several new attacks using the same exploit (CVE-2013-0640) which drop other malware. Between these, we've observed a couple of incidents which are so unusual in many ways that we've decided to analyse them in depth. (https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/)
[2013] While the old-style MiniDuke implants were used to target mostly government victims, the new-style CosmicDuke implants have a somewhat different typology of victims. The most unusual is the targeting of individuals that appear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones. These victims in the Nitro project have been observed only in Russia. (https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/)
[2013] Operation "Ghost" (We call these newly uncovered Dukes campaigns, collectively, Operation Ghost, and describe how the group has been busy compromising government targets, including three European Ministries of Foreign Affairs and the Washington DC embassy of a European Union country, all without drawing attention to their activities.) (https://www.welivesecurity.com/wp-content/uploads/2019/10/eset_operation_ghost_dukes.pdf)
[2014-03] Operation "Office Monkeys" (In March 2014, a Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Cozer) on their network. Cozy Bear then started an email campaign attempting to lure victims into clicking on a Flash video of office monkeys that would also include malicious executables. By July the group had compromised government networks and directed CozyDuke-infected systems to install MiniDuke onto a compromised network.) (https://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory)
[2015-08] Attack on the Pentagon in the USA (In August 2015 Cozy Bear was linked to a spear-phishing cyberattack against the Pentagon email system, causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.) (https://www.cnbc.com/2015/08/06/russia-hacks-pentagon-computers-nbc-citing-sources.html)
[2016-06] Breach of the Democratic National Committee (In June 2016, Cozy Bear was implicated alongside the hacker group Sofacy, APT 28, Fancy Bear, Sednit had only been there a few weeks. Cozy Bear's more sophisticated tradecraft and interest in traditional long-term espionage suggest that the group originates from a separate Russian intelligence agency.) (https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)
[2016-08] Attacks on US think tanks and NGOs (After the 2016 United States presidential election, Cozy Bear was linked to a series of coordinated and well-planned spear-phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs).) (https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/)
[2017-01] Attacks on the Norwegian government (On February 3, 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to spear-phish the email accounts of nine individuals in the Ministry of Defense, Ministry of Foreign Affairs, and the Labour Party. The acts were attributed to Cozy Bear, whose targets included the Norwegian Radiation Protection Authority, PST section chief Arne Christian Haugstøyl, and an unnamed college.) (https://www.usatoday.com/story/news/2017/02/03/norway-russian-hackers-hit-spy-agency-defense-labour-party/97441782/)
[2017-02] Attack on Dutch ministries (In February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands revealed that Fancy Bear and Cozy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents.) (https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries, B77ff391/)
[2017-09] Russian hackers breached Dutch police systems in 2017 (https://therecord.media/russian-hackers-breached-dutch-police-systems-in-2017/)
[2018-11] Phishing campaign in the USA (Target: multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting. Method: phishing email appearing to be from the U.S. Department of State with links to ZIP files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.) (https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html)
[2019-08] SolarWinds Orion supply-chain attack (https://www.dropbox.com/s/yu5uwsfyo9q4oj2/whitepaper%20solarwinds%20orion%20supply-chain%20attack.pdf?dl=0)
[2020] Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines. (https://www.ncsc.gov.uk/files/advisory-apt29-targets-covid-19-vaccine-development.pdf)
[2020] Suspected Russian activity targeting government and business entities around the globe (https://www.mandiant.com/resources/russian-targeting-gov-business)
[2021] Operation "StellarParticle" (Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign) (https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/)
[2021-02] Russian cyberspies targeted the Slovak government for months (https://therecord.media/russian-cyberspies-targeted-slovak-government-for-months/)
[2021-02] France warns of Nobelium cyberspies attacking French orgs (https://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/)
[2021 early] Trello from the Other Side: Tracking APT29 Phishing Campaigns (https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns)
[2021-04] FoggyWeb: Targeted Nobelium Malware Leads to Persistent Backdoor (https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/)
[2021-05] Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns (https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/)
[2021-06] New Nobelium activity (https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/)
[2021 mid] SolarDeflection C2 Infrastructure Used by Nobelium in Company Brand Misuse (https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/)
[2021-06] Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers (https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/)
[2021-07] Russia 'Cozy Bear' breached GOP as ransomware attack hit (https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee)
[2021-07] New activity from Russian actor Nobelium (https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/)
[2021-07] SolarWind attackers at it again in back-to-back campaigns (https://cybersecurityworks.com/blog/vulnerabilities/solarwind-attackers-at-it-again-in-back-to-back-campaigns.html)
[2021-07] In recent months, the Dukes launched several spearphishing campaigns targeting European diplomats, think tanks and international organizations. ESET researchers identified victims in more than 12 different European countries. (https://www.welivesecurity.com/wp-content/uploads/2021/09/eset_threat_report_t22021.pdf)
[2021-10] In October and November 2021, ESET detected additional spearphishing campaigns, again targeting European diplomatic missions and ministries of foreign affairs. (https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf)
[2022-02] Nobelium returns to the political world stage (https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage)
[2022-05] Russian APT29 hackers use online storage services, Dropbox and Google Drive (https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/)
[2022-08] You Can't Audit Me: APT29 Continues Targeting Microsoft 365 (https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft)
[2022-08] MagicWeb: Nobelium's post-compromise trick to authenticate as anyone (https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/)
[2022-10] BlueBravo uses ambassador lure to deploy GraphicalNeutrino malware (https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf)
[2023-03] Nobelium uses Poland's ambassador's visit to the U.S. to target EU governments assisting Ukraine (https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine)
Counter Operations
[2014-08] Dutch agencies provide crucial intel about Russia's interference in US elections (https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections, B4f8111b/)
[2018-07] Mueller indicts 12 Russians for DNC hacking as Trump-Putin summit looms (https://www.politico.com/story/2018/07/13/mueller-indicts-12-russians-for-hacking-into-dnc-718805)
[2021-04] Executive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation (https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/) (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/04/15/executive-order-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation/) (https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/a-letter-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation/)
[2021-06] Justice Department announces court-authorized seizure of domain names used in furtherance of spear-phishing campaign posing as U.S. Agency for International Development (https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear)
Information
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf
https://exchange.xforce.ibmcloud.com/threat-group/guid:6acdb86af596b31ca8d273eb5572904f
https://en.wikipedia.org/wiki/Cozy_Bear
https://us-cert.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Russian_SVR_Activities_Related_to_SolarWinds_Compromise_508C.pdf
https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf
https://www.mandiant.com/resources/unc2452-merged-into-apt29
https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
https://raw.githubusercontent.com/prodaft/malware-ioc/master/SilverFish/SilverFish_TLPWHITE.pdf
https://download.microsoft.com/download/4/6/5/4650b04f-7db6-4a87-bf82-8ed1ad1c001c/MS%20Security%20Experts%20Cyberattack%20MagicWeb%202023.pdf