APT29 – The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations.
Name: Cozy Bear (CrowdStrike), The Dukes (F-Secure), Group 100 (Talos), Yttrium (Microsoft), Iron Hemlock (SecureWorks), Minidionis (Palo Alto), CloudLook (Kaspersky), ATK 7 (Thales), ITG11 (IBM )UNC2452 (FireEye), Dark Halo (Volexity), SolarStorm (Palo Alto), StellarParticle (CrowdStrike), Nobelium (Microsoft), Iron Ritual (SecureWorks)
Location: Russia
Suspected attribution: Russia’s Foreign Intelligence Service (SVR)
Date of initial activity: 2008
Targets: Government networks in Europe and NATO member countries, research institutes, and think tanks.
Motivation: Information theft and espionage
Associated tools: Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke
Attack vectors: The group primarily uses campaigns ranging from widespread emails crafted to look like high-volume spam messages, to targeted spear phishing emails addressed to only a few individuals that contain malicious attachments with customized content.
How they work: In some incidents, IRON HEMLOCK appears to have used compromised third-party networks to conduct attacks; for example, reports linked IRON HEMLOCK to the April 2015 breach of an unclassified White House network, and some sources claimed that the initial phishing emails were distributed from U.S. State Department email servers. IRON HEMLOCK also compromised the U.S. Democratic National Committee’s network in 2016.
IRON HEMLOCK (also known as The Dukes or APT29) is a cyber-espionage group that has been operating since at least 2008. In 2018, media reports detailing a Dutch counterintelligence operation against IRON HEMLOCK strongly suggested that the group is a component of the SVR, Russia’s foreign intelligence agency. This evidence, combined with observations of the threat group’s activities and targeting, led CTU researchers to assess with high confidence that IRON HEMLOCK is operated by the one of the Russian intelligence services and with moderate confidence specifically the SVR. The group has targeted government, foreign policy, and security-related organizations in former Soviet countries (Russia’s ‘near-abroad’) and NATO member countries. CTU analysis suggests that it is tasked with stealing information to support strategic foreign policy and political decision-making. Given the SVR’s remit, IRON HEMLOCK is likely used to support traditional SVR espionage operations overseas. IRON HEMLOCK has evolved a range of intrusion methods and capabilities that have enabled the group to retain its effectiveness despite multiple public disclosures.
IRON HEMLOCK operations observed by CTU researchers since 2016 have been stealthy and targeted, using multiple layers of encryption within malware and to protect communications between malware and C2 servers. The group seems to be adept at developing and deploying custom PowerShell malware and may even develop PowerShell-based tools specific to a single operation. Third party reporting in 2019 also suggests heavy use of steganography to disguise its malware. IRON HEMLOCK’s activities appear to be limited to strategic targets or perhaps to support broader SVR operations, so the volume of activity is likely far lower than other Russian government groups.