General description
CozyDuke primarily targets the public sector and hunts for confidential information. CozyDuke has an impressive arsenal of self-produced malware and often uses alternative execution methods in its attacks, such as PowerShell and WMI.
Group's objectives
- Espionage
Tools
- CloudDuke
- Cobalt Strike
- CosmicDuke
- CozyCar
- CozyDuke
- FatDuke
- GeminiDuke
- HammerToss/HammerDuke
- LiteDuke
- meek
- MiniDuke
- Net
- OnionDuke
- PinchDuke
- PolyglotDuke
- PoshSpy
- PowerDuke
- RegDuke
- SeaDuke
- SoreFang
- WellMail
- WellMess
Target sectors
- State sector
- Education
- Industrial sector
- Pharmaceuticals
- Telecom
- NGOs
- Defense industry
- Research companies
Target countries
- Australia
- Azerbaijan
- Belarus
- Belgium
- Bulgaria
- Brazil
- United Kingdom
- Hungary
- Germany
- Georgia
- Israel
- India
- Ireland
- Spain
- Kazakhstan
- Canada
- Cyprus
- China
- Kyrgyzstan
- Latvia
- Lebanon
- Lithuania
- Luxembourg
- Mexico
- Netherlands
- New Zealand
- Poland
- Portugal
- Russia
- Romania
- Slovenia
- USA
- Turkey
- Uganda
- Uzbekistan
- Ukraine
- France
- Montenegro
- Czech Republic
- South Korea
- Japan
Alternative group names
- APT 29
- The Dukes
- Group 100
- Yttrium
- Iron Hemlock
- Minidionis
Reports by Positive Technologies and other researchers
- https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
- https://www.carbonblack.com/blog/the-dukes-of-moscow/
- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
- https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
- https://securelist.com/the-cozyduke-apt/69731/
- https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/
- https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/
- http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016
- http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory
- https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html
- https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
- https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
- https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
- https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf
MITRE ATT&CK techniques used by the group
Technique ID | Technique name | Description |
---|---|---|
Initial Access | ||
T1566.001 | Spearphishing Attachment | CozyDuke sent phishing emails with malicious attachments containing exploits. |
T1566.002 | Spearphishing Link | CozyDuke sent phishing emails with malicious links leading to an archive with malicious content. |
T1078.002 | Valid Accounts: Domain Accounts | CozyDuke used the stolen user credentials to return to the compromised network after some time. |
T1190 | Exploit Public-Facing Application | CozyDuke exploited vulnerabilities CVE-2019-19781 in Citrix, CVE-2019-11510 in Pulse Secure VPN, CVE-2018-13379 in FortiGate VPN, and CVE-2019-9670 in Zimbra. |
Resource Development | ||
T1583.006 | Web Services | CozyDuke used Twitter as a C2 server for the HAMMERTOSS malware. |
T1587.003 | Digital Certificates | CozyDuke used a self-signed certificate to provide an mTLS connection to the C2 server. |
Execution | ||
T1129 | Shared Modules | CozyDuke used malware that loaded modules via the API function LoadLibrary. |
T1106 | Native API | CozyDuke used the API functions CreateProcess and LoadLibrary to run executable files. |
T1203 | Exploitation for Client Execution | CozyDuke used exploits for popular software, such as Microsoft Word or Adobe Reader. |
T1059.001 | PowerShell | CozyDuke used encoded PowerShell scripts to download and install SeaDuke. |
T1204.002 | Malicious File | CozyDuke sent out phishing emails with malicious documents. |
T1047 | Windows Management Instrumentation | CozyDuke used WMI to steal accounts and run malware. |
T1053.005 | Scheduled Task | CozyDuke used the task scheduler to gain persistence. |
T1569.002 | System Services: Service Execution | CozyDuke used PsExec to remotely launch malware. |
T1059.006 | Python | CozyDuke used malware written in Python. |
Persistence | ||
T1546.003 | Windows Management Instrumentation Event Subscription | CozyDuke used WMI to gain persistence on the computer. |
T1547.001 | Registry Run Keys / Startup Folder | CozyDuke used the autostart key in the Windows registry to gain persistence. |
T1547.009 | Shortcut Modification | CozyDuke used a malicious .lnk file. |
Privilege Escalation | ||
T1546.008 | Accessibility Features | CozyDuke used sticky keys to obtain system privileges. |
T1548.002 | Bypass User Account Control | CozyDuke used UAC bypass techniques. |
Defense Evasion | ||
T1112 | Modify Registry | CozyDuke used malware that could only be decrypted using a key stored in the registry. |
T1140 | Deobfuscate/Decode Files or Information | CozyDuke used malware with built-in encrypted payloads. |
T1027.002 | Software Packing | CozyDuke used UPX to package files. |
T1550.003 | Pass the Ticket | CozyDuke used a Kerberos ticket to move inside the network. |
T1070.004 | File Deletion | CozyDuke used the SDELETE utility to remove artifacts of its activity from infected computers. |
T1218.011 | Rundll32 | CozyDuke used rundll32.exe to run malware. |
T1027 | Obfuscated Files or Information | CozyDuke used PowerShell to decode Base64 data. |
T1078.002 | Domain Accounts | CozyDuke used legitimate accounts to move inside the compromised network, including administrator accounts. |
Discovery | ||
T1083 | File and Directory Discovery | CozyDuke interacted with files and folders on infected computers. |
T1135 | Network Share Discovery | CozyDuke collected a list of network folders. |
T1057 | Process Discovery | CozyDuke collected a list of running processes. |
T1049 | System Network Connections Discovery | CozyDuke executed the net use command to collect information about network connections. |
Collection | ||
T1025 | Data from Removable Media | CozyDuke collected files from connected external devices. |
T1039 | Data from Network Shared Drive | CozyDuke collected files from network folders. |
T1005 | Data from Local System | CozyDuke used backdoors that collect files by extension mask. |
Command And Control | ||
T1090.001 | Proxy: Internal Proxy | CozyDuke used a proxy to steal files from infected systems. The group also used named pipes to interact with machines that do not have Internet access. |
T1090.003 | Multi-hop Proxy | CozyDuke used a backdoor that created a hidden service to redirect traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB). |
T1008 | Fallback Channels | CozyDuke used an alternative C2 server if the main one was not available. |
T1095 | Non-Application Layer Protocol | CozyDuke used TCP to communicate with the C2. |
T1043 | Commonly Used Port | CozyDuke used port 443 for the C2. |
T1001.002 | Steganography | CozyDuke used steganography to store the C2 address in an image. |
T1102.002 | Bidirectional Communication | CozyDuke used social media platforms to hide the connection to the C2. |