Pulse Detail — Threat Intelligence

PULSE NAME

The Dukes aren’t back — they never left

WHITE Dukes AlienVault 2019-10-17 Modified: 2019-10-17

IOCs

HIGH VOLUME

It is exceptionally rare for a well-documented threat actor, previously implicated in very high-profile attacks, to stay completely under the radar for several years. Yet, in the last three years that is what APT group the Dukes (aka APT29 and Cozy Bear) has done. Despite being well known as one of the groups to hack the Democratic National Committee in the run-up to the 2016 US election, the Dukes has received little subsequent attention. The last documented campaign attributed to them is a phishing campaign against the Norwegian government that dates back to January 2017

Dukes

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1001 T1005 T1008 T1025 T1027 T1035 T1039 T1041 T1045 T1049 T1053 T1057 T1060 T1064 T1071 T1077 T1078 T1083 T1084 T1085 T1086 T1090 T1102 T1106 T1107 T1112 T1129 T1135 T1140 T1193

MALWARE FAMILIES

MiniDuke

Indicators of Compromise (94)

All domain FileHash-SHA256 URL hostname FileHash-MD5 FileHash-SHA1

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	fairfieldsch.org	—	2019-10-17
domain	coachandcook.at	—	2019-10-17
domain	fisioterapiabb.it	—	2019-10-17
domain	sistemikan.com	—	2019-10-17
domain	acciaio.com.br	—	2019-10-17
domain	ecolesndmessines.org	—	2019-10-17
domain	lorriratzlaff.com	—	2019-10-17
domain	salesappliances.com	—	2019-10-17
domain	publiccouncil.org	—	2019-10-17
domain	ministernetwork.org	—	2019-10-17
domain	varuhusmc.org	—	2019-10-17
domain	rulourialuminiu.co.uk	—	2019-10-17
domain	busseylawoffice.com	—	2019-10-17
domain	bandabonga.fr	—	2019-10-17
domain	skagenyoga.com	—	2019-10-17
domain	westmedicalgroup.net	—	2019-10-17
domain	ceycarb.com	—	2019-10-17
domain	motherlodebulldogclub.com	—	2019-10-17
domain	powerpolymerindustry.com	—	2019-10-17
FileHash-SHA256	153d19bf9fd09973df56a32a534122a3f7735dbeaecff7b294a93c01707b3bfa	—	2019-10-17
FileHash-SHA256	a8c966b211b7f674af5a1541b65b45e52b15f772927c71160741e656519dde36	—	2019-10-17
FileHash-SHA256	9b33ec7f5e615a6556f147b611425d3ca4a8879ce746d4a8cb62adf4c7f76029	—	2019-10-17
FileHash-SHA256	0be57d1244fefc679feb7aa9996e539481be7b8f4c9246817f81caa8c2f61a57	—	2019-10-17
FileHash-SHA256	9da31189cd6b4ca840ba84cc5c9d01a89c69e04cdaeb55b77d4588f993f76bfc	—	2019-10-17
FileHash-SHA256	ba48e087c070c711b25d1d86b354b559081cb4059c4e992dd1835861b5dbed1a	—	2019-10-17
FileHash-SHA256	a8f8e93a3426f76260d10e168dc587ed82a90e773cd750dad58a6be29031fd8b	—	2019-10-17
FileHash-SHA256	40632efe4d505cad53746150ee3f7e356f67f6e79079ed73a0d31311912037f1	—	2019-10-17
FileHash-SHA256	4f2e0453bc7505affb517b78c7c3804a79affe74d5fa947c1762d8631cc6a155	—	2019-10-17
FileHash-SHA256	f9d338ed8fc57b36275efaff4387d2450c4eac57f4d2d8367111ed7d9f2b168d	—	2019-10-17
FileHash-SHA256	57ce5b1dd5666a075f0491f864087dc00f5cde45e7d23db1fcc4ba8fd0e91ac0	—	2019-10-17
FileHash-SHA256	5b8467a9a89d83d721d28fb45fbe0ce53a9ee284b7aad93bff178ed6ea26247a	—	2019-10-17
FileHash-SHA256	b53a3d03e86bb17b58a5b2be337b4da821816524659befa966df67b3b9017943	—	2019-10-17
FileHash-SHA256	ba08468d8847c9c62325dd266491e8da917caa8e710cf5b662debfc6fa8ca1c2	—	2019-10-17
FileHash-SHA256	a95449f7c7c1ea5359bd76f25f57b89802d94f649ba059b910d8e46d9a914fcf	—	2019-10-17
FileHash-SHA256	9fed53548c8b517134797f760729ff23dfc0c645bc46833ff414b7bc68aca8f0	—	2019-10-17
FileHash-SHA256	6057b19975818ff4487ee62d5341834c53ab80a507949a52422ab37c7c46b7a1	—	2019-10-17
FileHash-SHA256	f5a66707f51c21f0acf18243245a4902d4df62a9506bcf69938433bb1e0d4517	—	2019-10-17
URL	http://www.fotolog.com/vq21p34	—	2019-10-17
URL	http://jack998899jack.imgbb.com	—	2019-10-17
URL	http://www.fotolog.com/uq44y4j19m8	—	2019-10-17
URL	http://www.kiwibox.com/AfricanRugby/info/	—	2019-10-17
URL	http://www.fotolog.com/rypnil03sl6	—	2019-10-17
URL	http://www.fotolog.com/joannevil/121000000000030009/	—	2019-10-17
URL	http://simp.ly/publish/pBn8Jt	—	2019-10-17
URL	http://www.fotolog.com/zu2of5vyfl6	—	2019-10-17
URL	http://www.fotolog.com/g1h4wuiz6	—	2019-10-17
URL	http://www.kiwibox.com/GaryPhotographe/info/	—	2019-10-17
URL	http://thinkery.me/billywilliams/5a0170161cb602262f000d2c	—	2019-10-17
URL	http://www.fotolog.com/o2rh2s2x7pu	—	2019-10-17
URL	http://www.fotolog.com/shx8hypubt	—	2019-10-17
URL	http://www.fotolog.com/i4ntff47xfw	—	2019-10-17
URL	http://www.fotolog.com/gf3z425rr0	—	2019-10-17
URL	http://www.fotolog.com/vz1g3wmwu	—	2019-10-17
URL	http://www.fotolog.com/u99aliw5g	—	2019-10-17
URL	http://www.fotolog.com/q4tusizx9xb	—	2019-10-17
hostname	mavin21c.dothome.co.kr	—	2019-10-17
hostname	jack998899jack.imgbb.com	—	2019-10-17
FileHash-MD5	e4d31bd6bb58cbeafa57f1d2a78cd249	—	2019-10-17
FileHash-MD5	98b2087f9b842320c39ab041c08fefce	—	2019-10-17
FileHash-MD5	fc7fbe66c820f17c30147235e95d31b8	—	2019-10-17
FileHash-MD5	92d2204691f8ac9274b2943f88958552	—	2019-10-17
FileHash-MD5	1559be5e8b96312f3fbe383c8d810053	—	2019-10-17
FileHash-MD5	a66a3948fe8fbce7ce8ba88eb9daa0ba	—	2019-10-17
FileHash-MD5	ffdadc7a09832c7ddf310a07ca65f816	—	2019-10-17
FileHash-MD5	e2935caf2dd982c918366549fad168ca	—	2019-10-17
FileHash-MD5	378ae22bbb1ef4b1ac031dccb3094931	—	2019-10-17
FileHash-MD5	16981cc83348c6f4e6786726eea12054	—	2019-10-17
FileHash-MD5	79b3bc9f67444f6dee1d8127a0e300ab	—	2019-10-17
FileHash-MD5	805f4fb534f8665abc74ff00741dd721	—	2019-10-17
FileHash-MD5	5e08b729bb708530d36b5d3bd1aa08fd	—	2019-10-17
FileHash-MD5	a6b1ae7b778a9f8994617d4babd7ee85	—	2019-10-17
FileHash-MD5	d96491796c402a1aebb30b00b20ac8c2	—	2019-10-17
FileHash-MD5	c8e6cab481e023001ef10dd278ff83c2	—	2019-10-17
FileHash-MD5	1e599b7cae957c2ce87f95822b9f560a	—	2019-10-17
FileHash-MD5	cc216e41ad4291d0cc4c77d88c234f6d	—	2019-10-17
FileHash-MD5	8173ccb6b3936f72bb8701025d92ff7e	—	2019-10-17
FileHash-SHA1	cf14ac569a63df214128f375c12d90e535770395	—	2019-10-17
FileHash-SHA1	9e96b00e9f7eb94a944269108b9e02d97142eedc	—	2019-10-17
FileHash-SHA1	6acc0b1230303f8cf46152697d3036d69ea5a849	—	2019-10-17
FileHash-SHA1	5905c55189c683bc37258aec28e916c41948cd1c	—	2019-10-17
FileHash-SHA1	170be45669026f3c1fc5ba2d48817dbf950da3f6	—	2019-10-17
FileHash-SHA1	a88da2dd033775f7abc8d6fb3ad5dd48efbeade1	—	2019-10-17
FileHash-SHA1	af2b46d4371ce632e2669fea1959ee8af4ec39ce	—	2019-10-17
FileHash-SHA1	718c2ce6170d6ca505297b41de072d8d3b873456	—	2019-10-17
FileHash-SHA1	b05caba461000c6ebd8b237f318577e9bccd6047	—	2019-10-17
FileHash-SHA1	0e25ee58b119dd48b7c9931879294ac3fc433f50	—	2019-10-17
FileHash-SHA1	0a5a7dd4ad0f2e50f3577f8d43a4c55ddc1d80cf	—	2019-10-17
FileHash-SHA1	d625c7ce9dc7e56a29ec9a81650280edc6189616	—	2019-10-17
FileHash-SHA1	539d021cd17d901539a5e1132ecaab7164ed5db5	—	2019-10-17
FileHash-SHA1	f7fd63c0534d2f717fd5325d4397597c9ee4065f	—	2019-10-17
FileHash-SHA1	194d8e2ae4c723ce5fe11c4d9cfefbba32dcf766	—	2019-10-17
FileHash-SHA1	4ba559c403ff3f5cc2571ae0961eaff6cf0a50f6	—	2019-10-17
FileHash-SHA1	64d6c11fff2c2aadaacee01b294afcc751316176	—	2019-10-17
FileHash-SHA1	db19171b239ef6de8e83b2926eadc652e74a5afa	—	2019-10-17

References (1)

↗ https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf