Cozy Bear/APT29/Dukes (Russia): Known as the Dukes, Russian threat actor Cozy Bear has apparently been quiet since their involvement in the hack of the Democratic National Convention in 2016, except for one spear-phishing campaign that was seen in November of 2018. Now researchers at ESET have found three malware families resurfacing that can be linked back to the group. Being linked together in what researchers call Operation Ghost, malware families PolyglotDuke, RegDuke and FatDuke have been found in the wild. Based on research done by ESET, the group was out of the public eye for many years, but they did not stop working on operation Ghost. The ongoing campaign has been responsible for compromising many government entities in Europe, as well as the European Union embassy in Washington, D.C. The group is very persistent; they steal credentials and use them to move laterally on networks. Administrative credentials have been used by the group to compromise machines from the same local network.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is