APT 29 - Put up your Dukes

May 17, 2018 | Anomali Labs

Have you ever heard the phrase “put up your dukes” and wondered how on Earth that could equate to putting up your fists for a fight? You wouldn’t be alone in wondering. Etymologists studying this phrase have concluded that this expression, like many others that are seemingly inexplicable, likely came from rhyming slang. “Dukes of York” was slang for fork, and fork was slang for “hand” or “fist”. So the evolution of the phrase would have looked something like this:

“Put up your forks” --> “Put up your dukes of York” --> “Put up your dukes”

So why the language lesson? Looking at the evolution of that phrase over time helped us to answer some key questions. That same principle can be applied to nearly any discipline. In the case of cybersecurity, advanced threat actor groups are continuously changing their tactics, often very quickly, so that it can sometimes seem impossible to keep up and develop effective defensive strategies. However, analyzing the evolution of threat group attacks can help us to glean some important insights into their motivations, strategies, targets, and potentially their future campaigns.

Anomali recently published a timeline of malicious activity that covers a number of “dukes” put up by the Advanced Persistent Threat (APT) group “APT29,” which is one of the most sophisticated APT groups documented in the cybersecurity community. Thought to be a Russian state-sponsored group, APT29 has conducted numerous campaigns with various tactics that distribute advanced, custom malware to targets located around the globe.

Mirroring the complexity and abundance of their toolsets, APT29 is connected with a number of names. Traces of APT29 date back to 2008, but Kaspersky Labs first began attributing malicious activity to the group behind the malware dubbed “MiniDuke.” Researchers have continued to include “-duke” as a suffix for newly discovered tools, such as “PinchDuke,” “CosmicDuke,” and “OnionDuke,” leading APT29 to be commonly referred to as “the Dukes.”

APT29 has been observed attacking the same targets as other Russian state-sponsored actors, including in the 2016 hack of the Democratic National Committee. The timeline of malicious activity for APT28, the other group involved in this notorious hack, was identified and documented by Anomali.

Documentation of these high-profile APT groups presents a sobering reality – the tactics and landscape of war and conflict are evolving at an unprecedented rate. As APT groups sponsored by countries around the world continue to be documented, these groups will continue to change the methods, tactics, and tools they use to gain entry to their targets. Therefore, it is crucial to be aware of which groups target which industries, in order to identify the tactics and indicators associated with each group. Such knowledge gives cyber defenders the chance to put up some “dukes” of their own.

Read the full APT29 timeline and analysis on the Anomali Forum
