IRON HEMLOCK
SUMMARY
IRON HEMLOCK (also known as The Dukes or APT29) is a cyber-espionage group that has been operating since at least 2008. In 2018, media reports detailing a Dutch counterintelligence operation against IRON HEMLOCK strongly suggested that the group is a component of the SVR, Russia's foreign intelligence agency. This evidence, combined with observations of the threat group's activities and targeting, led CTU researchers to assess with high confidence that IRON HEMLOCK is operated by one of the Russian intelligence services, and with moderate confidence that it is specifically the SVR.
The group has targeted government, foreign policy, and security-related organizations in former Soviet countries (Russia’s ‘near-abroad’) and NATO member countries. CTU analysis suggests that it is tasked with stealing information to support strategic foreign policy and political decision-making. Given the SVR’s remit, IRON HEMLOCK is likely used to support traditional SVR espionage operations overseas.
IRON HEMLOCK has evolved a range of intrusion methods and capabilities that have enabled the group to retain its effectiveness despite multiple public disclosures. The group primarily uses campaigns ranging from widespread emails crafted to look like high-volume spam messages, to targeted spearphishing emails addressed to only a few individuals that contain malicious attachments with customized content. In some incidents, IRON HEMLOCK appears to have used compromised third-party networks to conduct attacks; for example, reports linked IRON HEMLOCK to the April 2015 breach of an unclassified White House network, and some sources claimed that the initial phishing emails were distributed from U.S. State Department email servers. IRON HEMLOCK also compromised the U.S. Democratic National Committee's network in 2016.
IRON HEMLOCK operations observed by CTU researchers since 2016 have been stealthy and targeted, using multiple layers of encryption within malware and to protect communications between malware and C2 servers. The group seems to be adept at developing and deploying custom PowerShell malware and may even develop PowerShell-based tools specific to a single operation. Third-party reporting in 2019 also suggests heavy use of steganography to disguise its malware. IRON HEMLOCK's activities appear to be limited to strategic targets, or perhaps to supporting broader SVR operations, so the volume of activity is likely far lower than that of other Russian government groups.