Hunting Hidden Bears – Duke Cybersecurity Master’s Students and CrowdStrike Researched Russian Cyber Threats to U.S. Infrastructure
A Duke–CrowdStrike research collaboration looked at how Russian state-sponsored hackers operate—and came up with recommendations for how U.S. organizations can stop them before damage is done.
The study, led by students in Duke’s Master of Engineering in Cybersecurity program and guided by their professor Michael Roman, focused on some of the most notorious Russian Advanced Persistent Threat (APT) groups, including APT28 (Fancy Bear), APT29 (Cozy Bear), and APT44 (Voodoo Bear). These groups have repeatedly targeted U.S. government services, energy providers, and the defense industrial base through tactics such as spear phishing, supply chain compromises, and the covert use of legitimate software.
“Modern organizations lack effective methods to identify and mitigate risks from evolving nation-state behavior,” said Roman, who supervised the project. “This work set out to change that—illuminating how the biggest Russian APT threats evolve their tactics, what sectors face the greatest risk, and what organizations can actually do to detect these threats in their networks.”
The research does more than catalog adversaries. Drawing on CrowdStrike’s frontline intelligence, the team evaluated advanced threat-hunting techniques, including telemetry-driven detection, hypothesis-based and cross-domain hunts, and the growing role of AI and machine learning in cybersecurity operations. The result is what the authors describe as a “practical blueprint” for defenders, emphasizing endpoint detection and response, zero trust architecture, multi-factor authentication, and better integration between IT and operational technology security.
For Hrishi Deshmukh, an online student in Duke’s MEng in Cybersecurity program and the paper’s first author, the project was a chance to bridge theory and practice early in his academic journey. “Working directly with CrowdStrike on nation-state threat intelligence was incredibly motivating,” Deshmukh said. “This project gave me the rare chance to operate at the intersection of academic research and real-world security operations, and to produce work with practical impact on protecting U.S. critical infrastructure.”
Deshmukh added that the experience reshaped how he sees the field—and his future in it. “I learned how rapidly adversaries evolve and how essential it is for defenders to stay proactive, not reactive,” he said. “This research solidified my commitment to transitioning into cybersecurity full-time, especially in roles that protect people, organizations, and national-level systems.”
Another student contributor, Jenson Goh, served as project lead, coordinating team efforts, managing timelines, and helping refine the report’s language and recommendations. He said the collaboration highlighted how complex and people-driven cybersecurity work can be.
“Taking on a project manager role for the first time gave me a much clearer understanding of what the field truly requires,” Goh said. “It’s not just about technical skill—it’s about coordinating people, adapting to uncertainty, and building trust, especially when working with industry partners and sensitive information.”
CrowdStrike’s role was central to grounding the research in operational reality. According to the company, its analysts, threat hunters, and incident response teams contributed insights drawn from field operations along with data from millions of sensors deployed globally through the CrowdStrike Falcon platform.
Led by Tom Etheridge (Chief Global Professional Services Officer) and Adam Meyers (Senior VP of Counter Adversary Operations), CrowdStrike facilitated information-sharing with the Duke research team while protecting operational data. “CrowdStrike leaders Tom Etheridge and Adam Meyers were critical to the success of this research project by providing vision and support. The Duke Cybersecurity master’s program is exceptionally grateful for their participation,” said Professor Art Ehuan, Executive Director of the Duke program.
During the research presentation at October’s Cybersecurity at Duke conference, Tom Etheridge elaborated on CrowdStrike’s APT hunting methodology, while Colin Blowers (Incident Response Readiness Consultant, CrowdStrike Services) offered lessons from the front lines on how to prepare for APT attacks.
“By sharing real-world intelligence while protecting operational data, we helped ensure the recommendations were empirically grounded and actionable,” Colin Blowers stated.
CrowdStrike also emphasized the broader industry impact of the project, noting that many organizations responsible for critical infrastructure and public services lack the resources for top-tier threat intelligence. “This research sought to make actionable security insights widely accessible to organizations working for the public good,” the company said in a statement. Colin Blowers, of CrowdStrike’s incident response readiness team, emphasized another important goal: “Partnering with high-caliber cyber programs like Duke’s allows us to contribute to their development, identify opportunities for promising talent, and enrich academic research with our industry insights and operational experience.”
Professor Michael Roman said the collaboration exemplifies the value of industry–academic partnerships. “Duke’s cybersecurity program sits at the nexus of academia and industry,” he said. “Projects like this demonstrate how student-driven research, combined with industry expertise, can generate insights that directly serve the public good.”
Beyond the paper itself, the work has already sparked new initiatives at Duke, including follow-on research in the Applied AI-Cyber Lab to build AI systems capable of detecting and modeling emerging APT tactics—putting the study’s recommendations into practice at the university.
For the students involved, the experience reinforced a shared sense of purpose. As Deshmukh put it, “I genuinely believe the students and faculty at Duke can change the world—and this project showed me how cybersecurity research can be part of that change.”