A Russian cyber-espionage group, one of the two that hacked into the Democratic National Committee in the run-up to the 2016 US presidential election, has been busy with attacks against government departments across Europe and beyond.
The Cozy Bear hacking group – also known as APT29 – is believed to be associated with the Russian intelligence service and, alongside Russian military hacking group Fancy Bear, was involved in a number of high profile attacks between 2014 and 2017.
In the time since then, Cozy Bear appeared to go quiet, but cyber security analysts at ESET have now detailed how the group – which they refer to as the Dukes – has continued its activity while attempting to stay under the radar.
The newly uncovered campaign – dubbed Operation Ghost by researchers – started in 2013 and continued into 2019, meaning the group never stopped its espionage activity.
In attacks using four new families of malware, Cozy Bear has targeted ministries of foreign affairs in at least three European countries, as well as the Washington DC embassy of a European Union member state.
Researchers have attributed Operation Ghost to Cozy Bear because the attacks use backdoor malware associated with previous activity by the group – MiniDuke – although this version appears to have been updated. The group also appears to be mostly active during working hours in Russia, with occasional activity at night.
Like other campaigns by Cozy Bear, the attacks are believed to begin with targeted spear-phishing emails designed to lure victims into clicking a malicious link or opening a malware-laden attachment – although the initial compromise emails for Operation Ghost have not yet been identified.
From there, the attackers steal login details to move across networks, often using administrator credentials to do so.
Three of the new malware families, which researchers have named PolyglotDuke, RegDuke and FatDuke, are used to conduct operations on compromised systems.
PolyglotDuke retrieves the address of its command and control (C&C) infrastructure from posts on Twitter, Reddit, Imgur and other legitimate websites, so the attackers never have to store the C&C URL in the malware itself – something which helps it avoid detection.
"Automated systems are less likely to flag an executable as malicious if it only contains URLs of legitimate websites. Moreover, if the malware is executed in a sandbox, without internet access, it won't perform any malicious activity as it cannot reach the C&C server," Matthieu Faou, ESET malware researcher and the author of the research, told ZDNet.
"Finally, it allows attackers to easily update the C&C URL as they just need to replace the message," he added.
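The mechanism Faou describes is a dead-drop resolver: the binary carries only the URL of a public post, and the C&C address is hidden inside that post. The following is an added illustration, not code from ESET's report or from the Dukes' malware, and it does not reproduce PolyglotDuke's actual encoding (the page does not describe it). It hides a URL in a decoy message using zero-width Unicode characters as a stand-in for whatever scheme the real implant uses, resolves it through a pluggable fetch function, and shows the two properties quoted above: the implant stays idle when the drop cannot be reached, and the operator rotates the C&C by editing the post. All URLs, post texts, and function names are constructed for the example.

```python
import re
from typing import Callable, Dict, Iterable, Optional

# Two zero-width code points stand in for the bits of the hidden URL.
ZW_ZERO = "\u200b"  # ZERO WIDTH SPACE      -> bit 0
ZW_ONE = "\u200c"   # ZERO WIDTH NON-JOINER -> bit 1
ZW_RE = re.compile(f"[{ZW_ZERO}{ZW_ONE}]")


def hide_url(cover_text: str, url: str) -> str:
    """Operator side: embed `url` invisibly after the first word of `cover_text`."""
    bits = "".join(f"{b:08b}" for b in url.encode("ascii"))
    payload = "".join(ZW_ONE if bit == "1" else ZW_ZERO for bit in bits)
    head, sep, tail = cover_text.partition(" ")
    return head + payload + sep + tail


def extract_url(post_text: str) -> Optional[str]:
    """Implant side: recover a hidden URL, or None if the post carries nothing usable."""
    zw = ZW_RE.findall(post_text)
    # A handful of zero-width characters occur in ordinary text (e.g. Persian ZWNJ);
    # require a whole number of bytes and a plausible URL before accepting anything.
    if len(zw) < 8 or len(zw) % 8:
        return None
    bits = "".join("1" if ch == ZW_ONE else "0" for ch in zw)
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    try:
        url = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return url if url.startswith(("http://", "https://")) else None


def resolve_c2(fetch_post: Callable[[str], str], drop_urls: Iterable[str]) -> Optional[str]:
    """Try each dead drop in order; a sandbox with no network yields None, so the
    implant has no address to contact and performs no malicious activity."""
    for drop in drop_urls:
        try:
            post = fetch_post(drop)
        except OSError:
            continue  # drop unreachable: try the next one
        c2 = extract_url(post)
        if c2:
            return c2
    return None


def has_zero_width_payload(text: str, min_chars: int = 16) -> bool:
    """Defender side: flag text carrying far more zero-width characters than prose needs."""
    return len(ZW_RE.findall(text)) >= min_chars


# Constructed sample: the operator's public posts, keyed by their (made-up) URLs.
DROP_URLS = ["https://social.example/u/traveller/status/1", "https://images.example/a/xyz"]
DROPS: Dict[str, str] = {
    DROP_URLS[0]: hide_url("Great weather in Prague today", "https://c2-one.example.net/api"),
    DROP_URLS[1]: "Just a holiday album",  # innocuous post, nothing hidden
}


def online_fetch(url: str) -> str:
    """Simulates an HTTP GET against the constructed drops."""
    if url not in DROPS:
        raise OSError("404")
    return DROPS[url]


def offline_fetch(url: str) -> str:
    """Simulates a sandbox with no internet access."""
    raise OSError("network unreachable")


def rotate_c2(new_url: str) -> None:
    """Operator swaps the C&C by editing the post; the implant binary is untouched."""
    DROPS[DROP_URLS[0]] = hide_url("Great weather in Prague today", new_url)


if __name__ == "__main__":
    print("online :", resolve_c2(online_fetch, DROP_URLS))
    print("sandbox:", resolve_c2(offline_fetch, DROP_URLS))
    rotate_c2("https://c2-two.example.net/api")
    print("rotated:", resolve_c2(online_fetch, DROP_URLS))
    print("flagged:", has_zero_width_payload(DROPS[DROP_URLS[0]]))
```

A string scan of the implant would show only `social.example` and `images.example`, which is the point Faou makes about automated classifiers; the defensive check at the end works on the other side of the channel, on the post content, where an excess of zero-width characters is a cheap heuristic for this particular stand-in encoding.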
Meanwhile, RegDuke is a loader that keeps its main payload in the Windows registry and uses steganography to hide it. The third new malware family is FatDuke, which researchers describe as a sophisticated backdoor able to steal login credentials and other data of interest to espionage operations – especially those against high-ranking government departments.
"These organizations typically deal with highly-sensitive documents about national or worldwide policy. Thus, from an espionage perspective, they are very valuable targets," said Faou.
The ESET report states that researchers will continue to monitor activity by Dukes and a list of Indicators of Compromise has been posted to GitHub to help potential victims detect attacks.
Researchers also warn that an APT group appearing to go dark does not mean it has stopped its espionage activity – the very nature of spying means such groups do all they can to avoid detection. And while groups like Cozy Bear may occasionally pause, conducting espionage is ultimately their full-time job, so the group will return again in future.
"We can expect them to develop new tools to be able to re-start their attacks in the next weeks or months," said Faou.