Cozy Bear Continues Cyberattacks on European Foreign Ministries
The Russian-speaking hacker group Cozy Bear (also known as APT29 and Dukes) was highly active from 2014 to 2017. During that period, the group was accused of hacking the Democratic National Committee (DNC) ahead of the 2016 U.S. elections, as well as carrying out numerous attacks on government agencies in Europe and beyond. According to cybersecurity experts, Cozy Bear is believed to work with the FSB and has also been linked to attacks on the White House email system, the U.S. Department of State, and the Joint Chiefs of Staff.
In recent years little has been heard about Cozy Bear, apart from a single incident in November 2018 involving a phishing campaign aimed at several American organizations. This silence led some cybersecurity experts to believe the group might have ceased operations. ESET specialists have now established that this is not the case.
Researchers have identified three new malware families created by Cozy Bear: PolyglotDuke, RegDuke, and FatDuke, as well as an updated version of the previously documented MiniDuke backdoor. These tools have been used by the hackers until very recently, with the latest observed sample deployed in June 2019. The researchers have dubbed this series of activities “Operation Ghost.”
Operation Ghost: Ongoing Since 2013
ESET experts believe that Operation Ghost began as early as 2013 and continues to this day. During this time, the group has attacked at least three European foreign ministries, as well as the embassy of an unnamed EU country in Washington, D.C.
To control their malware, Cozy Bear used various online services, including Twitter, Imgur, and Reddit, and also employed steganography. In one example described by researchers, the malware payload was hidden within the metadata of an almost unaltered PNG file.
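As a defender-side illustration of the PNG metadata hiding place mentioned above, here is an added example (not from ESET's report or the group's tooling) that walks a PNG's chunk list and flags oversized metadata chunks, unexpected ancillary chunks, CRC mismatches and bytes appended after IEND. The sample images, the 512-byte threshold and the set of expected chunk types are assumptions chosen for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks that normally carry only a few bytes of text or numeric metadata.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf", b"tIME", b"pHYs", b"gAMA"}
# Other ancillary chunks a benign encoder may emit (assumed allow-list).
OTHER_KNOWN = {b"bKGD", b"cHRM", b"hIST", b"iCCP", b"sBIT", b"sPLT", b"sRGB", b"tRNS"}

def make_chunk(ctype, payload):
    """Build one PNG chunk: big-endian length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def parse_chunks(data):
    """Walk the chunk list. Returns (chunks, trailing_bytes); each chunk is (type, payload, crc_ok)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(stored) == 4 and struct.unpack(">I", stored)[0] == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, len(data) - pos

def suspicious_chunks(data, max_metadata_bytes=512):
    """Heuristic triage (threshold is an assumption): return a list of (reason, chunk_type, size)."""
    findings = []
    chunks, trailing = parse_chunks(data)
    for ctype, payload, crc_ok in chunks:
        if not crc_ok:
            findings.append(("bad-crc", ctype, len(payload)))
        ancillary = bool(ctype[0] & 0x20)  # lowercase first letter marks an ancillary chunk
        if ctype in METADATA_CHUNKS and len(payload) > max_metadata_bytes:
            findings.append(("oversized-metadata", ctype, len(payload)))
        elif ancillary and ctype not in METADATA_CHUNKS | OTHER_KNOWN:
            findings.append(("unexpected-ancillary", ctype, len(payload)))
    if trailing:
        findings.append(("trailing-data", b"", trailing))
    return findings

# Constructed 1x1 grey PNG (sample data, not from the report): IHDR + IDAT + IEND.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = make_chunk(b"IDAT", zlib.compress(b"\x00\x80"))  # filter byte + one grey pixel
CLEAN_PNG = PNG_SIGNATURE + IHDR + IDAT + make_chunk(b"IEND", b"")
# Same image with a 4 KB blob smuggled into a tEXt chunk: the image itself is unaltered.
STEGO_PNG = PNG_SIGNATURE + IHDR + make_chunk(b"tEXt", b"Comment\x00" + b"A" * 4096) + IDAT + make_chunk(b"IEND", b"")

if __name__ == "__main__":
    print("clean:", suspicious_chunks(CLEAN_PNG))
    print("stego:", suspicious_chunks(STEGO_PNG))
```

Size-based triage like this catches only bulky payloads; a small payload spread across pixel data would need statistical analysis of the image itself.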
Attribution and Technical Details
Analysts note that it is not possible to entirely rule out that someone else is conducting these operations under a false flag. However, several factors point to APT29’s involvement, in particular that this campaign overlapped in time with the group’s other attacks and began at a time when only a small part of the hackers’ arsenal was known to researchers.
A list of indicators of compromise has already been published on GitHub, and researchers have prepared a detailed report describing all the technical aspects of Cozy Bear’s new tools.