Cyber-espionage group Cozy Bear has been busy conducting attacks against high-value government targets while successfully staying undetected for the past three years, security researchers from ESET have found.
The group, also known as APT29 and the Dukes, briefly stole the spotlight after its suspected involvement in the breach of the Democratic National Committee in 2016, but then seemingly disappeared from the cyber-espionage scene. However, according to ESET, the hackers actually continued an operation, which the firm refers to as Operation Ghost, that has been ongoing since at least 2013 but remained undetected thanks to stealthy communication techniques and the deployment of new malware.
The researchers have found three previously unknown malware families they associated with Cozy Bear - PolyglotDuke, RegDuke and FatDuke. These new implants were used until very recently, with the latest observed sample being deployed in June 2019, suggesting that the hackers have been quite active since 2016, developing new tools and compromising targets of interest. According to ESET, the campaign impacted the Ministries of Foreign Affairs in at least three different countries in Europe, as well as the Washington DC embassy of a European Union country.
The researchers analysed the new malware implants used by Cozy Bear in the different stages of an attack:
PolyglotDuke - a first-stage downloader that retrieves its C&C URL from Twitter or other websites such as Reddit and Imgur, and drops the previously documented MiniDuke backdoor
RegDuke - a first-stage backdoor used as a backup when the attackers lose control of other implants on a compromised machine. Its purpose is to stay undetected as long as possible, so that the operators never lose complete control of any compromised machine.
FatDuke - a backdoor used in the third stage of an attack, deployed only on the most valuable machines and dropped either by MiniDuke or through the Windows PsExec utility.
During their investigation, ESET’s researchers also discovered LiteDuke, a previously unknown and apparently retired third-stage backdoor. They also noticed that the hackers avoid using the same C&C network infrastructure between different victims.
The attribution of Operation Ghost to the Cozy Bear group is based on strong code similarities with documented malware samples the threat actor used in previous campaigns. However, ESET doesn’t exclude the possibility of a false-flag operation.
“We cannot discount the possibility of a false flag operation; however, this campaign started while only a small portion of the Dukes’ arsenal was known. In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now,” ESET says.
An in-depth technical analysis of the newly discovered Cozy Bear malware tools is provided in ESET's whitepaper on Operation Ghost.