18 October 2019

Cozy Bear flows silently under radars, keeps targeting government entities

Cyber-espionage group Cozy Bear has been busy conducting attacks against high-value government targets while successfully staying undetected for the past three years, security researchers from ESET have found.

The group, also known as APT29 and the Dukes, briefly stole the spotlight after its suspected involvement in the 2016 breach of the Democratic National Committee, then seemingly disappeared from the cyber-espionage scene. According to ESET, however, the hackers never stopped: the operation the firm calls Operation Ghost has been running since at least 2013 and went undetected thanks to stealthy command-and-control (C&C) communication techniques and a set of new malware implants.

The researchers found three previously unknown malware families they attribute to Cozy Bear - PolyglotDuke, RegDuke and FatDuke. These implants were in use until very recently, with the latest observed sample deployed in June 2019, which indicates that the group remained active after 2016, developing new tools and compromising targets of interest. According to ESET, the campaign affected the Ministries of Foreign Affairs of at least three European countries, as well as the Washington DC embassy of a European Union country.

The researchers analysed the new implants Cozy Bear uses at the different stages of an attack.

  • PolyglotDuke - a first-stage downloader that retrieves its C&C URL from Twitter or other public websites such as Reddit and Imgur, and then drops the previously documented MiniDuke backdoor.

  • RegDuke - a first-stage backdoor kept as a backup for when the attackers lose control of the other implants on a compromised machine. Its purpose is to remain undetected for as long as possible, so that the operators never completely lose control of a machine they have compromised.

  • FatDuke - a third-stage backdoor deployed only on the most valuable machines, dropped either by MiniDuke or through the Windows PsExec utility.

During their investigation, ESET's researchers also discovered LiteDuke, a previously unknown and apparently retired third-stage backdoor. They also noticed that the hackers avoid reusing C&C network infrastructure across victims, which limits how far indicators from one intrusion help in finding the next.
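The first-stage behaviour described above, a loader that fetches its C&C address from a public site before contacting infrastructure that is unique to the victim, lends itself to a behavioural hunt rather than an indicator match. The following Python script is an added example and is not ESET's code or anything from the whitepaper: it parses a constructed web-proxy log format and flags clients that contact a never-before-seen host shortly after fetching from one of the dead-drop sites named in the article. The log format, the domain list, the five-minute window and the sample lines are all assumptions made for illustration.

```python
"""Behavioural hunt for a dead-drop-resolver pattern in web-proxy logs.

Added example, not ESET's code. The log format, domain list, window and
sample lines below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Public services the article names as dead drops for the C&C URL (assumed list).
DEAD_DROP_DOMAINS = ("twitter.com", "reddit.com", "imgur.com")

# Constructed sample lines: "<ISO timestamp> <client IP> <method> <url> <status>".
SAMPLE_LOG = """\
2019-06-03T09:00:01Z 10.1.2.3 GET https://www.google.com/search?q=x 200
2019-06-03T09:00:05Z 10.1.2.3 GET https://i.imgur.com/abc123.png 200
2019-06-03T09:00:40Z 10.1.2.3 GET https://cdn-updates.example.net/index.php 200
2019-06-03T09:01:00Z 10.1.2.4 GET https://www.reddit.com/r/news 200
2019-06-03T09:03:00Z 10.1.2.4 GET https://www.reddit.com/r/news/comments/1 200
2019-06-03T09:10:00Z 10.1.2.5 GET https://www.microsoft.com/ 200
2019-06-03T11:00:00Z 10.1.2.3 GET https://cdn-updates.example.net/index.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    host = (urlsplit(m.group(4)).hostname or "").lower()
    return {"ts": ts, "client": m.group(2), "method": m.group(3),
            "url": m.group(4), "host": host, "status": int(m.group(5))}


def is_dead_drop(host):
    """True if host is one of the dead-drop domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in DEAD_DROP_DOMAINS)


def find_dead_drop_followups(log_text, baseline=(), window=timedelta(minutes=5)):
    """Return (client, dead_drop_url, new_host) triples.

    A triple is emitted when a client fetched a dead-drop page and then, within
    `window`, contacted a host that neither the baseline nor any earlier line in
    the log had ever contacted. Dead-drop hosts themselves are never candidates.
    """
    seen = {h.lower() for h in baseline}
    last_drop = {}  # client -> (timestamp, url) of its most recent dead-drop fetch
    hits = []
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    for e in events:
        host = e["host"]
        if is_dead_drop(host):
            last_drop[e["client"]] = (e["ts"], e["url"])
        elif host not in seen:
            drop = last_drop.get(e["client"])
            if drop and e["ts"] - drop[0] <= window:
                hits.append((e["client"], drop[1], host))
        seen.add(host)
    return hits


if __name__ == "__main__":
    for client, drop_url, new_host in find_dead_drop_followups(SAMPLE_LOG):
        print(f"{client}: fetched {drop_url}, then first contact with {new_host}")
```

The heuristic is deliberately coarse. Seed `baseline` with the hosts your proxy normally sees so that ordinary first visits do not fire, and treat a hit as a pivot point for examining the process that made the request and for the PsExec activity the article mentions, not as a verdict on its own.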

The attribution of Operation Ghost to Cozy Bear rests on strong code similarities with documented malware samples the threat actor used in previous campaigns. ESET does not, however, exclude the possibility of a false-flag operation.

“We cannot discount the possibility of a false flag operation; however, this campaign started while only a small portion of the Dukes’ arsenal was known. In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now,” ESET says.

An in-depth technical analysis of the newly discovered Cozy Bear malware tools is provided in ESET's whitepaper.
