Skip to Content
Election 2020

The Russian hackers who hit the 2016 election have been very busy since

New tools, tactics, and techniques show Russian hackers famous for targeting Americans have been active around the world.
The Kremlin
The Kremlin
The KremlinPhoto: The Kremlin by Mariano Mantel CC BY NC 2.0

Ever since they were one of the groups involved in the infamous hack of the Democratic National Committee in 2016, the trail has largely gone cold on the Russian intelligence hackers known as Cozy Bear.

New research, however, shows Cozy Bear (also known as the Dukes) never went away at all. Although they managed to stay out of the spotlight for over two years, the group has been actively engaged in a six-year-long spying campaign targeting the ministries of foreign affairs in at least three European countries and a Washington, DC, embassy of a European Union nation, according to new work by the Slovakian cybersecurity company ESET.

Two other advanced hacking groups from Russia, bearing the code names Fancy Bear and Turla, were found on some of the same breached computers. Russian hacking groups from different arms of the government—in this case the military and the intelligence agencies—are known to aggressively compete with each other when going after high-value targets.

Cozy Bear’s persistent and meticulous campaign against a range of European political targets uses new malware and tactics in what the researchers call Operation Ghost, a campaign with roots as far back as 2013 and extending at least to June 2019. 

Get in through the back door: The hackers typically start their attack with spear-phishing emails—messages carefully designed to trick very specific targets into clicking malicious links, starting a process to download dangerous software that gives Cozy Bear control of key machines and accounts. The details of how the hackers accomplish that goal show they are among the world’s best at what they do.

The campaign, carried out largely during working hours in the Moscow time zone, involved multiple new malware families discovered in use during this operation.

A novel malware family known as FatDuke is built specifically by this group to provide hidden and quiet backdoor access to a victim’s machine by impersonating the target’s browser down to specific details like using the same user-agent as the browser installed on the system. 

Here’s how researchers hypothesize one kind of attack from Operation Ghost could unfold: A target, say a European diplomat, would receive an email crafted specifically to get her to download a malicious document. That document would contain PolyglotDuke malware whose goal is to surreptitiously install other malware on the machine. To do that, the malware looks at predetermined messages on popular sites like Reddit, which look like normal internet traffic. An image is downloaded that uses a tactic called steganography, which subtly changes an image file to hide encoded data including additional payloads. Suddenly, normal-looking photos contain malicious and nearly invisible code.

They’ll install the MiniDuke backdoor and then, as stage three of the playbook for the most interesting and important targets, they move to FatDuke. A successful deployment of FatDuke, called “the current flagship backdoor” used by the Dukes, means that battle is over.

Lying low: What’s also exceptional about this group and this campaign is the way the operation’s network infrastructure was built anew for each victim.

“This kind of compartmentalization is generally only seen by the most meticulous attackers,” ESET researchers Matthieu Faou, Mathieu Tartare, and Thomas Dupuy said in the new report. "It prevents the entire operation from being burned when a single victim discovers the infection and shares the related network [indicators of compromise] with the security community.”

Cozy Bear has been active for over a decade. 

“Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying,” the researchers wrote. Cozy Bear “were able to fly under the radar for many years while compromising high-value targets, as before.”

Keep Reading

Most Popular

open sourcing language models concept
open sourcing language models concept

Meta has built a massive new language AI—and it’s giving it away for free

Facebook’s parent company is inviting researchers to pore over and pick apart the flaws in its version of GPT-3

transplant surgery
transplant surgery

The gene-edited pig heart given to a dying patient was infected with a pig virus

The first transplant of a genetically-modified pig heart into a human may have ended prematurely because of a well-known—and avoidable—risk.

Muhammad bin Salman funds anti-aging research
Muhammad bin Salman funds anti-aging research

Saudi Arabia plans to spend $1 billion a year discovering treatments to slow aging

The oil kingdom fears that its population is aging at an accelerated rate and hopes to test drugs to reverse the problem. First up might be the diabetes drug metformin.

Yann LeCun
Yann LeCun

Yann LeCun has a bold new vision for the future of AI

One of the godfathers of deep learning pulls together old ideas to sketch out a fresh path for AI, but raises as many questions as he answers.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.