Ever since they were one of the groups involved in the infamous hack of the Democratic National Committee in 2016, the trail has largely gone cold on the Russian intelligence hackers known as Cozy Bear.
New research, however, shows Cozy Bear (also known as the Dukes) never went away at all. Although they managed to stay out of the spotlight for over two years, the group has been actively engaged in a six-year-long spying campaign targeting the ministries of foreign affairs in at least three European countries and a Washington, DC, embassy of a European Union nation, according to new work by the Slovakian cybersecurity company ESET.
Two other advanced hacking groups from Russia, bearing the code names Fancy Bear and Turla, were found on some of the same breached computers. Russian hacking groups from different arms of the government—in this case the military and the intelligence agencies—are known to aggressively compete with each other when going after high-value targets.
Cozy Bear’s persistent and meticulous campaign against a range of European political targets uses new malware and tactics in what the researchers call Operation Ghost, a campaign with roots as far back as 2013 and extending at least to June 2019.
Get in through the back door: The hackers typically start their attack with spear-phishing emails—messages carefully designed to trick very specific targets into clicking malicious links, starting a process to download dangerous software that gives Cozy Bear control of key machines and accounts. The details of how the hackers accomplish that goal show they are among the world’s best at what they do.
The campaign, carried out largely during working hours in the Moscow time zone, involved multiple new malware families that the researchers first discovered in use during this operation.
A novel malware family known as FatDuke was built by this group specifically to provide hidden, quiet backdoor access to a victim’s machine; it blends in by impersonating the target’s browser down to specific details, such as using the same user-agent string as the browser installed on the system.
Here’s how researchers hypothesize one kind of attack from Operation Ghost could unfold: A target, say a European diplomat, would receive an email crafted specifically to get her to download a malicious document. That document would contain PolyglotDuke malware whose goal is to surreptitiously install other malware on the machine. To do that, the malware looks at predetermined messages on popular sites like Reddit, which look like normal internet traffic. An image is downloaded that uses a tactic called steganography, which subtly changes an image file to hide encoded data including additional payloads. Suddenly, normal-looking photos contain malicious and nearly invisible code.
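The steganography step above is easier to reason about with a concrete toy. The following is an added, constructed example (not ESET's analysis code and not the Dukes' malware) of the generic technique: a payload written into the least significant bits of image pixels, and the "pairs of values" statistic a defender can run over a suspicious image to notice that its LSB plane has been overwritten with near-random data. The flat-list grayscale image, the 4-byte length prefix and the one-bit-per-pixel layout are assumptions of this example, not the undocumented PolyglotDuke format.

```python
"""
Constructed demonstration (not ESET's code, not the Dukes' malware) of LSB
image steganography and of a simple statistic that flags it.

Assumptions: an 8-bit grayscale image held as a flat list of ints, and an
embedding layout (4-byte big-endian length prefix, one bit per pixel) that
is ours, not the PolyglotDuke format described only in outline above.
"""
import random

WIDTH, HEIGHT = 64, 64


def make_cover_image(seed: int = 7) -> list:
    """Constructed cover: a diagonal gradient with mild noise.

    Every value is even, as in an image upsampled from a 7-bit source, so the
    LSB plane is perfectly regular and the effect of embedding is easy to see.
    """
    rng = random.Random(seed)
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            base = ((x * 127) // (WIDTH - 1) + (y * 127) // (HEIGHT - 1)) // 2
            value = 2 * base + rng.choice((-2, 0, 2))
            pixels.append(max(0, min(254, value)))
    return pixels


def embed(cover: list, payload: bytes) -> list:
    """Write a 4-byte length prefix and the payload, one bit per pixel LSB."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover image")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # replace the LSB, keep upper 7 bits
    return stego


def extract(stego: list) -> bytes:
    """Read LSBs back: the length prefix first, then that many payload bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for n in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + n * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def lsb_pair_imbalance(pixels: list) -> float:
    """Pairs-of-values statistic: sum of |h(2k) - h(2k+1)| divided by pixel count.

    LSB replacement only moves counts between bins 2k and 2k+1, so embedding
    near-random (compressed or encrypted) data drives each such pair toward
    equality. A sharp drop versus comparable clean images is the classic
    chi-square-style indicator: 1.0 means every pair is maximally unequal,
    values near 0 mean the pairs have been equalised.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    imbalance = sum(abs(hist[2 * k] - hist[2 * k + 1]) for k in range(128))
    return imbalance / len(pixels)


def demo() -> dict:
    """Round-trip a payload and run the detector on cover and stego image."""
    cover = make_cover_image()
    # Constructed stand-in for an encrypted second-stage blob: seeded random bytes.
    rng = random.Random(42)
    payload = bytes(rng.getrandbits(8) for _ in range(480))
    stego = embed(cover, payload)
    return {
        "round_trip_ok": extract(stego) == payload,
        "cover_imbalance": lsb_pair_imbalance(cover),
        "stego_imbalance": lsb_pair_imbalance(stego),
        "pixels_changed": sum(a != b for a, b in zip(cover, stego)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the output makes that the paragraph cannot: no pixel value moves by more than 1, which is why the carrier still looks like a normal photo, and the histogram-pair statistic collapses from 1.0 on the clean cover to a small fraction on the stego version. On real images the baseline is not as clean as this synthetic cover, so the statistic is a screening signal to compare against known-good images from the same source, not a verdict on its own.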
They’ll install the MiniDuke backdoor and then, as stage three of the playbook for the most interesting and important targets, they move to FatDuke. A successful deployment of FatDuke, called “the current flagship backdoor” used by the Dukes, means that battle is over.
Lying low: What’s also exceptional about this group and this campaign is the way the operation’s network infrastructure was built anew for each victim.
“This kind of compartmentalization is generally only seen by the most meticulous attackers,” ESET researchers Matthieu Faou, Mathieu Tartare, and Thomas Dupuy said in the new report. “It prevents the entire operation from being burned when a single victim discovers the infection and shares the related network [indicators of compromise] with the security community.”
Cozy Bear has been active for over a decade.
“Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying,” the researchers wrote. Cozy Bear “were able to fly under the radar for many years while compromising high-value targets, as before.”