Russia-Linked Cyber Espionage Group APT29 Remains Active
Researchers Tie 'Operation Ghost' Activity to The Dukes, aka Cozy Bear and APT29
The Russian-linked hacking group known as The Dukes, which appears to have gone quiet over the last three years, has actually been targeting European embassies and ministries in a long-running stealth campaign that researchers at security firm ESET call "Operation Ghost."
The Dukes hacking group, which is also known as Cozy Bear and APT29, is one of two suspected Russian-linked cyberespionage organizations that targeted the Democratic National Committee in the run-up to the 2016 U.S. presidential election. Now, ESET researchers say the group's hackers also appear to have been targeting embassies during a stealth campaign that might date to 2013, despite their seemingly being inactive over the past three years.
In research published Thursday, ESET analysts have linked four new malware families to suspected attacks targeting several different ministries of foreign affairs in Europe, as well as at least one EU member state's embassy in the U.S.
The Dukes group has managed to hide these activities since at least 2013, and the Operation Ghost campaign was still active as of June, says Matthieu Faou, a malware researcher at ESET.
It's not clear at this time what type of information The Dukes group was targeting, but Faou says hackers have long targeted European embassies and ministries.
"We didn't have access to the stolen information. However, the Dukes have been interested by ministries of foreign affairs for a very long time," Faou tells Information Security Media Group. "These organizations typically deal with highly sensitive documents about national or worldwide policy. Thus, from an espionage perspective, they are very valuable targets. We might expect that they stole documents and emails about ongoing diplomatic discussions."
As part of its research, ESET's team found that The Dukes group has been using four different malware families to target these embassies and ministries as part of Operation Ghost. The analysts have named these samples PolyglotDuke, RegDuke, FatDuke and LiteDuke.
As with other types of attacks, ESET researchers believe that The Dukes group uses spear-phishing emails to target embassy employees. These contain a malicious link that starts the attack and begins to plant the four malware families, researchers say.
Each malware strain appears to have a slightly different purpose.
With PolyglotDuke, the malware leverages social media platforms such as Twitter, Imgur and Reddit to act as the primary command-and-control channels, which means data is stored outside the malware itself. This helps bypass security tools and avoid detection, Faou says.
"For example, automated systems will be less likely to flag an executable as malicious if it only contains URLs of legitimate websites. Moreover, if the malware is executed in a sandbox, without internet access, it won't perform any malicious activity as it cannot reach the command and control server," Faou tells ISMG.
The ESET researchers note that The Dukes group has used social media previously to hide command-and-control servers, which is one way analysts linked this attack to other activities conducted by these hackers.
The second malware family, RegDuke, is the main payload for these attacks and it usually stores its encryption key within the main Windows registry of an infected device. The group uses steganography to hide the malware within an image file, the researchers say.
MiniDuke is part of the second stage of the attack and acts as a simple backdoor into an infected network, the researchers say. This malware also resembles similar samples that Kaspersky researchers uncovered in 2014.
Then there's FatDuke, which is the third and final stage of this particular attack. This malware is a much more sophisticated backdoor, with a much greater range of functionality, the research finds. In addition, the hackers not only obfuscate the code, but they also re-compile it frequently to help avoid detection, ESET researchers say.
Fancy and Cozy Bears
Although The Dukes or Cozy Bear has gone silent over the last three years, the ESET research indicates that the group has continued with its cyber espionage activity and has been successful in flying under the radar.
Over the years, security researchers have linked The Dukes group to the Russian government and military as well as a second, much more well-known cyber espionage organization called APT28 - aka Sofacy, Strontium and Fancy Bear - which was also involved in the U.S. election interference in 2016 (see: Russia-Backed APT Groups Compete With Each Other: Report).
In September, ESET published another report that said Fancy Bear had also been targeting ministries of foreign affairs and embassies in Eastern Europe and Central Asia with revamped, malicious tools (see: 'Fancy Bear' Hacking Group Adds New Capabilities, Targets).