After three years out of the public eye, the notorious Cozy Bear hackers have once again been spotted in the wild by cybersecurity experts; this time, they have rebuilt their arsenal and are spearheading a massive and sophisticated espionage campaign using new tricks up their sleeves.
ESET, a cybersecurity firm based in Slovakia, has released new findings revealing a sophisticated campaign by a group of Russian-linked hackers, which it refers to as the Dukes.
Interestingly, the Dukes are the same hacking group that is also known as Cozy Bear and APT29. The discovery of this new wave of attacks from the group is significant for global cybersecurity, as the hackers have been linked to Russia's Foreign Intelligence Service (SVR).
The Kremlin-linked hacking group has been found by ESET to be launching multifaceted attacks to penetrate at least three target networks. The first two of these networks belong to the ministries of foreign affairs of two Eastern European countries, and the third belongs to a European Union nation. Targeted systems include the infrastructure of the EU country's embassy in Washington, D.C.
Aside from these broad descriptions, ESET researchers declined to provide more information about their discoveries or to reveal the identities of the victims. They noted that there is a strong possibility of more victims in the wild that they have not yet discovered.
Researchers from ESET said that the Dukes have been running an espionage campaign since 2014, two years before the state-sponsored hackers were linked to the attack against the Democratic National Committee (which leaked confidential documents and emails in an effort to influence the results of the 2016 elections in the United States), up until June of this year. In fact, at least one of the intrusions could be traced back to 2013.
“They rebuilt their arsenal,” says ESET researcher Matthieu Faou, who presented the new findings earlier this week at ESET’s research conference in Bratislava. “They never stopped their espionage activity.”
The researchers added that the hacking group had equipped itself with an entirely new collection of malware tools, some of which use creative tricks to avoid detection.
The new attacks, which ESET referred to as "Ghost Hunt," were able to penetrate systems and plant at least three new espionage tools inside the networks of their targets. Specifically, the campaign used a previously known backdoor called MiniDuke. The reuse of that backdoor helped the researchers follow the malware's trail back to the Kremlin-commissioned hacking organization.
“They went dark, and we didn’t have a lot of information,” says Faou. “But over the last year and a half, we analyzed several pieces of malware, families that were initially not linked. A few months ago, we realized it was the Dukes.”
The Dukes have become more creative with their tricks to avoid detection, ESET said. The newly revealed espionage attacks also included another backdoor, FatDuke, a piece of malware that weighs in at an unusual 13 megabytes because of about 12 MB of obfuscating code designed to help it avoid detection; it is also used to impersonate a victim's browser.