Russia’s Cozy Bear Hackers Resurface With Clever New Tricks

In the notorious 2016 breach of the Democratic National Committee, the group of Russian hackers known as Fancy Bear stole the show, leaking the emails and documents they had obtained in a brazen campaign to sway the results of the US presidential election. But another, far quieter band of Kremlin hackers was inside DNC networks as well. In the three years since, that second group has largely gone dark—until security researchers spotted them in the midst of another spy campaign, one that continued undetected for as long as six years.

Researchers at the Slovakian cybersecurity firm ESET today released new findings that reveal a years-long espionage campaign by a group of Kremlin-sponsored hackers that ESET refers to as the Dukes. They’re also known by the names Cozy Bear and APT29, and have been linked to Russia’s Foreign Intelligence Service, or SVR. ESET found that the Dukes had penetrated the networks of at least three targets: the ministries of foreign affairs of two Eastern European countries and one European Union nation, including the network of that EU country’s Washington, DC embassy. ESET declined to reveal the identities of those victims in more detail, and notes that there may well be more targets than those they’ve uncovered.

The researchers found that the spying campaign extended both years before the DNC hack and years after—until as recently as June of this year—and used an entirely new collection of malware tools, some of which deployed novel tricks to avoid detection. “They rebuilt their arsenal,” says ESET researcher Matthieu Faou, who presented the new findings earlier this week at ESET’s research conference in Bratislava. “They never stopped their espionage activity.”

Ghost Hunters

The Dukes haven’t been entirely off the radar since they were spotted inside the DNC in June of 2016. Later that year and in 2017, phishing emails believed to have been sent by the group hit a collection of US think tanks and non-governmental organizations as well as the Norwegian and Dutch governments. It’s not clear if any of those probes resulted in successful penetrations. And around a year ago, security firm FireEye attributed another widespread wave of phishing attacks to the Dukes, though ESET points out those emails delivered only publicly available malware, making any definitive link to the group tough to prove.

By contrast, the newly revealed set of intrusions—which ESET has named Ghost Hunt—managed to plant at least three new espionage tools inside target networks. It also leveraged a previously known backdoor, called MiniDuke, that helped ESET link the broader spy campaign with the Dukes despite the group’s recent disappearance. “They went dark and we didn’t have a lot of information,” says Faou. “But over the last year and a half, we analyzed several pieces of malware, families that were initially not linked. A few months ago, we realized it was the Dukes.”

In fact, one of the intrusions that included MiniDuke began in 2013, before the malware had been publicly identified—a strong indicator that the Dukes perpetrated the breach rather than someone else who picked up the malware from another source.

Trick Shots

The Dukes’ new tools use clever tricks to hide themselves and their communications inside a victim’s network. They include a backdoor called FatDuke, named for its size: The malware fills an unusual 13 megabytes, thanks to about 12MB of obfuscating code designed to help it avoid detection. To conceal its communications with a command-and-control server, FatDuke impersonates the user’s browser, even mimicking the user agent for the browser that it finds on the victim’s system.

The new tools also include lighter-weight implant malware ESET has named PolyglotDuke and RegDuke, each of which serves as a first-stage program capable of installing other software on a target system. Both tools have unusual means of hiding their tracks. PolyglotDuke fetches the domain of its command-and-control server from its controller’s posts on Twitter, Reddit, Imgur, and other social media. And those posts can encode the domain in any of three types of written characters—hence the malware’s name—Japanese Katakana characters, Cherokee script, or the Kangxi radicals that serve as components of Chinese characters.
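The social-media dead drop described above suggests a simple defensive heuristic: posts on a monitored feed that contain long runs of characters from the Cherokee, Kangxi Radicals or Katakana Unicode blocks deserve a closer look. The Python below is an added example, not code from ESET or from the article; the Unicode block ranges are standard, while the run-length threshold and the sample posts are constructed assumptions, and it does not attempt to decode the actual scheme, which the article does not describe.

```python
# Unicode block boundaries (inclusive) for the three scripts the article names.
CARRIER_BLOCKS = {
    "katakana": (0x30A0, 0x30FF),
    "cherokee": (0x13A0, 0x13FF),
    "kangxi_radicals": (0x2F00, 0x2FDF),
}

def classify_char(ch):
    """Return the carrier block a character falls in, or None."""
    cp = ord(ch)
    for name, (lo, hi) in CARRIER_BLOCKS.items():
        if lo <= cp <= hi:
            return name
    return None

def carrier_runs(text, min_run=8):
    """Collect (block, run_text) for every run of >= min_run consecutive
    characters drawn from a single carrier block. min_run is an assumed threshold."""
    runs, current, buf = [], None, []
    for ch in text:
        block = classify_char(ch)
        if block is not None and block == current:
            buf.append(ch)
            continue
        if current is not None and len(buf) >= min_run:
            runs.append((current, "".join(buf)))
        current, buf = block, ([ch] if block else [])
    if current is not None and len(buf) >= min_run:
        runs.append((current, "".join(buf)))
    return runs

def flag_post(text, min_run=8):
    """Flag a post whose carrier runs cannot be explained as ordinary language.
    Katakana is normal inside Japanese text, so a Katakana run is ignored when
    Hiragana or CJK ideographs also appear in the post."""
    japanese_context = any(
        0x3040 <= ord(c) <= 0x309F or 0x4E00 <= ord(c) <= 0x9FFF for c in text
    )
    suspicious = [
        (block, run) for block, run in carrier_runs(text, min_run)
        if not (block == "katakana" and japanese_context)
    ]
    return {"suspicious": bool(suspicious), "runs": suspicious}

# Constructed sample posts (not real indicators).
CHEROKEE_POST = "great hike today ᏣᎳᎩᎠᎡᎢᎣᎤᎥᎦ #outdoors"
JAPANESE_POST = "コンピューターセキュリティの話"
PLAIN_POST = "just a normal english post"
```

The threshold and context rule are starting points: a real monitor would also weigh poster history and post frequency, since short runs or a single odd script are common in legitimate multilingual content.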
