A Russian cyberespionage operation which was one of the groups which hacked into Democratic National Committee in the run-up to the 2016 US Presidential election has been busy with attacks against government departments across Europe and beyond. The Cozy Bear hacking group – also known as APT29 – is believed to be associated with the Russian intelligence service and, alongside Russian military hacking group Fancy Bear, was involved in a number of high profile attacks between 2014 and 2017. In the time since then, Cozy Bear appeared to go quiet, but now cybersecurity analysts at ESET have detailed how the group – which they refer to as Dukes – have continued their activity while attempting to staying under the radar. The newly uncovered campaign – dubbed Operation Ghost by researchers – started in 2013 and continued into 2019, meaning the group never stopped its espionage activity, ZDNet reported.  Read Less

There can be a misunderstanding in the security intelligence world that once a threat actor or group has been attributed that they halt their activities. APT groups mission statements and goals rarely change because they’ve been caught. A more realistic response are these APT groups destroy their infrastructure and malicious code that was exposed. Often times the techniques they used can no longer be used, such as using Reddit as a C2 server for the PolyglotDuke malware from Cozy Bear. Operation Ghost is the newest activity pattern from the Cozy Bear group that has gone back to 2013.One strategy to attributing a piece of malware used in an attack and APT groups are identifying code reuse. In the case of the PolyglotDuke malware and the OnionDuke malware, there is evidence showing identical encryption code functions. This says with reasonably high confidence that the two malware executables are from the same malware author. One of the most interesting techniques used by the Cozy Bear APT group is their use of legitimate and often whitelisted web services to communicate with their victims. Twitter, Reddit, Dropbox and Imgur all being very commonly used platforms and always associated with legitimate activity. To a security investigator looking at network traffic, CozyBear C2 communication would be almost impossible to detect. Stenography is heavily used by Cozy Bear. Stenography in this use case is embedding malicious commands inside of a picture file that gets downloaded, interpreted and then executed by the victim malware. To a security investigator the behaviour here looks like a user went to Reddit and looked at a picture of a cat, for example. Combine using legitimate web platforms for communication with stenography techniques make CozyBear’s techniques extremely sophisticated and deserving of the APT title. Just because APT groups get exposed doesn’t mean they stop advancing with their goals or mission.  Read Less