Security researchers have uncovered new activity from the notorious Kremlin-backed APT29, or Cozy Bear, group, in an information-stealing campaign targeting foreign governments.
APT29 was blamed for the infamous compromise of the Democratic National Committee (DNC) network in the run-up to the 2016 US Presidential election, an intrusion many believe helped to put Donald Trump in the White House.
Until now, however, there had been little other public evidence of the group's activity apart from a phishing campaign in November last year.
Now ESET researchers claim to have uncovered a new operation from the group, dubbed Operation Ghost, dating back to at least 2013, after discovering three previously undocumented malware families: PolyglotDuke, RegDuke and FatDuke.
Targets for Operation Ghost include foreign ministries in at least three different countries in Europe and a Washington DC-based embassy of a European Union country.
The vendor also identified several techniques characteristic of the group: using Twitter and other social media sites to host C&C URLs; hiding payloads and C&C communications inside images via steganography; and using WMI for persistence. Each of these is something defenders can hunt for, from image downloads originating on social sites to WMI event subscriptions that survive reboots.
In addition, the researchers found that some machines infected with PolyglotDuke and MiniDuke had been compromised by CozyDuke just months earlier, tying the new campaign to the group's already known tooling.
“We found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation; however, this campaign started while only a small portion of the Dukes’ arsenal was known,” explained ESET.
“In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now.”
The group’s MO is to steal credentials and use them to move laterally through networks, sometimes relying on administrative credentials to compromise further machines. PolyglotDuke, a first-stage downloader, retrieves its C&C URL from social media posts and uses steganography in images; RegDuke uses Dropbox as its C&C server; MiniDuke is the second-stage backdoor; and FatDuke is the third-stage backdoor, with functionality to steal logins and data.
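To make the steganography technique mentioned above concrete, the following is an added example written for this page; it is not code from ESET's report or from the Dukes' toolset. It shows the generic mechanism behind hiding text such as a C&C URL in an image: the bytes are spread across the least-significant bit of successive pixels, which leaves the picture visually unchanged, and a defender who knows the layout can pull them back out and flag the file. The raw 8-bit grayscale pixel buffer, the one-bit-per-pixel layout, the 16-bit length prefix and the placeholder URL are all assumptions chosen for illustration, not the encoding ESET describes for PolyglotDuke.

```python
# Added example, not ESET's or the Dukes' code. Assumptions: an image is a raw
# 8-bit grayscale buffer, one payload bit per pixel, a 16-bit length prefix,
# and a placeholder URL; the real malware's encoding is not reproduced here.
import string


def make_cover(size: int) -> bytes:
    """Constructed stand-in for a photo: a smooth 8-bit grayscale gradient."""
    return bytes((i * 7) % 256 for i in range(size))


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the LSB of successive pixels after a 16-bit big-endian length."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for a 16-bit length prefix")
    data = len(payload).to_bytes(2, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):  # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_lsb_bytes(pixels: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from pixel LSBs starting at bit index `start_bit`."""
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[start_bit + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Read the length prefix, then that many hidden bytes.

    Returns b'' when the prefix does not fit inside the image, which is what an
    unmodified cover normally yields because its LSBs are effectively noise.
    """
    if len(pixels) < 16:
        return b""
    length = int.from_bytes(_read_lsb_bytes(pixels, 0, 2), "big")
    if 16 + length * 8 > len(pixels):
        return b""
    return _read_lsb_bytes(pixels, 16, length)


def looks_like_hidden_text(pixels: bytes, min_len: int = 8, threshold: float = 0.95) -> bool:
    """Detection heuristic: a decoded LSB stream that is long enough and almost
    entirely printable ASCII is far more likely to be smuggled text than sensor
    noise. Tune min_len and threshold to the false-positive rate you can accept."""
    data = extract_lsb(pixels)
    if len(data) < min_len:
        return False
    printable = sum(1 for b in data if chr(b) in string.printable)
    return printable / len(data) >= threshold


COVER_PIXELS = make_cover(4096)                    # constructed 64x64 "image"
HIDDEN_TEXT = b"https://example.invalid/c2-path"   # placeholder, not a real C&C

if __name__ == "__main__":
    stego = embed_lsb(COVER_PIXELS, HIDDEN_TEXT)
    changed = sum(1 for a, b in zip(COVER_PIXELS, stego) if a != b)
    print(f"pixels altered: {changed} of {len(stego)}, each by at most 1")
    print("recovered:", extract_lsb(stego))
    print("flag clean cover:", looks_like_hidden_text(COVER_PIXELS))
    print("flag stego image:", looks_like_hidden_text(stego))
```

Running it shows that fewer than 300 of 4096 pixel values change, and none by more than one gray level, which is why visual inspection never catches this; the printable-ASCII heuristic does, but only because the layout is known. A real hunt would instead compare an image's LSB statistics against the camera or site it supposedly came from, and pair that with the network context the article describes: hosts pulling images from social media or Dropbox shortly before unexpected outbound traffic.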