Russian Hackers Silently Hit Government Targets for Years

Russia-linked threat actor APT29 has been successfully avoiding detection for the past three years while compromising multiple government targets, ESET’s security researchers report.


Also known as the Dukes, CozyDuke, and Cozy Bear, the state-sponsored group has been active for over a decade and is believed to have been involved in the 2016 attacks against the Democratic National Committee (DNC), the formal governing body for the U.S. Democratic Party.


The hackers are believed to have attempted another infiltration into DNC computers in November 2018. The attack employed spear-phishing messages that CrowdStrike and FireEye previously attributed to APT29.


APT29 was named in numerous reports on the hacking ahead of the 2016 U.S. presidential election and the group apparently went silent in early 2017.


According to ESET, however, the hackers actually continued an operation they likely started around six years ago, one that affected the Ministries of Foreign Affairs of at least three European countries.


In a report published today, ESET’s security researchers detail a sophisticated campaign attributed to the group, which they refer to as Operation Ghost. The attacks have been ongoing since at least 2013 but remained undetected thanks to stealthy communication techniques and regular retooling.


As part of the campaign, the hackers used new malware families, namely PolyglotDuke, RegDuke, FatDuke, and LiteDuke, as well as a previously documented backdoor, MiniDuke.


The first-stage malware employed online services such as Twitter, Imgur and Reddit as command and control (C&C) channels, while the use of techniques such ..