Lost Russian Cyber Spies Return

Uploaded on 2019-10-21 in INTELLIGENCE--International, FREE TO VIEW

The hackers, also known as Cozy Bear, who are linked to Russian intelligence, have been using Twitter and Reddit forums to send coded messages. The clandestine Russian cyber espionage ring known as The Dukes which disappeared for almost 3 years has come back into the cyber security agenda. 

The Dukes was probably testing and operating in different directions and now a cryptic Reddit post suggests that they are back as Russian hackers. Also called Cozy Bear and APT29, the Dukes have been linked to Russia’s Foreign Intelligence Service. 

Like other Russian hackers in the DNC’s network, the Dukes were ones who lurked quietly, undetected by the Democrats, for nearly a year before the GRU’s hackers barged in to carry out Putin’s 2016 election interference plan. In January 2017, as global concern about Russia’s state-sponsored hacking increased and the Dukes vanished. A phishing campaign against the government of Norway was the last hack attack strongly linked to the group. 

A year later a Dutch newspaper detailed a remarkable years-long counter-hack against the Dukes in the years before they went dark. 

The Dutch intelligence agency AIVD broke into the Dukes network in 2014 and spent years watching the Russians, at one point literally eyeballing them through the security cameras in the Moscow university the Dukes were operating from.  From their privileged perch, the Dutch relayed information to US officials in real time to help thwart the Dukes’ breach of US State Department systems and then tipped off the US again when the Dukes hit the DNC in 2015. 

The FBI later passed the warning to the DNC, which didn’t initially take it seriously. Experts speculated the Dukes had been shut down or were busy regrouping in the wake of unwanted publicity and the embarrassing Dutch counter-hack.

But a recent report by researchers at the European security firm ESET concludes that the Dukes never went away at all, they just retooled, developing new harder-to-spot versions of their custom malware. 

Based on code similarities, a common custom encryption algorithm and other indicators, ESET said it’s linked the Dukes to a continuous chain of hacks dating back to 2013, and still going on as of last June. 

“We spent months apparently chasing a ghost then, a few months ago, we were able to attribute several distinct intrusions to the Dukes,” reads the report by ESET researchers Matthieu Faou, Mathieu Tartare and Thomas Dupuy. 

The Russians’ targets include three unnamed European foreign affairs ministries and an unnamed European embassy in Washington all typical targets for cyber espionage.

The Dukes’ creative opsec is one reason they’ve stayed invisible for so long. The hackers often use coded messages broadcast on Twitter or dropped on Dropbox to communicate with their hacked machines secretly in plain sight, even posting Stegano-graphically-coded photos on public image boards.

ESET’s research adds Reddit to the list of sites co-opted into cyber espionage. The researchers identified two accounts dating to 2014 that were created for the sole purpose of posting coded messages on some subreddits, including the r/funny humor board. 

The hackers’ malware would check for new posts and decrypt a seemingly-nonsensical word in the comment to get the website address of one of the Dukes’ command-and-control servers. ESET conclude that for state-sponsored hackers “going dark for several years does not mean they have stopped spying. They might pause for a while and re-appear in another form, but they still need to spy.”

Daily Beast:       We Live Security:     F-Secure:

You Might Also Read:

Spy vs Spy - Cozy Bear Hackers Hacked:

 

 

« Cyber Security Service Supplier Directory
Cybersecurity And The EU's Regime For 5G Networks »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CIO

CIO

CIO provides technology and business leaders with insight and analysis on information technology trends

StickyMinds

StickyMinds

StickyMinds is the web's first interactive testing community exclusively engaged in improving software quality throughout the software development lifecycle.

Egerie

Egerie

EGERIE's RiskManager solution provides a Global, Centralized, and Updated view of risk maps and security measures for your company.

Technology Industries of Finland (TIF)

Technology Industries of Finland (TIF)

Technology Industries of Finland (TIF) is a business and labour market lobbying organization that promotes the competitiveness and business conditions of Finland’s most crucial export industry.

Online Business Systems

Online Business Systems

Online Business Systems is an information technology and business consultancy. We design improved business processes enabled with robust and secure information systems.

Boldon James

Boldon James

Boldon James are market leaders in data classification and secure messaging software.

Excellium Services

Excellium Services

Excellium’s Professional Services team combines expertise and experience that complements your in-house security resources.

Randori

Randori

Randori is an attack platform that provides "red-teaming" as a service - basically, staging simulated hack attacks to test for vulnerabilities and gaps in the security response.

Edureka

Edureka

Edureka is an online technology training provider with the most effective learning system in the world. We help professionals learn trending technologies for career growth.

EYE Security

EYE Security

EYE provides enterprise-grade cyber security services and cyber insurance to SMEs in Europe, Cyber Incident Response and strategic advice in board rooms.

Hunton Andrews Kurth

Hunton Andrews Kurth

Hunton Andrews Kurth LLP serves clients across a broad range of complex transactional, litigation and regulatory matters. Practice areas include Privacy and Cybersecurity.

Liminal

Liminal

Liminal is a boutique strategy advisory firm serving digital identity, fintech, and cybersecurity clients, and the private equity / venture capital community.

CatchProbe Intelligence Technologies

CatchProbe Intelligence Technologies

CatchProbe provides actionable web intelligence, OSINT, deception systems, threat intelligence, and digital crime analytics solutions and products through an AI-Driven intelligence platform.

Assetnote

Assetnote

The Assetnote platform enables organizations to effectively map and continuously monitor their external attack surface.

CirrusHQ

CirrusHQ

CirrusHQ are a Specialist AWS Advanced Consulting Partner with a focus on Cloud Management, DevOps, Migration and Consulting Services for the private and public sectors.

SecuRedact

SecuRedact

SecuRedact is an AI-powered tool to detect and pseudonymize personal data in text and images. Fast, local, secure, and free to try.