Lost Russian Cyber Spies Return

The hackers, also known as Cozy Bear, who are linked to Russian intelligence, have been using Twitter and Reddit forums to send coded messages. The clandestine Russian cyber espionage ring known as The Dukes which disappeared for almost 3 years has come back into the cyber security agenda. 

The Dukes was probably testing and operating in different directions and now a cryptic Reddit post suggests that they are back as Russian hackers. Also called Cozy Bear and APT29, the Dukes have been linked to Russia’s Foreign Intelligence Service. 

Like other Russian hackers in the DNC’s network, the Dukes were ones who lurked quietly, undetected by the Democrats, for nearly a year before the GRU’s hackers barged in to carry out Putin’s 2016 election interference plan. In January 2017, as global concern about Russia’s state-sponsored hacking increased and the Dukes vanished. A phishing campaign against the government of Norway was the last hack attack strongly linked to the group. 

A year later a Dutch newspaper detailed a remarkable years-long counter-hack against the Dukes in the years before they went dark. 

The Dutch intelligence agency AIVD broke into the Dukes network in 2014 and spent years watching the Russians, at one point literally eyeballing them through the security cameras in the Moscow university the Dukes were operating from.  From their privileged perch, the Dutch relayed information to US officials in real time to help thwart the Dukes’ breach of US State Department systems and then tipped off the US again when the Dukes hit the DNC in 2015. 

The FBI later passed the warning to the DNC, which didn’t initially take it seriously. Experts speculated the Dukes had been shut down or were busy regrouping in the wake of unwanted publicity and the embarrassing Dutch counter-hack.

But a recent report by researchers at the European security firm ESET concludes that the Dukes never went away at all, they just retooled, developing new harder-to-spot versions of their custom malware. 

Based on code similarities, a common custom encryption algorithm and other indicators, ESET said it’s linked the Dukes to a continuous chain of hacks dating back to 2013, and still going on as of last June. 

“We spent months apparently chasing a ghost then, a few months ago, we were able to attribute several distinct intrusions to the Dukes,” reads the report by ESET researchers Matthieu Faou, Mathieu Tartare and Thomas Dupuy. 

The Russians’ targets include three unnamed European foreign affairs ministries and an unnamed European embassy in Washington all typical targets for cyber espionage.

The Dukes’ creative opsec is one reason they’ve stayed invisible for so long. The hackers often use coded messages broadcast on Twitter or dropped on Dropbox to communicate with their hacked machines secretly in plain sight, even posting Stegano-graphically-coded photos on public image boards.

ESET’s research adds Reddit to the list of sites co-opted into cyber espionage. The researchers identified two accounts dating to 2014 that were created for the sole purpose of posting coded messages on some subreddits, including the r/funny humor board. 

The hackers’ malware would check for new posts and decrypt a seemingly-nonsensical word in the comment to get the website address of one of the Dukes’ command-and-control servers. ESET conclude that for state-sponsored hackers “going dark for several years does not mean they have stopped spying. They might pause for a while and re-appear in another form, but they still need to spy.”

Daily Beast:       We Live Security:     F-Secure:

You Might Also Read:

Spy vs Spy - Cozy Bear Hackers Hacked:

 

 

« Cyber Security Service Supplier Directory
Cybersecurity And The EU's Regime For 5G Networks »

Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

DigitalStakeout

DigitalStakeout

A simple and cost-effective solution to monitor, investigate and analyze data from the web, social media and cyber sources to identify threats and make better security decisions.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Free Access: Cyber Security Supplier Directory listing 5,000+ specialist service providers.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Lima Networks

Lima Networks

LIMA design and deliver IT Infrastructure solutions and services including managed Security Monitoring services.

TrustedSec

TrustedSec

TrustedSec is the leader in information security consulting services, providing tailored solutions and services for small, mid, and large businesses.

AnchorID

AnchorID

AnchorID is a digital identity company that allows consumers to use a universal username, combined with smartphone authentication, to access sites and apps.

National Defence Radio Establishment (FRA)

National Defence Radio Establishment (FRA)

The National Defence Radio Establishment (Försvarets Radioanstalt), is the Swedish national authority for Signals Intelligence, also providing Information assurance services to government authorities.

NetLib Security

NetLib Security

NetLib Security’s powerful, patented data security platform helps companies control data loss prevention (DLP) by managing what data can be transferred outside of their network.

Red Alert Labs

Red Alert Labs

Red Alert Labs is an IoT security provider. We created an independent security lab with a disruptive business offer to solve the technical and commercial challenges in IoT.

EVOLEO Technologies

EVOLEO Technologies

EVOLEO provides engineering services covering a wide range of needs in the electronics design, embedded and systems engineering.

Technology Law Alliance (TLA)

Technology Law Alliance (TLA)

Technology Law Alliance is a specialist IT law firm focussed on the fields of technology, outsourcing and e-commerce.

CloudSEK

CloudSEK

CloudSEK has set its sights on building the world’s fastest and most reliable AI technology, that identifies and resolves digital threats.

Soliton

Soliton

Soliton is a leading Japanese technology company and a pioneer in IT security solutions for protecting company resources and data from external IT security threats.

In Fidem

In Fidem

In Fidem specializes in information security management, with a bold approach that views cybersecurity as a springboard to organizational transformation rather than a barrier to innovation.

ENSCO

ENSCO

The ENSCO group of companies provides engineering, science and advanced technology solutions that guarantee mission success, safety and security to governments and private industries worldwide.