Lost Russian Cyber Spies Return

Uploaded on 2019-10-21 in INTELLIGENCE--International, FREE TO VIEW

The hackers, also known as Cozy Bear, who are linked to Russian intelligence, have been using Twitter and Reddit forums to send coded messages. The clandestine Russian cyber espionage ring known as The Dukes which disappeared for almost 3 years has come back into the cyber security agenda. 

The Dukes was probably testing and operating in different directions and now a cryptic Reddit post suggests that they are back as Russian hackers. Also called Cozy Bear and APT29, the Dukes have been linked to Russia’s Foreign Intelligence Service. 

Like other Russian hackers in the DNC’s network, the Dukes were ones who lurked quietly, undetected by the Democrats, for nearly a year before the GRU’s hackers barged in to carry out Putin’s 2016 election interference plan. In January 2017, as global concern about Russia’s state-sponsored hacking increased and the Dukes vanished. A phishing campaign against the government of Norway was the last hack attack strongly linked to the group. 

A year later a Dutch newspaper detailed a remarkable years-long counter-hack against the Dukes in the years before they went dark. 

The Dutch intelligence agency AIVD broke into the Dukes network in 2014 and spent years watching the Russians, at one point literally eyeballing them through the security cameras in the Moscow university the Dukes were operating from.  From their privileged perch, the Dutch relayed information to US officials in real time to help thwart the Dukes’ breach of US State Department systems and then tipped off the US again when the Dukes hit the DNC in 2015. 

The FBI later passed the warning to the DNC, which didn’t initially take it seriously. Experts speculated the Dukes had been shut down or were busy regrouping in the wake of unwanted publicity and the embarrassing Dutch counter-hack.

But a recent report by researchers at the European security firm ESET concludes that the Dukes never went away at all, they just retooled, developing new harder-to-spot versions of their custom malware. 

Based on code similarities, a common custom encryption algorithm and other indicators, ESET said it’s linked the Dukes to a continuous chain of hacks dating back to 2013, and still going on as of last June. 

“We spent months apparently chasing a ghost then, a few months ago, we were able to attribute several distinct intrusions to the Dukes,” reads the report by ESET researchers Matthieu Faou, Mathieu Tartare and Thomas Dupuy. 

The Russians’ targets include three unnamed European foreign affairs ministries and an unnamed European embassy in Washington all typical targets for cyber espionage.

The Dukes’ creative opsec is one reason they’ve stayed invisible for so long. The hackers often use coded messages broadcast on Twitter or dropped on Dropbox to communicate with their hacked machines secretly in plain sight, even posting Stegano-graphically-coded photos on public image boards.

ESET’s research adds Reddit to the list of sites co-opted into cyber espionage. The researchers identified two accounts dating to 2014 that were created for the sole purpose of posting coded messages on some subreddits, including the r/funny humor board. 

The hackers’ malware would check for new posts and decrypt a seemingly-nonsensical word in the comment to get the website address of one of the Dukes’ command-and-control servers. ESET conclude that for state-sponsored hackers “going dark for several years does not mean they have stopped spying. They might pause for a while and re-appear in another form, but they still need to spy.”

Daily Beast:       We Live Security:     F-Secure:

You Might Also Read:

Spy vs Spy - Cozy Bear Hackers Hacked:

 

 

« Cyber Security Service Supplier Directory
Cybersecurity And The EU's Regime For 5G Networks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Q-CERT

Q-CERT

Q-CERT is the National Computer Security Emergency Team of Qatar.

TechGuard Security

TechGuard Security

TechGuard Security was founded to address national cyber defense initiatives and US critical infrastructure security.

CERT.lu

CERT.lu

CERT.lu is an initiative to enhance cyber security practices and techniques, and support security professionals in Luxembourg.

Joint Accreditation System of Australia and New Zealand (JASANZ)

Joint Accreditation System of Australia and New Zealand (JASANZ)

JASANZ is the joint national accreditation body for Australia and New Zealand. The directory of members provides details of organisations offering certification services for ISO 27001.

Romanian Accreditation Association (RENAR)

Romanian Accreditation Association (RENAR)

RENAR is the national accreditation body for Romania. The directory of members provides details of organisations offering certification services for ISO 27001.

Careerjet

Careerjet

Careerjet is a leading online job search engine with a large presence worldwide, sourcing millions of job ads from thousands of websites from all over the world in areas including Cybersecurity.

spriteCloud

spriteCloud

spriteCloud is an independent software testing, test automation and cybersecurity services provider.

C3i Hub

C3i Hub

C3i Hub aims to address the issue of cyber security of cyber physical systems in its entirety, from analysing security vulnerabilities to developing tools and technologies.

Gray Analytics

Gray Analytics

Gray Analytics is a Cybersecurity Risk Management company providing best-practice services across a broad spectrum of cyber scenarios for both government and commercial customers.

blueAllianceIT

blueAllianceIT

blueAlliance IT is an investment and growth platform that unites local MSP and IT companies around the nation, helping them to grow and operate competitively.

Outsource Group

Outsource Group

Outsource Group is an award winning Cyber Security and IT Managed Services group working with a range of SME/Enterprise customers across the UK, Ireland and internationally.

Island

Island

Island puts the enterprise in complete control of the browser, delivering a level of governance, visibility, and productivity that simply weren’t possible before.

Cybastion

Cybastion

Cybastion develops robust world-class cybersecurity solutions tailored to suit the needs of different businesses, governments and public sector entities.

Keyrus

Keyrus

Keyrus is a global consultancy that develops data and digital solutions for performance management.

Waterleaf International

Waterleaf International

Waterleaf provide advanced network and cybersecurity solutions - informed by data sciences. Transforming Connectivity, Security and Information for Municipalities, Government & Enterprise.

CardinalOps

CardinalOps

The CardinalOps platform continuously assesses your detection posture and eliminates coverage gaps in your existing detection stack so you can easily implement a threat-informed defense.