Advanced persistent threat (APT) group Cozy Bear became internationally infamous in 2016 for hacking the Pentagon, the Democratic National Committee and a number of United States NGOs. The Russian hackers seemed to disappear after that, with no news of them attacking high-profile targets.
It turns out that Cozy Bear never went away; the group just went dark for an extended period. Researchers at Slovak cybersecurity company ESET have been tracking the group since 2013, and they have recently identified at least three European nations that appear to have been hit by the group since it went underground in 2016.
The story of Cozy Bear
Analysis of unique malware that the Russian hackers use indicates that Cozy Bear has been active since at least 2008, and has targeted governments since 2010. The group’s standard practice is to execute a targeted spear phishing attack, luring victims into installing malware that gives the group a low-profile backdoor into target networks.
The group gained the alternate name “Office Monkeys” thanks to their first high-profile attack on the United States government in 2014. Cozy Bear used email phishing to attack a private research institute in Washington DC, passing malware via a comedic Flash video of monkeys working in an office.
Cozy Bear is also sometimes referred to as “The Dukes” or “CozyDuke” due to the MiniDuke malware package that the group appears to have developed and has been known to use since 2010.
The secretive hacking group was infiltrated by the Dutch intelligence service in 2014, which believes that Cozy Bear works as part of Russia’s Foreign Intelligence Service (SVR). Research by security firm Crowdstrike indicates that the group may also work with Russia’s Federal Security Service counterintelligence unit.
The Russian hackers return
The first indication that Cozy Bear had made a comeback was in late 2018. In November of that year, California-based cybersecurity firm FireEye reported that a series of phishing attempts had been made on customers that work with United States government agencies. These attempts were consistent with the attack methods used by Cozy Bear in 2016. Though over 20 FireEye clients were targeted, the attacks were largely unsuccessful; only one hospital and one corporate consultant were compromised.
ESET has more recently uncovered activity that it believes to be connected to “Operation Ghost,” a campaign by the Russian hackers against high-value government targets that has been running since 2013.
Cozy Bear has updated their tactics to become less noticeable and harder to track. The group now uses unique command and control (C2) servers for each target, making it much more difficult to trace connections between attacks. The most advanced malware families used by the group can mimic a valid user’s browser while communicating with the C2 server as a means of avoiding detection.
The malware fetches the location of the server from encoded social media posts, or from images in a Dropbox or OneDrive account that hide the address using steganography techniques. This defeats a number of common automated detection techniques. The malware does not contain any of the odd URLs that will trip detection systems, and it will not attempt malicious activity when run in a local sandbox as it cannot retrieve the C2 server locations.
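The practical consequence of the steganographic C2 lookup described above is that the server address is never present as a literal string in the sample or in the hosted image, so string scanning finds nothing; an analyst who has retrieved the image has to carve the hidden data out of the pixel values instead. The following Python is an added illustration written for this page, not code from ESET or from the article: it recovers a hidden address from the least-significant bits of an 8-bit grayscale pixel list, checks that a plain string search would have missed it, and builds its own constructed cover image and placeholder address (`example.invalid`) so it runs offline. The embedding function exists only to produce that constructed sample. Real images would first be decoded into a pixel list (for instance with Pillow, which is assumed and not used here), and the bit order and channel layout used by a given malware family are assumptions an analyst would confirm from the sample.

```python
import re

# Constructed placeholder hidden address; not an indicator from the ESET report.
SAMPLE_ADDRESS = b"http://c2-placeholder.example.invalid/gate\x00"

# Plain URL pattern; NUL and spaces terminate a match.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._\-/:%?=&]+")


def build_sample_cover(width=64, height=16):
    """Constructed 8-bit grayscale gradient standing in for a real cover image."""
    return [(x * 255) // (width - 1) for _ in range(height) for x in range(width)]


def embed_lsb(cover, payload):
    """Replace the least-significant bit of successive pixels with payload bits
    (MSB-first within each byte). Used here only to build the constructed sample."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = list(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def extract_lsb_bytes(pixels, max_bytes=512):
    """Carve the LSB plane back into bytes, assuming MSB-first bit order."""
    out = bytearray()
    limit = min(len(pixels), max_bytes * 8)
    for i in range(0, limit - 7, 8):
        byte = 0
        for p in pixels[i:i + 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)


def find_hidden_url(pixels):
    """Return the first URL found in the carved LSB plane, or None if there is none."""
    match = URL_RE.search(extract_lsb_bytes(pixels))
    return match.group(0).decode("ascii") if match else None


def contains_literal(pixels, needle):
    """What a naive string scan of the raw pixel bytes would see."""
    return needle in bytes(pixels)


if __name__ == "__main__":
    stego = embed_lsb(build_sample_cover(), SAMPLE_ADDRESS)
    print("literal search finds address:", contains_literal(stego, b"http://"))
    print("carved from LSB plane:", find_hidden_url(stego))
```

Against an unmodified cover the carve returns nothing, which is the check an analyst wants before trusting a hit; against the constructed sample the literal search fails while the LSB carve yields the placeholder address, which is exactly why detection for this technique has to happen at the network or behavioural layer rather than by scanning the sample for URLs.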
ESET believes that Cozy Bear has been focusing on the Ministries of Foreign Affairs of European nations since their 2016 election meddling. The Russian hackers appear to have compromised at least three such agencies. ESET has not named the nations involved, but did state that one Washington DC embassy was breached as part of the ongoing espionage activity.
Cozy Bear’s new toys
The Russian hackers are still using MiniDuke as their primary attack method, but they have added at least three new tools to their arsenal. They have a new downloader called PolyglotDuke, a backup backdoor called RegDuke that keeps an access path open when other elements of MiniDuke are detected and shut down, and a specialized backdoor called FatDuke deployed exclusively for compromising high value targets running Windows.
This larger array of implants gives Cozy Bear a much stronger foothold in the networks that they penetrate. All of the elements must be found and removed, or the remaining elements can be used to re-establish a presence.
What’s in the future?
The reemergence of Cozy Bear demonstrates that these state-backed hacking groups never really disappear. If a known espionage group stops being visible for an extended period, it’s probably just an indication that they have refined their tactics and become harder to detect.
All of Russia’s cyber espionage assets are likely gearing up to interfere in the 2020 United States presidential election in whatever ways are available to them, given the interest that Russia took in the 2016 proceedings. In addition to their propaganda campaigns and email hacking, a mid-2019 report by the Senate Intelligence Committee found that Russian hackers attempted to break into the election infrastructure of all 50 states.
There may be greater incentive to directly manipulate election results as social media companies ramp up efforts to remove misinformation and attempts to influence elections from their platforms. These efforts have not necessarily been effective, however, as Democratic primary candidate Elizabeth Warren demonstrated recently with an intentionally false Facebook ad that made it appear that Mark Zuckerberg had endorsed Donald Trump for a second term.
The MO of Cozy Bear (and its counterpart Fancy Bear) is phishing and hacking campaigns rather than disinformation, and there is reason to believe the group may play a more active role in this election cycle. While there is no evidence that vote totals were altered in any state in 2016, cybersecurity experts believe the Russian hackers were mapping out the topology of the networks for a possible future operation.
The US has struggled to implement increased election security measures due to political strife, creating numerous openings for a threat actor. A June report from the Stanford Cyber Policy Center indicates that three states are still using an all-digital voting system, an additional 10 have precincts that do not produce paper verification of votes, and over 20 states do not have post-election audit processes in place. Voting machine suppliers are still largely unregulated, and 45 states still have voting machines in certain precincts that are no longer manufactured or officially supported by the vendor. In 40 states, there are machines that are more than 10 years old still in service.