Posted on October 18, 2019 at 4:22 PM

A new report published by researchers from ESET indicates that a hacking group previously linked to Russia managed to compromise numerous targets marked by the Russian government over the course of the past three years. Not only that, but the group managed to remain undetected while doing it.

The group, known as APT29, CozyDuke, the Dukes, as well as Cozy Bear, is a well-known state-sponsored hacking group that works for the Russian government. Security researchers from around the world have been studying the group and its methods for a long time, estimating that its existence goes back for at least a decade, likely even longer.

They also linked the group to a number of high-profile hacking attacks, such as the 2016 attack on the DNC (Democratic National Committee), the US Democratic Party’s formal governing body. Another case that these hackers are believed to have ties to was an attempt to infiltrate DNC computers a year ago, in November 2018.

This attack used the spear-phishing method, meaning that the group targeted specific individuals in hopes of tricking them and getting access to their computers. However, these attacks are only the most public ones, while many others have also been attributed to APT29. For example, the group was responsible for a large number of hacking incidents before the US presidential elections of 2016, which made it all the more curious when they suddenly disappeared from the scene in early 2017.

Or did they?

The retired group was secretly active all along

According to ESET’s recent report, the group was not disbanded, nor did it stop operating. Instead, they simply continued their operations while doing everything in their power not to attract attention. They also seemingly continued an operation that was started about six years ago, which allowed them to compromise the Ministries of Foreign Affairs in several European countries.

ESET’s researchers have described the hacking campaign as a very sophisticated one and named it ‘Operation Ghost.’ The operation started in 2013, as mentioned, but the hackers managed to remain under the radar during this entire period, until now. In their efforts, the hackers used a number of new and old malware families, such as PolyglotDuke, FatDuke, MiniDuke, LiteDuke, RegDuke, and more.

The report also says that the first-stage malware made use of a number of online services — including Reddit, Twitter, and Imgur — which served as C&C channels, while the communication itself was hidden by steganography. Researchers also pointed out the hackers’ victims, stating that there are at least three of them, all European Ministries of Foreign Affairs, as well as the Washington DC embassy of the EU. Researchers also believe that the hackers’ last activity took place in June of this year.

All of the targets that the researchers were able to identify fit the APT29 profile, as do the tools that the attackers used and the tactics they employed, such as the use of websites for hosting C&C, the use of steganography, and the like. Of course, there is a possibility that someone is copying APT29 for the purpose of hiding their own identity, but researchers believe that this is not the case. Not only did the attacks start back when the group was quite active, but they used only the tools and tactics that the group became known for — before it became known for using them.

The investigation of the campaign also uncovered a number of new details about the group’s method of operation, such as the fact that they use different C&C network infrastructure for each attack, as well as the existence of LiteDuke — a third-stage backdoor that was previously unknown. Finally, researchers also uncovered that two of the group’s victims had their systems breached by the same actor back in 2015. This indicates that hackers may have had access to their systems for the last four years.

How do the attacks work?

According to the report, the attack would start with the use of PolyglotDuke, which infects the devices and acts as a downloader that further infects the system with the MiniDuke backdoor. If the hackers start losing control of their other tools on the infected device, they deploy RegDuke, a first-stage implant. It can remain undetected for long periods and ensures that the hackers maintain access to and control of the infected system.

RegDuke consists of a loader as well as a payload, which resides in memory only. Using RegDuke, the hackers can deliver a number of different file types, such as DLLs, PowerShell scripts, executables, and the like.

Meanwhile, MiniDuke acts as a second-stage backdoor. It is written in x86 assembly and has 38 different functions in total, including downloading and uploading various files, retrieving system information, creating processes, obtaining the list of local drives, identifying the drive type, reading from and writing to a named pipe, and more.

Finally, there is FatDuke, which is the group’s main backdoor, as well as a third-stage malware. FatDuke is mostly used on devices and systems that hold the greatest importance to the hackers, and it is usually installed through MiniDuke. However, it may also be delivered by other tools, like PsExec. Hackers are also known for repacking it on a regular basis, which allows them to remain undetected.

FatDuke is quite an advanced tool with a hardcoded configuration, and it allows the hackers to control it remotely. LiteDuke, on the other hand, is another third-stage backdoor that the hackers used back in 2014 and 2015. That means it might not have an active role in Operation Ghost, although it was found on some of the MiniDuke-compromised devices. And, since it uses the same dropper as PolyglotDuke (SQLite), researchers believe that it is another tool used by the group to this day.

Of all these tools, only the loader ends up written to disk, while the backdoor code exists in memory alone. There are seven functions in total that are exported by the backdoor DLL: LoadFromCC, GetDBHandle, GetCCFieldLn, SendBin, SaveToCC, GetCCFieldSize, and DllEntryPoint.
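As an added detection-side example (my code, not the article's or ESET's), the Python below parses a PE export table directly and flags a DLL whose exports match the seven names listed above; the sample DLLs it inspects are constructed inline for testing, and the match threshold of five names is an assumption for illustration.

```python
import struct
# The seven export names the article attributes to the backdoor DLL.
BACKDOOR_EXPORTS = {"LoadFromCC", "GetDBHandle", "GetCCFieldLn", "SendBin",
                    "SaveToCC", "GetCCFieldSize", "DllEntryPoint"}

def _rva_to_off(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def pe_export_names(data):
    """Parse the export directory of a PE32/PE32+ image; return the exported names."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    dir_off = 96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112  # PE32 vs PE32+ directories
    exp_rva = struct.unpack_from("<I", data, opt + dir_off)[0]                 # data directory 0: exports
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))
    if not exp_rva:
        return set()
    exp = _rva_to_off(exp_rva, sections)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]                      # NumberOfNames
    names = _rva_to_off(struct.unpack_from("<I", data, exp + 32)[0], sections)  # AddressOfNames
    result = set()
    for i in range(n_names):
        p = _rva_to_off(struct.unpack_from("<I", data, names + 4 * i)[0], sections)
        result.add(data[p:data.index(b"\0", p)].decode("ascii"))
    return result

def matches_backdoor_profile(data, threshold=5):
    """True when at least `threshold` of the article's export names are present (assumed cut-off)."""
    return len(pe_export_names(data) & BACKDOOR_EXPORTS) >= threshold

def build_sample_dll(exports):
    """Construct a minimal PE32 DLL holding only an export table (test input, not malware)."""
    n, sec_va, sec_raw = len(exports), 0x1000, 0x200
    ptrs = [sec_va + 40 + 4 * n + sum(len(x) + 1 for x in exports[:i]) for i in range(n)]  # strings after table
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, 0, sec_va + 40, 0)           # export directory
    body += struct.pack("<%dI" % n, *ptrs) + b"".join(s.encode() + b"\0" for s in exports)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64                       # DOS header, e_lfanew=0x80
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)              # COFF header, 1 section
    hdr += struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sec_va, len(body)) + b"\0" * 120
    hdr += b".edata\0\0" + struct.pack("<IIII", len(body), sec_va, len(body), sec_raw) + b"\0" * 16
    return hdr + b"\0" * (sec_raw - len(hdr)) + body
```

The same `pe_export_names` parser works on real DLLs read from disk; `build_sample_dll` exists only so the check can be exercised offline.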

As for the malware itself, it supports around 41 commands, including the ability to download and upload files, but also to delete them, update the database, obtain system info, create processes, and
Russian Hacking Group Spent Years Silently Compromising Government-Marked Targets
Ali Raza