Cozy Bear kept moving after 2016 election, ESET says

The group, also known as APT29 and the Dukes, was "able to fly under the radar for many years while compromising high-value targets, as before," according to ESET.

One of the Kremlin-linked hacking groups that breached the Democratic National Committee in 2016 has remained active in the years that followed, even if it’s been less visible.

Cozy Bear, also known as APT29 and the Dukes, began using different malicious software and new hacking techniques after 2016, according to findings published Thursday by the Slovakian security firm ESET. There wasn’t much public evidence of the group’s activity, but researchers say it did not go quiet after interfering in the U.S. presidential election.

The hackers targeted U.S. think tanks in 2017, defense contractors in 2018 and three European countries’ ministries of foreign affairs. (The U.S. security firm FireEye suggested in November that Cozy Bear was showing signs of activity.)

“Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying,” ESET said in its report. “The Dukes were able to fly under the radar for many years while compromising high-value targets, as before.”

Cozy Bear operates on behalf of either the Russian spy service SVR, as Dutch intelligence has suggested, or the FSB, which is charged with counterintelligence work, according to CrowdStrike, or both. Fancy Bear, another Russian hacking unit that breached the DNC, is tied to Russia’s military intelligence agency, the GRU, based on reports from FireEye and an indictment from former U.S. Special Counsel Robert Mueller.

ESET calls the campaign detailed Thursday “Operation Ghost.”

The effort relies on four malware families aimed at the unnamed ministries of foreign affairs and U.S. targets. Attacks typically begin the way other advanced persistent threat (APT) campaigns do: with a targeted phishing email that tricks recipients into clicking a malicious link or downloading an attachment. That gives attackers a foothold in the larger network, where they then collect sensitive information while avoiding detection. (ESET’s report contains the specific technical information.)

While researchers said they observed Operation Ghost using known Cozy Bear code, ESET also cautioned that it does not discount the possibility that another group is carrying out these attacks while posing as Russian intelligence. ESET also found evidence of two other Russian groups, Turla and Fancy Bear (also known as APT28), on “some of the same computers.”

Russian hacking groups are known to take adversarial approaches against one another, competing to steal information that helps them gain political favor at home.