Annette Riedl/DPA via ZUMA Press
The group of Russian hackers that hacked the Democratic National Committee ahead of the 2016 US presidential election “has been busy compromising government targets, including three European Ministries of Foreign Affairs and the Washington DC embassy of a European Union county, all without drawing attention to their activities,” according to a report released Thursday by ESET, a European cybersecurity firm.
The research shows the Russian government’s apparent hacking of foreign government targets remains robust and active, and that the attackers have found ways to conduct operations even after the high profile attacks on the US presidential election brought unprecedented public attention to their efforts.
The report, titled “Operation Ghost: The Dukes aren’t back—they never left,” details how the group known variously as Cozy Bear, APT29, or the Dukes—which was one of two Russian-intelligence linked groups found to have hacked the DNC—has used a variety of methods to remain active even as they were under the eyes of the world’s major intelligence services. According to the report, the group has been targeting foreign ministries in at “least three different countries in Europe” and European diplomats in the United States; additional victims are likely, the authors note, but because the hackers used unique setups for each attack they were not able to identify them.
“We spent months apparently chasing a ghost then, a few months ago, we were able to attribute several distinct intrusions to the Dukes,” the authors wrote, explaining a difficult research process based on analyzing code, shared infrastructure, malware operations, and overlaps with previous attacks. The report details the group’s harnessing of some previously unseen tools combined with tactics and methods from previous known attacks, including the use of Twitter and Reddit to host URLs related to the operations, Dropbox, and steganography—hiding data within other data, in this case concealing information enabling the attacks in innocuous-looking photos.
Two photos used as part of Russian operations described in the report.
“Operation Ghost shows that the Dukes never stopped their espionage activities,” the authors wrote. “They might pause for a while and re-appear in another form, but they still need to spy to fulfill their mandates.”
