APT29 Has Not Retired, But Instead, Was Flying Under The Radar

  • APT29 never left the hacking scene, but instead focused more on high-profile targets.
  • Researchers found three new malware samples that they can attribute to the group with certainty.
  • The group is using Twitter, Imgur, and Fotolog to host steganographic images that hide code inside them.

As reported by ESET researchers, the Russian espionage hacking group known as “APT29” (or Cozy Bear, or The Dukes) has been lurking in the darkest sides of the net, even though they managed to stay away from the media’s attention in the recent years. The group has been active since 2013 and peaked in 2016, but other than a suspected comeback on November 2018, there has been nothing leading to their trail. Some thought that APT29 might have retired, but the latest report by ESET shows that this was never the case.

apt29_malware
Source: WeLiveSecurity

In the recent months, the team of researchers discovered three new malware families called “PolyglotDuke”, “RegDuke”, and “FatDuke”, all of which are attributed to APT29. The new malware tools were deployed within 2019, starting with FatDuke in June. Some of the elements that gave the group away are the use of Twitter to host C2 operations, the use of steganography to hide payloads in images, and the extensive use of WWI (Windows Management Instrumentation) for persistence. The targeting is also characteristic of APT29, with the targets including Ministries of Foreign Affairs and various organizations which were known to have been compromised before.

As for the malware tools themselves, the researchers noticed similarities in the custom encryption algorithm that is used by PolyglotDuke and OnionDuke (from 2013). Similarly, the most recent samples of MiniDuke feature the same backdoor that samples from five years ago deployed. All of this is indicative and not definitive, as another group might have gotten their hands onto the code of the old samples, and used it on newer iterations. However, this is unlikely to be the case considering how many pieces of the puzzle are in place.

apt29 malware similarities
Source: WeLiveSecurity

The ESET team has compiled a detailed list with the indicators of compromise, and you may check it out on GitHub. If you do, you’ll notice how many Twitter profiles are used for the hosting of steganographied images which contain the malware samples. Other channels of infection include Kiwibox, Reddit, Fotolog, Evernote, and Imgur. For more details on the findings of ESET and the tracking of the whole “Ghost Operation” as they call APT29 activity, check out the whitepaper that underpins the report.

malicious_tweet
Source: ESET Whitepaper

Were you among those who thought that APT29 went dormant, or did you think they are still out there doing their thing? Let us know where you stood in the comments down below, or on our socials, on Facebook and Twitter.

Latest
How to Watch Stars on Mars Online from Anywhere
The red planet is beckoning, and an ensemble of stars is going where no man has gone before. In the new unscripted...
How to Watch Cruel Summer Season 2 Online from Anywhere
While fans of the original series may not see Kate and Jeanette from the previous season, Cruel Summer Season 2 still promises...
How to Watch The Age of Influence Online: Stream the Docuseries from Anywhere
The Age of Influence is a new documentary series examining the dark side of influencer culture, and you’ll be able to stream it...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari