Posted on October 18, 2019 at 4:22 PM
A new report published by security researchers from ESET indicates that a hacking group which was previously linked to Russia managed to compromise numerous of the Russian government’s targets over the course of the past three years. Not only that, but the group managed to remain undetected while doing it.
The group, known as APT29, CozyDuke, the Dukes, as well as Cozy Bear, is a well-known state-sponsored hacking group that works for the Russian government. Security researchers from around the world have been studying the group and its methods for a long time, estimating that its existence goes back for at least a decade, likely even longer.
They also linked the group to a number of high-profile hacking attacks, such as the 2016 attack on the DNC (Democratic National Committee), which was the US Democratic Party’s formal governing body. Another case that these hackers are believed to have ties to was an attempt at the infiltration of DNC computers a year ago, on November 2018.
This attack used the spear-phishing method, meaning that the group targeted specific individuals in hopes of tricking them and getting access to their computers. However, these attacks are only the most public ones, while many others have also been attributed to APT29. For example, the group was responsible for a large number of hacking incidents before the US presidential elections of 2016, which made it all the more curious when they suddenly disappeared from the scene in early 2017.
Or did they?
The retired group was secretly active all along
According to ESET’s recent report, the group was not disbanded, nor did it stop operating. Instead, they simply continued their operations while doing everything in their power not to attract attention. They also seemingly continued an operation that was started about six years ago, which allowed them to compromise the Ministry of Foreign Affairs in several European countries.
ESET’s researchers have described the hacking campaign as a very sophisticated one, and they named it ‘Operation Ghost.’ The Operation started in 2013, as mentioned, but hackers managed to remain under the radar during this entire period, until now. During their efforts, hackers used a number of new and old malware families, such as PolyglotDuke, FatDuke, MiniDuke, LiteDuke, RegDuke, and more.
The report also says that the first-stage malware made use of a number of online services — including Reddit, Twitter, and Imgur — which served as C&C channels, while the communication itself was hidden by stenography. Researchers also pointed out the hackers’ victims, stating that there are at least three of them, including all European Ministries of Foreign Affairs, as well as the Washington DC embassy of the EU. Researchers also believe that the hackers’ last activity took place in June of this year.
All of the targets that the researchers were able to identify fit the APT29 profile, as well as the tools that the attackers used, and the employed tactics, such as the use of websites for hosting C&C, the use of stenography, and alike. Of course, there is a possibility that someone is copying APT29 for the purpose of hiding their own identity, but researchers believe that this is not the case. Not only did the attacks start back when the group was quite active, but they only used the tools and tactics that the group became known for — before it became known for using them.
The investigation of the campaign also uncovered a number of new details about the group’s method of operation, such as the fact that they use different C&C network infrastructure for each attack, as well as the existence of LiteDuke — a third-stage backdoor that was previously unknown. Finally, researchers also uncovered that two of the group’s victims had their systems breached by the same threat actor back in 2015. This indicates that hackers may have had access to their systems for the last four years.
How do the attacks work?
According to the report, the attack would start with the use of PolyglotDuke, which infects the devices and acts as a downloader that further infects the system with MiniDuke backdoor. If hackers start losing control of their other tools on the infected device, they deploy RegDuke, which is a first-stage implant. It can remain undetected for long periods, and make sure that hackers can maintain access and control of the infected system.
RegDuke also has a loader, as well as a payload, which resides in memory only. By using RegDuke, hackers can bring a number of different file types, such as DLLs, PowerShell scripts, Windows executables, and alike.
Meanwhile, MiniDuke acts as a second-stage backdoor, and it is written in x86 assembly, with 38 different functions, in total. This includes downloads and uploads of various files, retrieval of system information, process creation, obtaining the list of local drives, identifying the drive type, reading and writing in the named pipe, and more.
Finally, there is FatDuke, which is the group’s main backdoor, as well as a third-stage malware. FatDuke is mostly used on devices and systems that hold the greatest importance to the hackers, and it is usually installed through MiniDuke. However, it may also be delivered by other tools, like PsExec. Hackers are also known for repacking it on a regular basis, which allows them to remain undetected.
FatDuke is quite an advanced tool, with hardcoded configuration, and it allows hackers to control it remotely. LiteDuke, on the other hand, is another third-stage backdoor that hackers used back in 2014 and 2015. In other words, it might not have an active role in Operation Ghost, although it was found on some of the MiniDuke-compromised devices. And, since it uses the same dropper as PolyglotDuke (SQLite), researchers believe that it is another tool used by the group to this day.
Of all these tools, only the loader ends up written on the disk. Meanwhile, the backdoor code exists in memory alone. There are seven functions in total that are exported by the backdoor DLL, including LoadFromCC, GetDBHandle, GetCCFieldLn, SendBin, Save ToCC, GetCCFieldSize, as well as DllEntryPoint. As for the malware itself, it supports around 41 commands, including the ability to download and upload files, but also to delete them, update the database, obtain system info, create processes, and more.