The Russian-speaking hacker group Cozy Bear (aka APT29 and the Dukes) was highly active from 2014 to 2017. At that time the group was accused of breaching the Democratic National Committee in the run-up to the 2016 US elections, as well as of numerous attacks on government bodies in Europe and beyond. According to information security experts, the group allegedly works with the FSB and was also involved in attacks on the White House e-mail system, the US Department of State and the Joint Chiefs of Staff.
However, in recent years almost nothing had been heard about Cozy Bear, apart from a one-off incident in November 2018 involving a phishing campaign aimed at several American organizations. Because of this, information security experts assumed the group might have ceased to exist, but ESET researchers have now found that this is not the case.
The researchers identified three new malware families created by Cozy Bear (PolyglotDuke, RegDuke and FatDuke) as well as an updated version of the previously documented MiniDuke backdoor. These tools were in use until recently: the last sample observed by the researchers was deployed in June 2019. The researchers named this set of the group's activity "Operation Ghost".
ESET experts believe that Operation Ghost began in 2013 and continues to this day. During this time the group attacked at least three European foreign ministries, as well as the Washington embassy of an unnamed EU country.
Cozy Bear used a variety of online services to control its malware, including Twitter, Imgur and Reddit, and also resorted to steganography. In one of the examples described by the researchers, the malware payload was hidden in the metadata of a PNG file that was otherwise practically unchanged.
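The detection angle on that PNG trick is that a payload stuffed into an image's metadata leaves a metadata chunk that is far larger, or far more random-looking, than a real comment. The following added example (written for this page, not ESET's or the malware's code) parses the PNG chunk structure, verifies each chunk CRC, and flags text chunks that exceed a size or entropy threshold; the 1x1 sample image, its "Comment" keyword and the thresholds are constructed assumptions.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks that legitimately carry free-form metadata.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, checking signature and CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length

def suspicious_metadata(png: bytes, max_bytes=1024, min_entropy=7.0):
    """Return (type, size, entropy) for metadata chunks that look like packed data."""
    hits = []
    for ctype, data in iter_chunks(png):
        ent = shannon_entropy(data)
        if ctype in METADATA_CHUNKS and (len(data) > max_bytes or ent > min_entropy):
            hits.append((ctype.decode(), len(data), round(ent, 2)))
    return hits

def build_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def sample_png(comment: bytes) -> bytes:
    """Constructed 1x1 RGB PNG whose only oddity is the tEXt chunk (assumption, not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return (PNG_SIG + build_chunk(b"IHDR", ihdr) + build_chunk(b"IDAT", idat)
            + build_chunk(b"tEXt", b"Comment\x00" + comment) + build_chunk(b"IEND", b""))
```

Run over a real sample set, the thresholds should be tuned against the size and entropy of comments that genuine tools (image editors, cameras) write into these chunks.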
The analysts write that it is impossible to completely rule out that this activity is not Cozy Bear's, but someone else conducting a false-flag operation. However, APT29's involvement is indicated by the fact that this campaign ran at the same time as the group's other known attacks, and began at a time when only a small part of the group's arsenal was known to researchers.