'The Dukes' (aka APT29, Cozy Bear) threat group resurfaces with three new malware families

The espionage group had largely gone quiet since the 2016 breach of the Democratic National Committee

Infamous espionage group 'The Dukes' is back in business with new tactics, as security researchers attribute three new malware families to the gang.

The Dukes, also known as APT29 or Cozy Bear, came to wide public attention in 2016 as the main suspect behind the notorious breach of the Democratic National Committee during the run-up to the 2016 US presidential election.

However, since that time the group had largely gone quiet, leading some security researchers to believe that it had stopped its activities.

But recently, security researchers at ESET noticed the hallmarks of APT29 in a spying campaign which they believe has managed to run undetected for the past six years.

According to the researchers, three new malware families, dubbed FatDuke, RegDuke and PolyglotDuke, are linked to a campaign most likely run by APT29. The most recent deployment of this malware was observed in June 2019.

The ESET researchers have named this campaign Operation Ghost. It has been running since at least 2013 and has successfully targeted the Ministries of Foreign Affairs of at least three European countries.

The researchers compared the tactics and techniques used by APT29 in its recent attacks to those used in the group's older attacks. They found many similarities between these campaigns, including the use of Windows Management Instrumentation (WMI) for persistence, the use of steganography in images to hide communications with command and control (C2) servers, and the use of social media, such as Reddit and Twitter, to host C2 URLs.
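As an added example (not code from the article or from ESET's report), the script below shows the check a defender would run for the first of those techniques: WMI persistence normally means a permanent WMI event subscription, i.e. an __EventFilter (a WQL query that fires on some event), an __EventConsumer (what runs when it fires) and a __FilterToConsumerBinding tying the two together, all stored in the root\subscription namespace. The script lists every binding with its resolved filter query and consumer payload. It assumes an elevated PowerShell session on the host being examined; nothing about the specific queries or payloads used by APT29 is taken from the article.

```powershell
# Added example, not from the article or ESET: enumerate permanent WMI event
# subscriptions, the mechanism usually meant by "WMI for persistence".
# Run in an elevated PowerShell session (assumption: local host, default namespace).
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Filter and Consumer on a binding are references to the key (Name) of the
    # target instance; resolve them to the full objects to see query and payload.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

    # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer
    # carries inline VBScript/JScript; other consumer types (e.g. the default
    # NTEventLogEventConsumer) have neither, so Payload stays empty for them.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { '' }

    [pscustomobject]@{
        Filter   = $f.Name
        Query    = $f.Query
        Consumer = $c.Name
        Type     = $c.CimClass.CimClassName
        Payload  = $payload
    }
}
```

On a stock Windows install the only expected entry is the built-in "SCM Event Log Filter" bound to the "SCM Event Log Consumer" (an NTEventLogEventConsumer with no payload). Anything else, and in particular a CommandLineEventConsumer or ActiveScriptEventConsumer whose filter fires on boot or at a fixed interval and whose payload launches an encoded script or a binary outside Program Files and System32, warrants investigation; the script produces a baseline to review, not a verdict.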

The researchers also found the same kind of target in both the newer and the older attacks: ministries of foreign affairs.

ESET researchers say they found tools from two other APT threat actors, Sednit and Turla, on some of the machines on which APT29 malware was discovered, and caution that an attribution "based only on the presence of known Dukes tools on the same machines should be taken with a grain of salt."

Earlier, in 2015, a report from FireEye described APT29 using Twitter, GitHub and cloud storage services to relay commands to, and exfiltrate data from, compromised networks.

Last year, it was reported that Dutch intelligence officials had hacked into APT29's own systems more than a year before the group breached the Democratic National Committee in 2016. The Dutch agency traced APT29 to a university building next to Red Square in Moscow and warned US intelligence about the group's intentions.