A stealthy Russian cyber espionage ring known as “The Dukes” is back on security experts’ radar nearly three years after vanishing without a trace. One clue that they were operating came in the form of a cryptic Reddit post that turned out to be a secret signaling mechanism for the spies’ malware.
Also called “Cozy Bear” and “APT29,” the Dukes have been linked to Russia’s Foreign Intelligence Service, the SVR. They’re stealthy, sophisticated operators best known as the other Russian hackers in the DNC’s network—the ones who lurked quietly, undetected by the Democrats, for nearly a year before the GRU’s hackers barged in to carry out Putin’s 2016 election interference plan.
In January 2017, as global concern about Russia’s state-sponsored hacking swelled, the Dukes vanished. A phishing campaign that month against the government of Norway became the last hack attack strongly linked to the group.
A year later, a Dutch newspaper detailed a remarkable years-long counter-hack against the Dukes in the years before they went dark. The Dutch intelligence agency AIVD broke into the Dukes’ network in 2014, and spent years watching the Russians, at one point literally eyeballing them through the security cameras in the Moscow university the Dukes were operating from. From their privileged perch, the Dutch relayed information to U.S. officials in real time to help thwart the Dukes’ breach of U.S. State Department systems, and then tipped off the U.S. again when the Dukes hit the DNC in 2015. (The FBI later passed the warning to the DNC, which didn’t initially take it seriously). Experts speculated the Dukes had been shut down or were busy regrouping in the wake of unwanted publicity and the embarrassing Dutch counter-hack.
But a report Thursday by researchers at the European security firm ESET concludes that the Dukes never went away at all—they just retooled, developing new harder-to-spot versions of their custom malware. Based on code similarities, a common custom encryption algorithm and other indicators, ESET said it’s linked the Dukes to a continuous chain of hacks dating back to 2013, and still going on as of last June.
“We spent months apparently chasing a ghost then, a few months ago, we were able to attribute several distinct intrusions to the Dukes,” reads the report by ESET researchers Matthieu Faou, Mathieu Tartare and Thomas Dupuy. The Russians’ targets, according to the report, include three unnamed European foreign affairs ministries and an unnamed European embassy in Washington, D.C.—all typical targets for cyber espionage.
The Dukes’ creative opsec is one reason they’ve stayed invisible for so long. The hackers often use coded messages broadcast on Twitter or dropped on Dropbox to communicate with their hacked machines secretly in plain sight, even posting steganographically-coded photos on public image boards.
ESET’s research adds Reddit to the list of sites co-opted into cyber espionage. The researchers identified two accounts dating to 2014 that were created for the sole purpose of posting coded messages on subreddits, including the r/funny humor board. The hackers’ malware would check for new posts and decrypt a seemingly-nonsensical word in the comment to get the website address of one of the Dukes’ command-and-control servers.
The takeaway, ESET said, is that state-sponsored hackers “going dark for several years does not mean they have stopped spying. They might pause for a while and re-appear in another form, but they still need to spy.”