Remember the Democratic National Committee email leak? Same hackers now targeting EU countries, say malware boffins

Researchers reckon they've cracked a Washington embassy and more

The hacker crew behind the US Democratic National Committee breach are still at it and have infiltrated an EU country's embassy in Washington DC, according to infosec biz ESET.

The Dukes, aka APT29 or Cozy Bear, were widely fingered as having been behind the infamous hack on the DNC, the governing body of the US opposition political party. Though the group seemed to have faded back into digital obscurity, ESET said today that they're still operating against EU countries.

ESET has identified three new malware families associated with the hacking crew, which it has named PolyglotDuke, RegDuke and FatDuke.

"One of the first public traces of this campaign can be found on Reddit in July 2014," said researcher Matthieu Faou. "We can confirm with high confidence that the same group is behind Operation Ghost Hunt and the DNC attack," he added.

ESET declined to name which countries had been infected, though it said that these were three EU countries and the US embassy of one of those nations.

APT29 has, so ESET says, used Twitter and Reddit to host its command-and-control URLs and also employs steganographic techniques. In Bratislava earlier this week the firm briefed El Reg on its findings, which are set out in full here, along with a white paper accessible from the link.

Concealed weapon

One intriguing technique seen by ESET was the use of steganography in images. In one example shown to us, a malware payload was hidden within image attribute metadata fields of an otherwise unaltered PNG file.

"We found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation, however, this campaign started while only a small portion of the Dukes' arsenal was known. In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now," said the company in a statement.

Linked to Russian intelligence by just about everyone (except ESET, oddly), APT29 cracked the DNC's servers by using a SeaDaddy implant developed in Python and compiled with py2exe and another Powershell backdoor.

That was then deployed through a variety of remote access tools – and less sophisticated methods, as former US presidential hopeful Hilary Clinton's campaign manager, John Podesta, found out to his cost. ®

Sponsored: What next after Netezza?

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019