Cozy Bear/APT29/Dukes (Russia): Known as the Dukes, Russian threat actor Cozy Bear has apparently been quiet since their involvement in the hack of the Democratic National Convention in 2016, except for one spear-phishing campaign that was seen in November of 2018. Now researchers at ESET have found three malware families resurfacing that can be linked back to the group. Being linked together in what researchers call Operation Ghost, malware families PolyglotDuke, RegDuke and FatDuke have been found in the wild. Based on research done by ESET, the group was out of the public eye for many years, but they did not stop working on operation Ghost. The ongoing campaign has been responsible for compromising many government entities in Europe, as well as the European Union embassy in Washington, D.C. The group is very persistent; they steal credentials and use them to move laterally on networks. Administrative credentials have been used by the group to compromise machines from the same local network.
When responding to a compromise by this group, it is important to remove every backdoor remote access tool that has been planted on the compromised machines. The group has been known in the past to leave multiple backdoor access tools on a machine so that they could re-compromise computers of victims who fail to remove all of the implants. This group seems to have mastered the art of being undetected. Only appearing every few years, but still maintaining a foothold into systems and not making a lot of waves. By doing this, the group can remain persistent on a network and collect information for a long time before being caught because they have made themselves so hard to be detected.
Binary Defense recommends that organizations targeted by well-funded and persistent threat actors, including large organized crime groups and state-backed attackers, should implement advanced detection techniques. Examples of best practices in advanced detection of adversaries include active defense and attacker deception, such as deploying decoy administrator accounts, servers, and services listening on ports that trigger silent alarms when accessed by attackers. Other examples of active defense include decoy documents that are positioned to be attractive targets for attackers to steal but include tracing techniques that will alert the security team when the documents are stolen and opened on a computer outside the corporate network. Binary Defense’s Endpoint Detection and Response (EDR) product, Vision, includes deception and active defense techniques. The Security Operations Center (SOC) is a group of security professionals who monitor alarms 24 hours a day, 7 days a week on behalf of our clients to detect advanced attackers in the early stages of an intrusion.