Published on October 20th, 2019

Russian Hackers Break Into European Embassy In Washington



Washington D.C. infiltrated by Russian hackers

Russian hackers are back in Washington, targeting at least one European embassy.


The hackers who infamously breached the Democratic National Committee have continued to cause havoc, according to research released Thursday.

The so-called Cozy Bear hackers, who were revealed in 2016 to have infiltrated the DNC along with a group called Fancy Bear as part of a Russian-government sponsored attack on American democracy, have hacked the Washington, D.C., embassy of a European member state, said cybersecurity researchers from ESET. The hackers also broke into computers at the ministries of foreign affairs of three European countries.

Neither the embassy nor the government departments are being identified by ESET. But the research represents a rare sighting of Cozy Bear and a resurgence of a Russian intelligence operation heading into a turbulent geopolitical period, with Britain’s exit from the European Union and the 2020 U.S. election on the horizon. Three new malware types were also discovered, showing the unit continues to build its digital arsenal as it tries to spy on diplomats.

Matthieu Faou, who led the ESET research, said the latest attacks show Cozy Bear is still very active, even though the group had avoided public scrutiny for several years. “There was this phishing campaign last year, but in terms of malware, we didn’t hear anything since the end of 2016, beginning of 2017,” he told Forbes.

Faou believes it was likely Cozy Bear was trying to steal documents and emails, given the nature of the victims, though he did not have access to the purloined data.

Cheekily, the Russian hackers are using the infrastructure of well-known American tech companies as part of their attacks. Rather than hard-coding the address of a command-and-control server, the malware on an infected PC looks up the domain it should contact in posts on public services, including Twitter, Evernote and Reddit. This "dead drop resolver" technique means the operators can change servers simply by publishing a new post, and the implant's first outbound connections go to legitimate, widely used sites.

“Also they use steganography [hiding data inside ordinary-looking files] to hide communications to the [command and control] server. So payloads and commands are actually in the pixel of pictures,” said Faou.
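As an added illustration (not part of the Forbes article and not ESET's or the attackers' code), the Python below shows both tricks in miniature: a resolver that pulls a command-and-control domain out of an innocuous-looking social-media post, and least-significant-bit steganography that hides a command in the pixel bytes of an image, with a length prefix and CRC so the receiver can tell a real message from noise. The post text, the `qx7:` marker, the 16x16 pixel buffer and the framing format are all constructed assumptions for the example; the real malware's markers, image formats and encoding are not described on this page.

```python
"""Dead-drop resolution and LSB image steganography, demonstrated on
constructed data. Nothing here touches the network or reads real files."""
import re
import zlib
from typing import Optional

# Constructed 16x16 RGB "image": 768 bytes of a synthetic gradient standing
# in for the pixel data of a decoded picture (assumption, not a real image).
WIDTH, HEIGHT = 16, 16
COVER_PIXELS = bytes(
    (x * 7 + y * 13 + c * 5) & 0xFF
    for y in range(HEIGHT) for x in range(WIDTH) for c in range(3)
)

# Constructed social-media post; the "qx7:" marker is an assumed convention.
DROP_POST = "Loving the autumn colours this year! #travel qx7: update.example-cdn.net"


def resolve_c2_domain(post: str, marker: str = "qx7:") -> Optional[str]:
    """Dead-drop resolver: return the domain that follows `marker` in a post,
    or None if the post carries no marker. Everything else in the post is
    cover text that a casual reader (or a keyword filter) would ignore."""
    m = re.search(re.escape(marker) + r"\s*([a-z0-9.-]+\.[a-z]{2,})", post, re.I)
    return m.group(1) if m else None


def hide_in_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of `pixels` whose least-significant bits carry a frame:
    4-byte big-endian length, the payload, then a CRC32 of the payload.
    Only the lowest bit of each byte changes, so the image looks untouched."""
    framed = (len(payload).to_bytes(4, "big") + payload
              + zlib.crc32(payload).to_bytes(4, "big"))
    bits = [(b >> i) & 1 for b in framed for i in range(7, -1, -1)]  # MSB first
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_from_lsb(pixels: bytes) -> Optional[bytes]:
    """Recover a framed payload from the LSBs of `pixels`. Returns None when the
    length is implausible or the CRC does not match, which is what happens on
    an unmodified image: its LSBs are effectively random."""
    def read_bytes(offset_bits: int, n: int) -> bytes:
        val = bytearray()
        for byte_idx in range(n):
            b = 0
            for bit_idx in range(8):
                b = (b << 1) | (pixels[offset_bits + byte_idx * 8 + bit_idx] & 1)
            val.append(b)
        return bytes(val)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if (4 + length + 4) * 8 > len(pixels):
        return None
    payload = read_bytes(32, length)
    crc = int.from_bytes(read_bytes((4 + length) * 8, 4), "big")
    return payload if zlib.crc32(payload) == crc else None


def lsb_only_changed(original: bytes, modified: bytes) -> bool:
    """True if the two buffers differ in nothing but least-significant bits,
    i.e. the visible image content is identical to within one level."""
    return len(original) == len(modified) and all(
        (a ^ b) in (0, 1) for a, b in zip(original, modified)
    )


if __name__ == "__main__":
    print("C2 domain from post:", resolve_c2_domain(DROP_POST))
    stego = hide_in_lsb(COVER_PIXELS, b"exec whoami")
    print("Recovered command:", extract_from_lsb(stego))
    print("Unmodified image yields:", extract_from_lsb(COVER_PIXELS))
    print("Only LSBs changed:", lsb_only_changed(COVER_PIXELS, stego))
```

The CRC is what makes this practical for an implant: it can fetch many images and only act on the one that decodes cleanly. The same property helps a defender who suspects image-based C2, since a candidate decoder can be run over captured images and any frame with a matching checksum is almost certainly deliberate rather than a false positive.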

What remains unclear is just how Cozy Bear is finding its way onto diplomats’ PCs. No initial infection method was detected by ESET. The researchers' investigations have also been complicated by the fact that the attacks may have started several months or years ago.

“We only have a partial view on this campaign, so I guess there are more victims,” Faou said.

