Cozy Bear didn't hibernate as previously thought

Background: Cozy Bear, also called APT29 and The Dukes, has been associated with the Russian Federal Security Service and the Foreign Intelligence Service. Fancy Bear, its more famous cousin, is connected to the Main Directorate of the General Staff of the Armed Forces.

• Russia runs a competitive model, wherein separate intelligence agencies are encouraged to breach the same targets.
• Unlike other Russian groups, Cozy Bear's attacks are not associated with sabotage efforts.

Cozy Bear didn't disappear completely after 2016, but its attacks appeared to dramatically decline. There were flurries of breaches linked to the group in 2017 against U.S. think tanks, as well as several attacks around the 2018 elections against defense contractors, media and other verticals.

• Even with the new campaign, Cozy Bear still does not appear to be as active as it was in 2016.

What's happening: ESET found evidence that the group maintained some of its anonymity since 2018 by using four previously undocumented strains of malware.

• Some of that malware has been detected as early as 2013. Others appear to be new as of last year.
• The new malware was found in organizations known to have been breached by Cozy Bear — sometimes as recently as three months before the new strains appeared in their systems.
• ESET is calling this campaign "Operation Ghost."

As with previous Cozy Bear malware, the new strains used publicly available internet services like Reddit, Twitter and OneDrive to communicate and take instruction from operatives running the campaign.

• The new malware also hid payloads in image files to disguise network traffic.