A wooden sculpture made of linden representing Russian President Vladimir Putin riding a bear at a souvenir shop in Saint Petersburg. Photo: Mladen Antonov/AFP via Getty Images

Cozy Bear, the less-discussed of the two Russian hacker groups that breached the Democratic National Committee in 2016, had been thought to be scaling back operations since that election, but a new report finds the group instead became more covert.

The big picture: The report, from cybersecurity firm ESET, shows that Cozy Bear switched to a different toolkit after 2016, continuing to target the ministries of foreign affairs in at least three European countries and the Washington, D.C., embassy of a European country.

Background: Cozy Bear, also called APT29 and The Dukes, has been associated with the Russian Federal Security Service and the Foreign Intelligence Service. Fancy Bear, its more famous cousin, is connected to the Main Directorate of the General Staff of the Armed Forces.

  • Russia runs a competitive model, wherein separate intelligence agencies are encouraged to breach the same targets.
  • Unlike other Russian groups, Cozy Bear's attacks are not associated with sabotage efforts.

Cozy Bear didn't disappear completely after 2016, but its attacks appeared to dramatically decline. There were flurries of breaches linked to the group in 2017 against U.S. think tanks, as well as several attacks around the 2018 elections against defense contractors, media and other verticals.

  • Even with the new campaign, Cozy Bear still does not appear to be as active as it was in 2016.

What's happening: ESET found evidence that the group maintained some of its anonymity since 2018 by using four previously undocumented strains of malware.

  • Some of that malware has been detected as early as 2013. Others appear to be new as of last year.
  • The new malware was found in organizations known to have been breached by Cozy Bear — sometimes as recently as three months before the new strains appeared in their systems.
  • ESET is calling this campaign "Operation Ghost."

As with previous Cozy Bear malware, the new strains used publicly available internet services like Reddit, Twitter and OneDrive to communicate and take instruction from operatives running the campaign.

  • The new malware also hid payloads in image files to disguise network traffic.
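The page says only that payloads were hidden in image files, not how. One defensive check a responder can run over images pulled from proxy logs or mail attachments is to parse the container and flag anything that follows the format's end marker, since a payload appended after a PNG `IEND` chunk or a JPEG `EOI` marker still renders as a normal picture. The code below is an added example written for this article, not ESET's tooling or any code from the report; the PNG and JPEG samples are constructed inline, and the function names (`png_trailing_bytes`, `jpeg_trailing_bytes`, `check_image`) are the author's own. It only detects appended data; pixel-level (LSB) steganography leaves the container intact and needs statistical analysis instead.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Walk PNG chunks; return number of bytes after IEND, or -1 if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # length + type + data + CRC
        if chunk_end > len(data):
            return -1                              # truncated chunk
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    return -1                                      # no IEND found


def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk JPEG segments (including the entropy-coded scan); return bytes after EOI, or -1."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                         # EOI
            return len(data) - (pos + 2)
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn / TEM carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                         # SOS: skip entropy-coded data
            # Inside scan data, 0xFF is followed by 0x00 (stuffing) or an RSTn marker;
            # any other 0xFF xx pair is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return -1


def check_image(data: bytes) -> dict:
    """Classify a blob and report whether data trails the format's end marker."""
    if data.startswith(PNG_SIG):
        kind, extra = "png", png_trailing_bytes(data)
    elif data.startswith(b"\xff\xd8"):
        kind, extra = "jpeg", jpeg_trailing_bytes(data)
    else:
        return {"format": "unknown", "trailing_bytes": -1, "suspicious": False}
    return {"format": kind, "trailing_bytes": extra, "suspicious": extra > 0}


# --- constructed samples (not real malware artefacts) ---

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png() -> bytes:
    """Build a valid 1x1 RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")     # filter byte + one black pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


# Structurally plausible JPEG: SOI, APP0, SOS header, scan data with stuffing and RST0, EOI.
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0\x00\x04JF"
               + b"\xff\xda\x00\x03\x01"
               + b"\x12\xff\x00\x34\xff\xd0\x56"
               + b"\xff\xd9")

if __name__ == "__main__":
    for label, blob in [("clean png", make_png()),
                        ("png + appended bytes", make_png() + b"PAYLOAD"),
                        ("clean jpeg", SAMPLE_JPEG),
                        ("jpeg + appended bytes", SAMPLE_JPEG + b"\xde\xad")]:
        print(label, check_image(blob))
```

Trailing-byte counts are a coarse signal: some legitimate tools write metadata after the end marker, so treat hits as candidates for a closer look rather than as verdicts.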
