Cozy Bear wasn't hibernating after all.
Cozy Bear, also called "APT29" or "the Dukes," has been very active since it was discovered in the DNC's networks in 2016, ESET has found. ESET calls the group's newly discovered activities "Operation Ghost." The activities began in 2013 and have continued to the present day, using three previously undiscovered malware families: PolyglotDuke, RegDuke and FatDuke. The group uses social media sites like Twitter and Reddit to host its command-and-control URLs, and it uses steganography to obscure its C2 traffic. Cozy Bear compartmentalizes its attacks so that the same infrastructure is not reused against different victims, a practice the researchers say "is generally only seen by the most meticulous attackers."
Operation Ghost's targets include the Ministries of Foreign Affairs in at least three European countries, as well as "the Washington, DC embassy of a European Union country." The targets had previously been hit by known Cozy Bear malware, including CozyDuke, OnionDuke or MiniDuke. ESET researchers note that Cozy Bear shows both considerable patience and focus on its targets. It's also stealthy. Compromised organizations must ensure that all of the group's malware is removed from the environment within a short period of time; otherwise the attackers will use any leftover foothold to quickly reinfect their systems.