The Russians Who Hacked the DNC Are Now Targeting European Governments

At least three countries have been affected, researchers say, with more victims likely.

Annette Riedl/DPA via ZUMA Press

The group of Russian hackers that hacked the Democratic National Committee ahead of the 2016 US presidential election “has been busy compromising government targets, including three European Ministries of Foreign Affairs and the Washington DC embassy of a European Union county, all without drawing attention to their activities,” according to a report released Thursday by ESET, a European cybersecurity firm.

The research shows the Russian government’s apparent hacking of foreign government targets remains robust and active, and that the attackers have found ways to conduct operations even after the high profile attacks on the US presidential election brought unprecedented public attention to their efforts.

The report, titled “Operation Ghost: The Dukes aren’t back—they never left,” details how the group known variously as Cozy Bear, APT29, or the Dukes—which was one of two Russian-intelligence linked groups found to have hacked the DNC—has used a variety of methods to remain active even as they were under the eyes of the world’s major intelligence services. According to the report, the group has been targeting foreign ministries in at “least three different countries in Europe” and European diplomats in the United States; additional victims are likely, the authors note, but because the hackers used unique setups for each attack they were not able to identify them.

“We spent months apparently chasing a ghost then, a few months ago, we were able to attribute several distinct intrusions to the Dukes,” the authors wrote, explaining a difficult research process based on analyzing code, shared infrastructure, malware operations, and overlaps with previous attacks. The report details the group’s harnessing of some previously unseen tools combined with tactics and methods from previous known attacks, including the use of Twitter and Reddit to host URLs related to the operations, Dropbox, and steganography—hiding data within other data, in this case concealing information enabling the attacks in innocuous-looking photos.

Two photos used as part of Russian operations described in the report.


“Operation Ghost shows that the Dukes never stopped their espionage activities,” the authors wrote. “They might pause for a while and re-appear in another form, but they still need to spy to fulfill their mandates.”


Mother Jones was founded as a nonprofit in 1976 because we knew corporations and the wealthy wouldn't fund the type of hard-hitting journalism we set out to do.

Today, reader support makes up about two-thirds of our budget, allows us to dig deep on stories that matter, and lets us keep our reporting free for everyone. If you value what you get from Mother Jones, please join us with a tax-deductible donation today so we can keep on doing the type of journalism 2019 demands.

We Recommend


Give a Year of the Truth

at our special holiday rate

just $12

Order Now

Sign up for our newsletters

Subscribe and we'll send Mother Jones straight to your inbox.

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.


We have a new comment system! We are now using Coral, from Vox Media, for comments on all new articles. We'd love your feedback.