Operation Ghost: The DNC hacking group “Dukes” still attacks government targets, ESET discovers

Next story

BRATISLAVA - The Dukes (aka APT29 and Cozy Bear) briefly stole the spotlight after their suspected involvement in the breach of the Democratic National Committee in the run-up to the 2016 US elections. After an attack in Norway in January 2017 and despite a suspected comeback in November 2018, the Dukes seemingly vanished from the cyberespionage scene. However, ESET researchers have discovered an operation dubbed “Ghost,” which started much earlier, in 2013, and is still ongoing. The Dukes have infiltrated an EU Member State’s embassy in Washington, DC, and Ministries of Foreign Affairs in at least three different countries in Europe. 

ESET has identified three new malware families associated with the Dukes – PolyglotDuke, RegDuke and FatDuke. “One of the first public traces of this campaign can be found on Reddit in July 2014,” says ESET researcher Matthieu Faou. “We can confirm with high confidence that the same group is behind Operation Ghost and the DNC attack,” he adds.


The attribution of these attacks to the Dukes is based on several similarities in the tactics observed in this campaign, as compared with previous ones. Specifically, the Dukes have used Twitter and Reddit to host Command & Control URLs and have employed stenography in pictures to hide malicious payloads or commands. Moreover, Ministries of Foreign Affairs have continued to be targeted – two of the three targets were previously compromised by the group, with at least one machine having the “old” Dukes still installed from several months before. Further proof is indicated by the strong code similarities between already documented samples and Operation Ghost.

“In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented, and thus, we believe Operation Ghost was running simultaneously with the other campaigns, and has flown under the radar until now,” explains Faou.

In Operation Ghost, the Dukes have used a limited number of tools, but they have relied on numerous interesting tactics to avoid detection. The Dukes are very persistent, and are systematically stealing credentials and using them to move laterally in the network. ESET has seen them using administrative credentials to compromise or re-compromise machines in the same local network.

The Dukes have a sophisticated malware platform, which is divided into four stages. First, it fetches its C&C URL via Twitter or other social networks and websites. Second, it uses Dropbox to receive commands from the attackers. Third, it drops a simple backdoor, which in turn, drops a more sophisticated backdoor in the last stage with a lot of functionalities and a flexible configuration.

For more details, read the blogpost, “Operation Ghost: The Dukes aren’t back – they never left” and find a detailed whitepaper here. Make sure to follow ESET research on Twitter for the latest news from ESET Research.