It is exceptionally rare for a well-documented threat actor to stay under the radar for several years. Here, we document such a case with the Dukes, aka APT29. Not only have they mostly avoided public scrutiny since 2016, but they compromised high-value targets, including three European Ministries of Foreign Affairs and the Washington DC embassy of an EU country.
The Dukes is an infamous espionage group, best known for breaching the US Democratic National Committee during the 2016 presidential elections. After that, most analysts believed they went dark: the most recent high-confidence attribution to the group was a January 2017 campaign targeting Norway, more than two years ago. In November 2018, a phishing campaign targeting several US organizations was attributed to the group with medium confidence; however, that campaign used Cobalt Strike, a generic tool, instead of custom malware.
We recently identified several previously unrecognized clusters of activity that we now link with high confidence to the Dukes. These activities likely began in 2013/2014 and were still active as of June 2019. While most of the Dukes’ arsenal was publicly exposed in 2014 and 2015 by multiple security researchers, part of their toolset remained under the radar for more than five years. We have named this newly uncovered campaign Operation Ghost.
Some of the TTPs are similar to previously documented Dukes’ campaigns, including the use of Twitter and custom steganography. However, most of the tools were previously unknown, and we identified a completely new flagship backdoor. It was first deployed in September 2016 and was still being deployed in June 2019.
Our presentation details the discovery of the early, previously unknown campaign and how we linked that to the Dukes. It also details the timeline of this campaign along with an analysis of new malware families and updated TTPs.