Home Security/Malware Operation Ghost: The Dukes aren’t back – they never left

Operation Ghost: The Dukes aren’t back – they never left

The Dukes have been in the spotlight after their suspected involvement in the breach of the Democratic National Committee in the run-up to the 2016 US elections. Since then, except for a one-off, suspected comeback in November 2018, with a phishing campaign targeting several US-based organizations, no activity has been confidently attributed to the Dukes. This left us thinking that the group had stopped its activities.

This held true until recent months, when we uncovered three new malware families that we attribute to the Dukes – PolyglotDuke, RegDuke and FatDuke. These new implants were used until very recently, with the latest observed sample being deployed in June 2019. This means the Dukes have been quite active since 2016, developing new implants and compromising high-value targets. They call these newly uncovered Dukes activities, collectively, Operation Ghost.

Timeline and victimology

ESET believe Operation Ghost started in 2013 and it is still ongoing as of this writing. Their research shows that the Ministries of Foreign Affairs in at least three different countries in Europe are affected by this campaign. They have also discovered an infiltration by the Dukes at the Washington, DC embassy of a European Union country.

Their new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying. The Dukes were able to fly under the radar for many years while compromising high‑value targets, as before.

For a detailed analysis of the backdoor, refer to their white paper.