These were found to be used in attacks against high-value targets. Researchers have dubbed the recently discovered activities of the Dukes as ‘Operation Ghost’.
The background
Operation Ghost is believed to have begun in 2013 and is still active. The Ministries of Foreign Affairs of three European countries were impacted by this campaign. The Dukes also hit the Washington, DC embassy of a European Union country.
Tools and tactics
Researchers observed that in Operation Ghost the Dukes used only a few tools but a number of tactics to avoid detection.
The threat actors did not reuse the same command-and-control network infrastructure across different victim organizations. This is potentially a tactic to keep the campaign running even after a victim detects and blocks certain network IOCs, since the indicators found at one organization do not expose the infrastructure used against the others.
The conclusion
These findings show that the Dukes did not stop their malicious activities, as was previously believed.
“This campaign also shows that APT threat actors going dark for several years does not mean they have stopped spying. They might pause for a while and reappear in another form, but they still need to spy to fulfill their mandates,” said the researchers.