Operation Ghost: Research Finds Dukes Group Never Stopped Espionage Activities
- The threat group known as the Dukes, Cozy Bear, or APT29 was believed to have stopped its activities.
- Researchers recently uncovered three malware families—PolyglotDuke, RegDuke, and FatDuke—that have been attributed to the Dukes.
These were found to be used in attacks against high-value targets. Researchers have dubbed the recently discovered activities of the Dukes as ‘Operation Ghost’.
Operation Ghost is believed to have begun in 2013 and to be active even now. The Ministries of Foreign Affairs in three European countries were impacted by this campaign. The Dukes also hit a Washington, DC embassy of a European Union country.
Tools and tactics
Researchers observed that the Dukes used only a few tools but a number of tactics to avoid detection in Operation Ghost.
- The attacks involve stealing credentials and moving laterally on the network. The administrative credentials were used by the threat actors to compromise and re-compromise systems on a local network.
- Their malware platform is divided into four stages. PolyglotDuke uses websites such as Twitter or Reddit to get its command-and-control URL.
- RegDuke is a recovery first stage that uses Dropbox as its command-and-control server.
- MiniDuke backdoor is a simple backdoor that acts as the second stage.
- FatDuke, the third stage, is a sophisticated backdoor with a flexible configuration.
The threat actors did not use the same command-and-control network infrastructure in different victim organizations. This is potentially a tactic to continue the attacks even if certain network IOCs are detected as malicious by victims.
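Since network IOCs differ per victim, a check that keys on behavior rather than on specific hosts is more durable. The following is an added example, not code from the research: it flags processes outside an allowlist that contact the public services named above. The log format, hostname suffixes, process allowlist, and sample lines are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Services the article names as C2 resolvers or C2 channels.
# The hostname suffixes are assumptions; adjust to what your proxy records.
WATCHED_SERVICES = {"twitter.com": "twitter", "reddit.com": "reddit",
                    "dropbox.com": "dropbox", "dropboxapi.com": "dropbox"}

# Assumed allowlist of processes expected to talk to these services.
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe"}

# Constructed sample telemetry: timestamp, host, process, destination domain.
SAMPLE_LOG = """\
2019-10-01T09:00:12Z,WS-014,chrome.exe,www.reddit.com
2019-10-01T09:01:40Z,WS-014,dropbox.exe,api.dropboxapi.com
2019-10-01T09:03:05Z,WS-022,helper.exe,twitter.com
2019-10-01T09:03:09Z,WS-022,helper.exe,www.reddit.com
2019-10-01T09:07:51Z,SRV-03,svc_agent.exe,content.dropboxapi.com
2019-10-01T09:09:30Z,WS-031,helper.exe,nottwitter.com
"""


def service_for(domain):
    """Return the watched service a domain belongs to, or None."""
    domain = domain.lower().rstrip(".")
    for suffix, service in WATCHED_SERVICES.items():
        # Match the domain itself or a true subdomain, not a lookalike suffix.
        if domain == suffix or domain.endswith("." + suffix):
            return service
    return None


def find_unexpected_clients(log_text):
    """Map (host, process) to the watched services it contacted unexpectedly."""
    hits = defaultdict(set)
    for _ts, host, process, domain in csv.reader(io.StringIO(log_text)):
        service = service_for(domain)
        if service and process.lower() not in EXPECTED_PROCESSES:
            hits[(host, process.lower())].add(service)
    return {key: sorted(services) for key, services in hits.items()}


if __name__ == "__main__":
    for (host, process), services in find_unexpected_clients(SAMPLE_LOG).items():
        print(f"{host}: {process} contacted {', '.join(services)}")
```

A server or a non-browser process reaching these services is a lead to triage, not a verdict; the allowlist needs tuning to the software actually deployed.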
These findings show that the Dukes did not stop their malicious activities, as believed earlier.
“This campaign also shows that APT threat actors going dark for several years does not mean they have stopped spying. They might pause for a while and reappear in another form, but they still need to spy to fulfill their mandates,” said the researchers.