Operation Ghost: The Dukes aren't back – they never left

Matthieu Faou, Thomas Dupuy/ESET

It is exceptionally rare for a well-documented threat actor to stay completely under the radar for several years. Here, we document such a case with an infamous political espionage APT group. Not only have they avoided public scrutiny since 2016, but also they compromised high-value targets, including three European Ministries of Foreign Affairs and the Washington DC embassy of an EU country. We recently identified several previously unrecognized clusters of activity that we now link with high confidence to this group and we have named this newly uncovered campaign Operation Ghost Hunt.

Some of the TTPs are similar to previously documented campaigns. However, most of the tools are previously unknown and we identified a completely new, flagship backdoor. This was initially deployed in September 2016 and was still being deployed in June 2019. Our presentation details the discovery of the early, previously unknown campaign and how we linked that to this group. It also details the timeline of this campaign along with an analysis of five new malware variants and updated TTPs.

Organizer’s note: This abstract reveals limited details as, for operational reasons, not everything that will be included in this presentation can be disclosed at this moment. Closer to the event we will update this abstract with the full details the researchers provided us and that were the basis of the presentation’s selection.

November 7 at 10:00 - 10:30, Stage A

Matthieu Faou is a malware researcher at ESET, where he specializes in targeted attacks. His main duties include threat hunting and reverse engineering of APTs. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences, including BlueHat, RECON, Virus Bulletin and Botconf.

Thomas Dupuy is a malware researcher at ESET Canada. Thomas has breakfast reversing binaries, contributes to open source projects during lunch and plays CTF by night. Curious by nature, Thomas likes to analyze malware of exotic architectures.