Operation Ghost

Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]

ID: C0023
First Seen: September 2013 [1]
Last Seen: October 2019 [1]
Version: 1.0
Created: 23 March 2023
Last Modified: 06 April 2023

Groups

ID Name Description
G0016 APT29 [1]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

For Operation Ghost, APT29 registered domains for use in C2 including some crafted to appear as existing legitimate domains.[1]
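The entry above notes that some of the registered C2 domains were crafted to resemble existing legitimate ones. The following is an added example, not code from this page or from the cited report, of the check a defender can run over newly observed domains (for instance from DNS or proxy logs): fold common confusable characters, then compare each name against an allowlist by exact match, by embedding of the legitimate name in a longer hostname, and by edit distance. The allowlist, the confusable table, and the candidate names are all constructed for the example, and the registrable-domain cut is a naive last-two-labels heuristic rather than a Public Suffix List lookup.

```python
import unicodedata

# Constructed allowlist standing in for an organisation's own and partner domains.
LEGITIMATE = ["europa.eu", "microsoft.com", "google.com"]

# Character swaps commonly used to craft lookalike names (illustrative set, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable(domain):
    """Naive registrable-domain cut (last two labels); a real tool would use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def normalise(domain):
    """Fold Unicode compatibility forms and common confusable characters to their ASCII look-alikes."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def levenshtein(a, b):
    """Classic edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, allowlist=LEGITIMATE, max_distance=2):
    """Return (legit_domain, reason) when candidate imitates an allowlisted domain, else None."""
    cand = candidate.lower().rstrip(".")
    reg = registrable(cand)
    if reg in allowlist:
        return None                        # genuinely one of ours
    norm = normalise(reg)
    for legit in allowlist:
        if norm == legit:
            return legit, "homoglyph"      # e.g. micros0ft.com, rnicrosoft.com
        if legit in cand:
            return legit, "embedded"       # e.g. microsoft.com.secure-update.net
        if levenshtein(norm, legit) <= max_distance:
            return legit, "edit-distance"  # e.g. gooogle.com
    return None


def scan(candidates, allowlist=LEGITIMATE):
    """Run classify() over a batch of newly observed domains and keep only the hits."""
    hits = []
    for c in candidates:
        verdict = classify(c, allowlist)
        if verdict:
            hits.append((c, *verdict))
    return hits
```

Feed `scan()` the set of domains first seen in the last day; the "embedded" rule catches the common trick of putting the imitated name in a subdomain of an attacker-registered parent, which an edit-distance check alone misses.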

Enterprise T1001 .002 Data Obfuscation: Steganography

During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C2 servers.[1]

Enterprise T1587 .001 Develop Capabilities: Malware

For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke.[1]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes.[1]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware.[1]
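A permanent WMI event subscription, as used for persistence above, has three parts: an `__EventFilter` (the WQL trigger), an event consumer (the action), and a `__FilterToConsumerBinding` that joins them. The following is an added example, not code from this page or from the cited report, of detection logic that correlates Sysmon-style WMI events (Event IDs 19 filter, 20 consumer, 21 binding) and alerts on every binding whose consumer class executes code. The events are constructed; their field names follow Sysmon's WmiEvent schema, and the `Class.Name="..."` object-path format in the binding fields is an assumption based on typical Sysmon output.

```python
import re

# Consumer classes that execute attacker-supplied code when the bound filter fires.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Constructed events modelled on Sysmon's WmiEvent records. Field names follow the Sysmon
# schema; every value is made up for this example.
SAMPLE_EVENTS = [
    # A default binding present on stock Windows: must not alert.
    {"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "EventNamespace": "root\\cimv2", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "NTEventLogEventConsumer", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    # Persistence: run a binary a few minutes after every boot.
    {"EventID": 19, "Operation": "Created", "User": "CORP\\svc_backup",
     "EventNamespace": "root\\cimv2", "Name": "UpdaterFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
              "AND TargetInstance.SystemUpTime < 325"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\svc_backup",
     "Name": "Updater", "Type": "CommandLineEventConsumer",
     "Destination": "C:\\ProgramData\\Updater\\update.exe"},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\svc_backup",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
]

# Binding endpoints are WMI object paths such as __EventFilter.Name="X" (assumed format).
_REF_RE = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')


def parse_ref(ref):
    """Split a WMI object path into (class, instance name)."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"unrecognised WMI reference: {ref!r}")
    return m.group("cls"), m.group("name")


def correlate(events):
    """Join filter/consumer/binding creations; return one alert per binding that runs code."""
    created = [e for e in events if e.get("Operation") == "Created"]
    filters = {e["Name"]: e for e in created if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in created if e["EventID"] == 20}
    alerts = []
    for e in created:
        if e["EventID"] != 21:
            continue
        consumer_cls, consumer_name = parse_ref(e["Consumer"])
        _, filter_name = parse_ref(e["Filter"])
        consumer = consumers.get(consumer_name, {})
        flt = filters.get(filter_name, {})
        # Trust the class named in the binding even if the consumer event itself was lost.
        if consumer_cls in EXECUTING_CONSUMERS or consumer.get("Type") in EXECUTING_CONSUMERS:
            alerts.append({
                "user": e.get("User"),
                "consumer": consumer_name,
                "consumer_type": consumer_cls,
                "command": consumer.get("Destination", "<consumer event not seen>"),
                "filter": filter_name,
                "query": flt.get("Query", "<filter event not seen>"),
                # Uptime-window queries are a classic boot-time trigger for persistence.
                "boot_trigger": "SystemUpTime" in flt.get("Query", ""),
            })
    return alerts
```

The alert carries the filter query and the consumer's command line together, which is what an analyst needs to judge it; the same join can be done on a live host by enumerating `__FilterToConsumerBinding` in the `root\subscription` namespace with `Get-CimInstance`.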

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

During Operation Ghost, APT29 used steganography to hide payloads inside valid images.[1]
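Both steganography entries above (T1001.002 for the C2 channel and T1027.003 for the payload) describe data hidden inside images that still open as ordinary pictures. The following is an added example, written for this page and not code from the campaign, the cited report, or any of the named malware families: it embeds a payload in the least-significant bits of an RGB carrier, writes the result as a standards-conformant PNG using only the standard library, then parses the PNG back (verifying every chunk CRC) and recovers the payload. The framing (a 4-byte length prefix, one bit per channel byte) and the gradient carrier are this example's own choices, not the scheme APT29 used.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Length + type + data + CRC32 over type and data, as the PNG spec requires."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def encode_png(width, height, rgb):
    """Write 8-bit RGB pixels as a non-interlaced PNG with filter type 0 on every scanline."""
    if len(rgb) != width * height * 3:
        raise ValueError("pixel buffer does not match dimensions")
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def decode_png(data):
    """Parse the PNG produced above (8-bit RGB, filter 0), checking every chunk CRC."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r}")
        if ctype == b"IHDR":
            width, height, depth, color_type = struct.unpack(">IIBBBBB", body)[:4]
            if depth != 8 or color_type != 2:
                raise ValueError("example decoder handles 8-bit RGB only")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3 + 1                      # one filter byte precedes each scanline
    rgb = bytearray()
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("example decoder handles filter type 0 only")
        rgb += line[1:]
    return width, height, bytes(rgb)


def embed(rgb, payload):
    """Hide a length-prefixed payload, one bit per channel byte, in the LSBs of the carrier."""
    frame = struct.pack(">I", len(payload)) + payload
    if len(frame) * 8 > len(rgb):
        raise ValueError("carrier too small for payload")
    out = bytearray(rgb)
    for i in range(len(frame) * 8):
        bit = (frame[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(rgb):
    """Read the length prefix, then exactly that many payload bytes, back out of the LSBs."""
    def read(bit_offset, nbytes):
        buf = bytearray()
        for k in range(nbytes):
            value = 0
            for b in range(8):
                value = (value << 1) | (rgb[bit_offset + k * 8 + b] & 1)
            buf.append(value)
        return bytes(buf)
    (length,) = struct.unpack(">I", read(0, 4))
    if 32 + length * 8 > len(rgb):
        raise ValueError("length prefix exceeds carrier; not our framing")
    return read(32, length)


def roundtrip(payload, width=64, height=64):
    """Embed, write a PNG, read it back, extract; report how little the carrier changed."""
    # Constructed carrier: a colour gradient standing in for a real photograph.
    carrier = bytes((x * 4 + y * 3 + c * 7) & 0xFF
                    for y in range(height) for x in range(width) for c in range(3))
    png = encode_png(width, height, embed(carrier, payload))
    w, h, rgb = decode_png(png)
    recovered = extract(rgb)
    changed = sum(1 for a, b in zip(carrier, rgb) if a != b)
    max_delta = max(abs(a - b) for a, b in zip(carrier, rgb))
    return recovered, changed, max_delta, len(png)
```

The point for defenders is in the last two return values: no channel value moves by more than one, so the file is indistinguishable to the eye and passes strict format validation (the decoder here rejects any bad CRC and still accepts the carrier). Detection therefore has to come from context, such as an implant process fetching images from social-media pages, or from steganalysis of the LSB plane, not from the image being malformed.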

Enterprise T1078 .002 Valid Accounts: Domain Accounts

For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers.[1]

Software

ID Name Description
S0512 FatDuke

For Operation Ghost, APT29 used FatDuke as a third-stage backdoor.[1]

S0051 MiniDuke

For Operation Ghost, APT29 used MiniDuke as a second-stage backdoor.[1]

S0518 PolyglotDuke

For Operation Ghost, APT29 used PolyglotDuke as a first-stage downloader.[1]

S0029 PsExec

For Operation Ghost, APT29 used PsExec for lateral movement on compromised networks.[1]

S0511 RegDuke

For Operation Ghost, APT29 used RegDuke as a first-stage implant.[1]

References