Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.001 | Acquire Infrastructure: Domains | For Operation Ghost, APT29 registered domains for use in C2 including some crafted to appear as existing legitimate domains.[1]
Enterprise | T1001.002 | Data Obfuscation: Steganography | During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers.[1]
Enterprise | T1587.001 | Develop Capabilities: Malware | For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke.[1]
Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes.[1]
Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware.[1]
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | During Operation Ghost, APT29 used steganography to hide payloads inside valid images.[1]
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.[1]
Enterprise | T1102.002 | Web Service: Bidirectional Communication | For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers.[1]
ID | Name | Description
---|---|---
S0512 | FatDuke | For Operation Ghost, APT29 used FatDuke as a third-stage backdoor.[1]
S0051 | MiniDuke | For Operation Ghost, APT29 used MiniDuke as a second-stage backdoor.[1]
S0518 | PolyglotDuke | For Operation Ghost, APT29 used PolyglotDuke as a first-stage downloader.[1]
S0029 | PsExec | For Operation Ghost, APT29 used PsExec for lateral movement on compromised networks.[1]
S0511 | RegDuke | For Operation Ghost, APT29 used RegDuke as a first-stage implant.[1]