1. Home
  2. Campaigns
  3. Operation Ghost

Operation Ghost

Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]

ID: C0023
First Seen:  September 2013 [1]
Last Seen:  October 2019 [1]
Version: 1.0
Created: 23 March 2023
Last Modified: 06 April 2023
Version Permalink

Groups

ID Name Description
G0016 APT29

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

For Operation Ghost, APT29 registered domains for use in C2 including some crafted to appear as existing legitimate domains.[1]
Enterprise T1001 .002 Data Obfuscation: Steganography

During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers.[1]
Enterprise T1587 .001 Develop Capabilities: Malware

For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke.[1]
Enterprise T1585 .001 Establish Accounts: Social Media Accounts

For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes.[1]
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware.[1]
Enterprise T1027 .003 Obfuscated Files or Information: Steganography

During Operation Ghost, APT29 used steganography to hide payloads inside valid images.[1]
Enterprise T1078 .002 Valid Accounts: Domain Accounts

For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.[1]
Enterprise T1102 .002 Web Service: Bidirectional Communication

For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers.[1]

Software

ID Name Description
S0512 FatDuke

For Operation Ghost, APT29 used FatDuke as a third-stage backdoor.[1]
S0051 MiniDuke

For Operation Ghost, APT29 used MiniDuke as a second-stage backdoor.[1]
S0518 PolyglotDuke

For Operation Ghost, APT29 used PolyglotDuke as a first-stage downloader.[1]
S0029 PsExec

For Operation Ghost, APT29 used PsExec for lateral movement on compromised networks.[1]
S0511 RegDuke

For Operation Ghost, APT29 used RegDuke as a first-stage implant.[1]

References

  1. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.