C0023 Operation Ghost
Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.
| Item | Value |
| --- | --- |
| ID | C0023 |
| Associated Names | |
| First Seen | September 2013 |
| Last Seen | October 2019 |
| Version | 1.0 |
| Created | 23 March 2023 |
| Last Modified | 06 April 2023 |
Groups
Techniques Used
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | For Operation Ghost, APT29 registered domains for use in C2, including some crafted to appear as existing legitimate domains. |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.002 | Steganography | During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers. |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke. |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.001 | Social Media Accounts | For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.003 | Steganography | During Operation Ghost, APT29 used steganography to hide payloads inside valid images. |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.002 | Domain Accounts | For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks. |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers. |
Software
References