C0023 Operation Ghost
Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.1
| Item | Value |
|---|---|
| ID | C0023 |
| Associated Names | |
| First Seen | September 2013 |
| Last Seen | October 2019 |
| Version | 1.0 |
| Created | 23 March 2023 |
| Last Modified | 06 April 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Groups
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | For Operation Ghost, APT29 registered domains for use in C2 including some crafted to appear as existing legitimate domains.1 |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.002 | Steganography | During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers.1 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke.1 |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.001 | Social Media Accounts | For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes.1 |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.003 | Steganography | During Operation Ghost, APT29 used steganography to hide payloads inside valid images.1 |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.002 | Domain Accounts | For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.1 |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers.1 |