C0023 Operation Ghost
Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.
23 March 2023
06 April 2023
Techniques Used

| Technique | Use |
|---|---|
| | For Operation Ghost, APT29 registered domains for use in C2, including some crafted to appear as existing legitimate domains. |
| | During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers. |
| | For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke. |
| Social Media Accounts | For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes. |
| Event Triggered Execution: Windows Management Instrumentation Event Subscription | During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware. |
| Obfuscated Files or Information | During Operation Ghost, APT29 used steganography to hide payloads inside valid images. |
| | For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks. |
| | For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers. |