1. Home
  2. Campaigns
  3. Operation Ghost

Operation Ghost

Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]

ID: C0023
First Seen:  September 2013 [1]
Last Seen:  October 2019 [1]
Version: 1.0
Created: 23 March 2023
Last Modified: 06 April 2023

Groups

ID Name Description
G0016 APT29

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 .003 事件触发执行: Windows Management Instrumentation Event Subscription

During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware.[1]
Enterprise T1585 .001 建立账户: Social Media Accounts

For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes.[1]
Enterprise T1587 .001 开发能力: Malware

For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke.[1]
Enterprise T1001 .002 数据混淆: Steganography

During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers.[1]
Enterprise T1078 .002 有效账户: Domain Accounts

For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.[1]
Enterprise T1027 .003 混淆文件或信息: Steganography

During Operation Ghost, APT29 used steganography to hide payloads inside valid images.[1]
Enterprise T1102 .002 网络服务: Bidirectional Communication

For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers.[1]
Enterprise T1583 .001 获取基础设施: Domains

For Operation Ghost, APT29 registered domains for use in C2 including some crafted to appear as existing legitimate domains.[1]

Software

ID Name Description
S0512 FatDuke

For Operation Ghost, APT29 used FatDuke as a third-stage backdoor.[1]
S0051 MiniDuke

For Operation Ghost, APT29 used MiniDuke as a second-stage backdoor.[1]
S0518 PolyglotDuke

For Operation Ghost, APT29 used PolyglotDuke as a first-stage downloader.[1]
S0029 PsExec

For Operation Ghost, APT29 used PsExec for lateral movement on compromised networks.[1]
S0511 RegDuke

For Operation Ghost, APT29 used RegDuke as a first-stage implant.[1]

References

  1. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.