Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]
Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | For Operation Dust Storm, the threat actors disguised some executables as JPG files.[1] |
| Enterprise | T1568 | Dynamic Resolution | For Operation Dust Storm, the threat actors used dynamic DNS domains from a variety of free providers, including No-IP, Oray, and 3322.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During Operation Dust Storm, attackers used VBS code to decode payloads.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Operation Dust Storm, the threat actors used Visual Basic scripts.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | During Operation Dust Storm, the threat actors used JavaScript code.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322.[1] |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | For Operation Dust Storm, the threat actors established email addresses to register domains for their operations.[1] |
| Enterprise | T1189 | Drive-by Compromise | During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | For Operation Dust Storm, the threat actors used UPX to pack some payloads.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR that skipped both the key byte itself and zero bytes, in an attempt to avoid exposing the key; other payloads were Base64-encoded.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | During Operation Dust Storm, the threat actors relied on a victim clicking on a malicious link sent via email.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | During Operation Dust Storm, the threat actors relied on potential victims to open a malicious Microsoft Word document sent via email.[1] |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | During Operation Dust Storm, the threat actors executed JavaScript code via |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure.[1] |
| Enterprise | T1518 | Software Discovery | During Operation Dust Storm, the threat actors deployed a file called |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | During Operation Dust Storm, the threat actors sent spearphishing emails that contained a malicious Microsoft Word document.[1] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | During Operation Dust Storm, the threat actors sent spearphishing emails containing a malicious link.[1] |
| Mobile | T1533 | Data from Local System | During Operation Dust Storm, the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices.[1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | During Operation Dust Storm, the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.[1] |
| Mobile | T1420 | File and Directory Discovery | During Operation Dust Storm, the threat actors used Android backdoors capable of enumerating specific files on the infected devices.[1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | During Operation Dust Storm, the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers.[1] |
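As an added example (not code from the page or from the campaign's tooling), a Python encoder/decoder for the single-byte XOR variant described in the Encrypted/Encoded File row, alongside plain XOR to show why the skip rule hides the key, plus a known-plaintext key recovery an analyst can use when decoding such a payload. The skip rule (bytes equal to 0x00 or to the key are copied through unchanged) is my reading of the description, and the sample bytes are constructed.

```python
from collections import Counter
from typing import Optional

# Constructed sample: a PE-style header and DOS stub text, chosen because it
# contains many null bytes, which is exactly what a plain XOR would turn into
# runs of the key byte.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
          b"This program cannot be run in DOS mode.")


def plain_xor(data: bytes, key: int) -> bytes:
    """Ordinary single-byte XOR: every null becomes the key byte."""
    return bytes(b ^ key for b in data)


def xor_skip(data: bytes, key: int) -> bytes:
    """Single-byte XOR that leaves 0x00 and key-valued bytes untouched (assumed
    reading of 'skipping the key itself and zeroing'). Because a non-skipped
    byte can never XOR to 0x00 or to the key, the transform is its own inverse,
    so the same function both encodes and decodes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b if b in (0, key) else b ^ key for b in data)


def most_common_byte(data: bytes) -> int:
    """Frequency analysis an analyst would try first: with plain XOR this
    returns the key; with the skipping variant the nulls stay nulls."""
    return Counter(data).most_common(1)[0][0]


def recover_key(encoded: bytes, known_prefix: bytes = b"MZ") -> Optional[int]:
    """Known-plaintext recovery: try all 256 keys against the expected prefix
    (here the PE 'MZ' magic) and return the first that decodes to it."""
    head = encoded[:len(known_prefix)]
    for key in range(256):
        if xor_skip(head, key) == known_prefix:
            return key
    return None


if __name__ == "__main__":
    key = 0x37
    print(hex(most_common_byte(plain_xor(SAMPLE, key))))  # key leaks as 0x37
    print(hex(most_common_byte(xor_skip(SAMPLE, key))))   # stays 0x0
    print(hex(recover_key(xor_skip(SAMPLE, key))))        # 0x37
```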
| ID | Name | Description |
|---|---|---|
| S0032 | gh0st RAT | |
| S0084 | Mis-Type | |
| S0083 | Misdat | |
| S0012 | PoisonIvy | |
| S0085 | S-Type | |
| S0086 | ZLib | |