Night Dragon, Campaign C0002 | MITRE ATT&CK®

Night Dragon

Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]

ID: C0002
First Seen:  November 2009 [1]
Last Seen:  February 2011 [1]
Version: 1.1
Created: 08 September 2022
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1583 .004 Acquire Infrastructure: Server

During Night Dragon, threat actors purchased hosted services to use for C2.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During Night Dragon, threat actors used HTTP for C2.[1]

Enterprise T1110 .002 Brute Force: Password Cracking

During Night Dragon, threat actors used Cain & Abel to crack password hashes.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.[1]

Enterprise T1584 .004 Compromise Infrastructure: Server

During Night Dragon, threat actors compromised web servers to use for C2.[1]

Enterprise T1005 Data from Local System

During Night Dragon, the threat actors collected files and other data from compromised systems.[1]

Enterprise T1074 .002 Data Staged: Remote Data Staging

During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them.[1]

Enterprise T1568 Dynamic Resolution

During Night Dragon, threat actors used dynamic DNS services for C2.[1]

Enterprise T1114 .001 Email Collection: Local Email Collection

During Night Dragon, threat actors used RAT malware to exfiltrate email archives.[1]

Enterprise T1190 Exploit Public-Facing Application

During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access.[1]

Enterprise T1133 External Remote Services

During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1]

Enterprise T1008 Fallback Channels

During Night Dragon, threat actors used company extranet servers as secondary C2 servers.[1]

Enterprise T1083 File and Directory Discovery

During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.[1]

Enterprise T1105 Ingress Tool Transfer

During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.[1]

Enterprise T1112 Modify Registry

During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

During Night Dragon, threat actors used software packing in its tools.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

During Night Dragon, threat actors used a DLL that included an XOR-encoded section.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

During Night Dragon, threat actors used Trojans from underground hacker websites.[1]

.002 Obtain Capabilities: Tool

During Night Dragon, threat actors obtained and used tools such as gsecdump.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

During Night Dragon, threat actors dumped account hashes using gsecdump.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.[1]

Enterprise T1219 Remote Access Software

During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers.[1]

Enterprise T1033 System Owner/User Discovery

During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

During Night Dragon, threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers.[1]

Enterprise T1204 .001 User Execution: Malicious Link

During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware.[1]

Enterprise T1078 Valid Accounts

During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1]

.002 Domain Accounts

During Night Dragon, threat actors used domain accounts to gain further access to victim systems.[1]

Software

ID Name Description
S0073 ASPXSpy

During Night Dragon, threat actors deployed ASPXSpy on compromised web servers.[1]

S0110 at

During Night Dragon, threat actors used at to execute droppers.[1]

S0008 gsecdump

During Night Dragon, threat actors used gsecdump to dump account hashes.[1]

S0029 PsExec

During Night Dragon, threat actors used PsExec to remotely execute droppers.[1]

S0350 zwShell

During Night Dragon, threat actors used zwShell to generate Trojan variants, control victim machines, and exfiltrate data.[1]

References