Operation Dust Storm, Campaign C0016 | MITRE ATT&CK®

Operation Dust Storm

Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]

Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]

ID: C0016
First Seen: January 2010 [1]
Last Seen: February 2016 [1]
Version: 1.1
Created: 29 September 2022
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1583.001 Acquire Infrastructure: Domains

For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

During Operation Dust Storm, the threat actors used Visual Basic scripts.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

During Operation Dust Storm, the threat actors used JavaScript code.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

During Operation Dust Storm, attackers used VBS code to decode payloads.[1]

Enterprise T1189 Drive-by Compromise

During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322.[1]

Enterprise T1568 Dynamic Resolution

For Operation Dust Storm, the threat actors used dynamic DNS domains from a variety of free providers, including No-IP, Oray, and 3322.[1]

Enterprise T1585.002 Establish Accounts: Email Accounts

For Operation Dust Storm, the threat actors established email addresses to register domains for their operations.[1]

Enterprise T1203 Exploitation for Client Execution

During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322.[1]

Enterprise T1036 Masquerading

For Operation Dust Storm, the threat actors disguised some executables as JPG files.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

For Operation Dust Storm, the threat actors used UPX to pack some payloads.[1]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, skipping both the key itself and zero bytes in an attempt to avoid exposing the key; other payloads were Base64-encoded.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

During Operation Dust Storm, the threat actors sent spearphishing emails that contained a malicious Microsoft Word document.[1]

Enterprise T1566.002 Phishing: Spearphishing Link

During Operation Dust Storm, the threat actors sent spearphishing emails containing a malicious link.[1]

Enterprise T1518 Software Discovery

During Operation Dust Storm, the threat actors deployed a file called DeployJava.js to fingerprint installed software on a victim system prior to exploit delivery.[1]

Enterprise T1218.005 System Binary Proxy Execution: Mshta

During Operation Dust Storm, the threat actors executed JavaScript code via mshta.exe.[1]

Enterprise T1204.001 User Execution: Malicious Link

During Operation Dust Storm, the threat actors relied on a victim clicking on a malicious link sent via email.[1]

Enterprise T1204.002 User Execution: Malicious File

During Operation Dust Storm, the threat actors relied on potential victims to open a malicious Microsoft Word document sent via email.[1]

Mobile T1533 Data from Local System

During Operation Dust Storm, the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices.[1]

Mobile T1646 Exfiltration Over C2 Channel

During Operation Dust Storm, the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.[1]

Mobile T1420 File and Directory Discovery

During Operation Dust Storm, the threat actors used Android backdoors capable of enumerating specific files on the infected devices.[1]

Mobile T1636.004 Protected User Data: SMS Messages

During Operation Dust Storm, the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers.[1]
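The single-byte XOR noted under T1027.013 above, as an added analyst-side example (not code from the campaign, the cited report, or MITRE): it shows why leaving some bytes untouched hides the key from a byte-frequency check, and how the key is still recovered by testing each candidate against a known file structure. It assumes the encoder left 0x00 bytes and bytes equal to the key unchanged and that the hidden payload is a Windows PE file; the function names and the sample buffer are constructed for illustration.

```python
import struct
from collections import Counter

def xor_skip(data: bytes, key: int) -> bytes:
    """XOR with key, leaving 0x00 and bytes equal to key untouched.
    The transform is its own inverse, so it both encodes and decodes."""
    return bytes(b if b in (0, key) else b ^ key for b in data)

def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover(blob: bytes):
    """Try every non-zero key; return (key, decoded) for the first PE-like result."""
    for key in range(1, 256):
        decoded = xor_skip(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None

def most_common_byte(blob: bytes) -> int:
    """Frequency heuristic: with plain XOR the commonest byte is usually the key."""
    return Counter(blob).most_common(1)[0][0]

def build_sample() -> bytes:
    """Constructed stand-in for a PE file: DOS header, stub text, PE signature."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode."
    hdr[0x40:0x40 + len(stub)] = stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + bytes(18)

if __name__ == "__main__":
    key = 0x6F  # constructed key for the demo, not a value from the report
    sample = build_sample()
    plain_xor = bytes(b ^ key for b in sample)
    skipping = xor_skip(sample, key)
    # Plain XOR turns every zero byte into the key, so the key dominates.
    print("plain XOR, commonest byte:", hex(most_common_byte(plain_xor)))
    # The skipping variant keeps zeros as zeros, so the heuristic sees nothing.
    print("skip XOR,  commonest byte:", hex(most_common_byte(skipping)))
    found = recover(skipping)
    print("recovered key:", hex(found[0]) if found else None)
```

A blob that resists the frequency heuristic but decodes to a valid PE under one key is a strong triage signal for this encoding.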

Software

References