<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Campaigns | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a 
class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a 
class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" 
class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item">Campaigns</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <div class="overflow-x-auto"> <h1>Campaigns</h1> <p> The security community tracks intrusion activity using various analytic methodologies and terms, such as operations, intrusion sets, and campaigns. Some intrusion activity may be referenced by a variety of names due to different organizations tracking similar activity, often from different vantage points; conversely other times reported activity is not given a designated name. 
</p> <p> Malicious cyber activity may be attributed to a threat group, or referenced as unattributed activity. Alternatively, complex cyber operations may involve multiple affiliated or unaffiliated groups, with each playing a unique role (e.g., initial access, data exfiltration, etc.). </p> <p> For the purposes of the Campaigns page, the MITRE ATT&CK team uses the term Campaign to describe any grouping of intrusion activity conducted over a specific period of time with common targets and objectives. Unnamed intrusion activity is cited using a unique ATT&CK identifier; otherwise the team will use the activity name as noted in public reporting. For named Campaigns, the team makes a best effort to track overlapping names, which are designated as “Associated Campaigns” on each page, as we believe these overlaps are useful for analysts. Campaign entries will also be attributed to ATT&CK Group and Software pages, when possible, based on public reporting; unattributed activity will simply reference “threat actors” in the procedure example. </p> <p> Campaigns are mapped to publicly reported techniques and original references are included. The information provided does not represent all possible techniques used in a Campaign but rather a subset that is available through open source reporting. 
</p> <h6 class="table-object-count">Campaigns: 36</h6> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <!-- <th scope="col">First Seen</th> --> <!-- <th scope="col">Last Seen</th> --> <!-- <th scope="col">Associated Campaigns</th> --> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/campaigns/C0028"> C0028 </a> </td> <td> <a href="/campaigns/C0028"> 2015 Ukraine Electric Power Attack </a> </td> <!-- <td>December 2015</td> --> <!-- <td>January 2016</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a> was a <a href="/groups/G0034">Sandworm Team</a> campaign during which they used <a href="/software/S0089">BlackEnergy</a> (specifically BlackEnergy3) and <a href="/software/S0607">KillDisk</a> to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0025"> C0025 </a> </td> <td> <a href="/campaigns/C0025"> 2016 Ukraine Electric Power Attack </a> </td> <!-- <td>December 2016</td> --> <!-- <td>December 2016</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a> was a <a href="/groups/G0034">Sandworm Team</a> campaign during which they used <a href="/software/S0604">Industroyer</a> malware to target and disrupt distribution substations within the Ukrainian power grid. 
This campaign was the second major public attack conducted against Ukraine by <a href="/groups/G0034">Sandworm Team</a>.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0034"> C0034 </a> </td> <td> <a href="/campaigns/C0034"> 2022 Ukraine Electric Power Attack </a> </td> <!-- <td>June 2022</td> --> <!-- <td>October 2022</td> --> <!-- <td></td> --> <td> <p>The <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a> was a <a href="/groups/G0034">Sandworm Team</a> campaign that used a combination of GOGETTER, Neo-REGEORG, <a href="/software/S0693">CaddyWiper</a>, and living off the land (LotL) techniques to gain access to a Ukrainian electric utility and send unauthorized commands from their SCADA system. </p> </td> </tr> <tr> <td> <a href="/campaigns/C0040"> C0040 </a> </td> <td> <a href="/campaigns/C0040"> APT41 DUST </a> </td> <!-- <td>January 2023</td> --> <!-- <td>June 2024</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0040">APT41 DUST</a> was conducted by <a href="/groups/G0096">APT41</a> from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. <a href="https://attack.mitre.org/campaigns/C0040">APT41 DUST</a> targeted sectors such as shipping, logistics, and media for information gathering purposes. <a href="/groups/G0096">APT41</a> used previously-observed malware such as <a href="/software/S1158">DUSTPAN</a> as well as newly observed tools such as <a href="/software/S1159">DUSTTRAP</a> in <a href="https://attack.mitre.org/campaigns/C0040">APT41 DUST</a>.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0010"> C0010 </a> </td> <td> <a href="/campaigns/C0010"> C0010 </a> </td> <!-- <td>December 2020</td> --> <!-- <td>August 2022</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0010">C0010</a> was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. 
Security researchers assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. <a href="https://attack.mitre.org/campaigns/C0010">C0010</a> began by at least late 2020, and was still ongoing as of mid-2022.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0011"> C0011 </a> </td> <td> <a href="/campaigns/C0011"> C0011 </a> </td> <!-- <td>December 2021</td> --> <!-- <td>July 2022</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0011">C0011</a> was a suspected cyber espionage campaign conducted by <a href="/groups/G0134">Transparent Tribe</a> that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from <a href="/groups/G0134">Transparent Tribe</a>'s historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022. </p> </td> </tr> <tr> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <!-- <td>August 2021</td> --> <!-- <td>August 2021</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0015">C0015</a> was a ransomware intrusion during which the unidentified attackers used <a href="/software/S0534">Bazar</a>, <a href="/software/S0154">Cobalt Strike</a>, and <a href="/software/S0575">Conti</a>, along with other tools, over a 5-day period. 
Security researchers assessed the actors likely used the widely-circulated <a href="/software/S0575">Conti</a> ransomware playbook based on the observed pattern of activity and operator errors.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <!-- <td>May 2021</td> --> <!-- <td>February 2022</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0017">C0017</a> was an <a href="/groups/G0096">APT41</a> campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During <a href="https://attack.mitre.org/campaigns/C0017">C0017</a>, <a href="/groups/G0096">APT41</a> was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of <a href="https://attack.mitre.org/campaigns/C0017">C0017</a> are unknown; however, <a href="/groups/G0096">APT41</a> was observed exfiltrating Personally Identifiable Information (PII).</p> </td> </tr> <tr> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <!-- <td>February 2022</td> --> <!-- <td>March 2022</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0018">C0018</a> was a month-long ransomware intrusion that successfully deployed <a href="/software/S1053">AvosLocker</a> onto a compromised network. 
The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing <a href="/software/S1053">AvosLocker</a>.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0021"> C0021 </a> </td> <td> <a href="/campaigns/C0021"> C0021 </a> </td> <!-- <td>November 2018</td> --> <!-- <td>November 2018</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0021">C0021</a> was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. <a href="https://attack.mitre.org/campaigns/C0021">C0021</a>'s technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected <a href="/groups/G0016">APT29</a> activity.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0026"> C0026 </a> </td> <td> <a href="/campaigns/C0026"> C0026 </a> </td> <!-- <td>August 2022</td> --> <!-- <td>September 2022</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0026">C0026</a> was a campaign identified in September 2022 that included the selective distribution of <a href="/software/S1075">KOPILUWAK</a> and <a href="/software/S1076">QUIETCANARY</a> malware to previous <a href="/software/S1074">ANDROMEDA</a> malware victims in Ukraine through re-registered <a href="/software/S1074">ANDROMEDA</a> C2 domains. 
Several tools and tactics used during <a href="https://attack.mitre.org/campaigns/C0026">C0026</a> were consistent with historic <a href="/groups/G0010">Turla</a> operations.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0027"> C0027 </a> </td> <td> <a href="/campaigns/C0027"> C0027 </a> </td> <!-- <td>June 2022</td> --> <!-- <td>December 2022</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0027">C0027</a> was a financially-motivated campaign linked to <a href="/groups/G1015">Scattered Spider</a> that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During <a href="https://attack.mitre.org/campaigns/C0027">C0027</a> <a href="/groups/G1015">Scattered Spider</a> used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0032"> C0032 </a> </td> <td> <a href="/campaigns/C0032"> C0032 </a> </td> <!-- <td>October 2014</td> --> <!-- <td>January 2017</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0032">C0032</a> was an extended campaign suspected to involve the <a href="/software/S1009">Triton</a> adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the <a href="https://attack.mitre.org/campaigns/C0030">Triton Safety Instrumented System Attack</a>.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0033"> C0033 </a> </td> <td> <a href="/campaigns/C0033"> C0033 </a> </td> <!-- <td>May 2016</td> --> <!-- <td>January 2023</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0033">C0033</a> was a <a href="/groups/G0056">PROMETHIUM</a> campaign during which they used <a href="/software/S0491">StrongPity</a> to target Android users. 
<a href="https://attack.mitre.org/campaigns/C0033">C0033</a> was the first publicly documented mobile campaign for <a href="/groups/G0056">PROMETHIUM</a>, who previously used Windows-based techniques.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0004"> C0004 </a> </td> <td> <a href="/campaigns/C0004"> CostaRicto </a> </td> <!-- <td>October 2019</td> --> <!-- <td>November 2020</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0004">CostaRicto</a> was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. <a href="https://attack.mitre.org/campaigns/C0004">CostaRicto</a> actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0029"> C0029 </a> </td> <td> <a href="/campaigns/C0029"> Cutting Edge </a> </td> <!-- <td>December 2023</td> --> <!-- <td>February 2024</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0029">Cutting Edge</a> was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. <a href="https://attack.mitre.org/campaigns/C0029">Cutting Edge</a> targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. 
<a href="https://attack.mitre.org/campaigns/C0029">Cutting Edge</a> featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0001"> C0001 </a> </td> <td> <a href="/campaigns/C0001"> Frankenstein </a> </td> <!-- <td>January 2019</td> --> <!-- <td>April 2019</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0001">Frankenstein</a> was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including <a href="/software/S0363">Empire</a>. The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0007"> C0007 </a> </td> <td> <a href="/campaigns/C0007"> FunnyDream </a> </td> <!-- <td>July 2018</td> --> <!-- <td>November 2020</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0007">FunnyDream</a> was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. 
Security researchers linked the <a href="https://attack.mitre.org/campaigns/C0007">FunnyDream</a> campaign to possible Chinese-speaking threat actors through the use of the <a href="/software/S1041">Chinoxy</a> backdoor and noted infrastructure overlap with the TAG-16 threat group.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0038"> C0038 </a> </td> <td> <a href="/campaigns/C0038"> HomeLand Justice </a> </td> <!-- <td>May 2021</td> --> <!-- <td>September 2022</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0038">HomeLand Justice</a> was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for <a href="https://attack.mitre.org/campaigns/C0038">HomeLand Justice</a> was established in May 2021 as threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the "HomeLand Justice" front whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group who maintain a refugee camp in Albania, and were formerly designated a terrorist organization by the US State Department. A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0035"> C0035 </a> </td> <td> <a href="/campaigns/C0035"> KV Botnet Activity </a> </td> <!-- <td>October 2022</td> --> <!-- <td>January 2024</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0035">KV Botnet Activity</a> consisted of exploitation of primarily "end-of-life" small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. 
<a href="https://attack.mitre.org/campaigns/C0035">KV Botnet Activity</a> was used by <a href="/groups/G1017">Volt Typhoon</a> to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based in the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster. This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0020"> C0020 </a> </td> <td> <a href="/campaigns/C0020"> Maroochy Water Breach </a> </td> <!-- <td>February 2000</td> --> <!-- <td>April 2000</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0020">Maroochy Water Breach</a> was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0002"> C0002 </a> </td> <td> <a href="/campaigns/C0002"> Night Dragon </a> </td> <!-- <td>November 2009</td> --> <!-- <td>February 2011</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0002">Night Dragon</a> was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. 
Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0012"> C0012 </a> </td> <td> <a href="/campaigns/C0012"> Operation CuckooBees </a> </td> <!-- <td>December 2019</td> --> <!-- <td>May 2022</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a> was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of <a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a>, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed <a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a> was conducted by actors affiliated with <a href="/groups/G0044">Winnti Group</a>, <a href="/groups/G0096">APT41</a>, and BARIUM.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0022"> C0022 </a> </td> <td> <a href="/campaigns/C0022"> Operation Dream Job </a> </td> <!-- <td>September 2019</td> --> <!-- <td>August 2020</td> --> <!-- <td>Operation North Star, Operation Interception</td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a> was a cyber espionage operation likely conducted by <a href="/groups/G0032">Lazarus Group</a> that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. 
In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a>, Operation North Star, and Operation Interception; by 2022 security researchers described <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a> as an umbrella term covering both Operation Interception and Operation North Star.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0016"> C0016 </a> </td> <td> <a href="/campaigns/C0016"> Operation Dust Storm </a> </td> <!-- <td>January 2010</td> --> <!-- <td>February 2016</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0016">Operation Dust Storm</a> was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the <a href="https://attack.mitre.org/campaigns/C0016">Operation Dust Storm</a> threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.</p><p><a href="https://attack.mitre.org/campaigns/C0016">Operation Dust Storm</a> threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0023"> C0023 </a> </td> <td> <a href="/campaigns/C0023"> Operation Ghost </a> </td> <!-- <td>September 2013</td> --> <!-- <td>October 2019</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a> was an <a href="/groups/G0016">APT29</a> campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. 
embassy of a European Union country. During <a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a>, <a href="/groups/G0016">APT29</a> used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0006"> C0006 </a> </td> <td> <a href="/campaigns/C0006"> Operation Honeybee </a> </td> <!-- <td>August 2017</td> --> <!-- <td>February 2018</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0006">Operation Honeybee</a> was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. <a href="https://attack.mitre.org/campaigns/C0006">Operation Honeybee</a> initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents. </p> </td> </tr> <tr> <td> <a href="/campaigns/C0013"> C0013 </a> </td> <td> <a href="/campaigns/C0013"> Operation Sharpshooter </a> </td> <!-- <td>September 2017</td> --> <!-- <td>March 2019</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0013">Operation Sharpshooter</a> was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous <a href="/groups/G0032">Lazarus Group</a> operations, including fake job recruitment lures and shared malware code. 
</p> </td> </tr> <tr> <td> <a href="/campaigns/C0005"> C0005 </a> </td> <td> <a href="/campaigns/C0005"> Operation Spalax </a> </td> <!-- <td>November 2019</td> --> <!-- <td>January 2021</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0005">Operation Spalax</a> was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The <a href="https://attack.mitre.org/campaigns/C0005">Operation Spalax</a> threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to <a href="/groups/G0099">APT-C-36</a>, but identified enough differences to report this as separate, unattributed activity. </p> </td> </tr> <tr> <td> <a href="/campaigns/C0014"> C0014 </a> </td> <td> <a href="/campaigns/C0014"> Operation Wocao </a> </td> <!-- <td>December 2017</td> --> <!-- <td>December 2019</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a> was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.</p><p>Security researchers assessed that the <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a> actors used TTPs and tools similar to those of APT20, suggesting a possible overlap. 
<a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a> was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0036"> C0036 </a> </td> <td> <a href="/campaigns/C0036"> Pikabot Distribution February 2024 </a> </td> <!-- <td>February 2024</td> --> <!-- <td>February 2024</td> --> <!-- <td></td> --> <td> <p><a href="/software/S1145">Pikabot</a> was distributed in <a href="https://attack.mitre.org/campaigns/C0036">Pikabot Distribution February 2024</a> using malicious emails with embedded links leading to malicious ZIP archives requiring user interaction for follow-on infection. The version of <a href="/software/S1145">Pikabot</a> distributed in this campaign featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0024"> C0024 </a> </td> <td> <a href="/campaigns/C0024"> SolarWinds Compromise </a> </td> <!-- <td>August 2019</td> --> <!-- <td>January 2021</td> --> <!-- <td></td> --> <td> <p>The <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a> was a sophisticated supply chain cyber operation conducted by <a href="/groups/G0016">APT29</a> that was discovered in mid-December 2020. <a href="/groups/G0016">APT29</a> used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting. 
Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm. </p><p>In April 2021, the US and UK governments attributed the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a> to Russia's Foreign Intelligence Service (SVR); public statements included citations to <a href="/groups/G0016">APT29</a>, Cozy Bear, and The Dukes. The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number were compromised by follow-on <a href="/groups/G0016">APT29</a> activity on their systems. </p> </td> </tr> <tr> <td> <a href="/campaigns/C0030"> C0030 </a> </td> <td> <a href="/campaigns/C0030"> Triton Safety Instrumented System Attack </a> </td> <!-- <td>June 2017</td> --> <!-- <td>August 2017</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0030">Triton Safety Instrumented System Attack</a> was a campaign conducted by <a href="/groups/G0088">TEMP.Veles</a> that leveraged the <a href="/software/S1009">Triton</a> malware framework against a petrochemical organization. The malware and techniques used within this campaign targeted specific Triconex <a href="https://attack.mitre.org/assets/A0010">Safety Controller</a>s within the environment. 
The incident was eventually discovered after a safety trip was triggered by a flaw in the malware.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0031"> C0031 </a> </td> <td> <a href="/campaigns/C0031"> Unitronics Defacement Campaign </a> </td> <!-- <td>November 2023</td> --> <!-- <td>November 2023</td> --> <!-- <td></td> --> <td> <p>The <a href="https://attack.mitre.org/campaigns/C0031">Unitronics Defacement Campaign</a> was a collection of intrusions across multiple sectors by the <a href="/groups/G1027">CyberAv3ngers</a>, in which the threat actors engaged in seemingly opportunistic, global targeting and defacement of Unitronics Vision Series <a href="https://attack.mitre.org/assets/A0003">Programmable Logic Controller (PLC)</a> with <a href="https://attack.mitre.org/assets/A0002">Human-Machine Interface (HMI)</a>. These PLCs are commonly found in the water and wastewater, energy, food and beverage manufacturing, and healthcare sectors. The most notable feature of this attack was the defacement of the PLCs' HMIs.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0039"> C0039 </a> </td> <td> <a href="/campaigns/C0039"> Versa Director Zero Day Exploitation </a> </td> <!-- <td>June 2024</td> --> <!-- <td>August 2024</td> --> <!-- <td></td> --> <td> <p><a href="https://attack.mitre.org/campaigns/C0039">Versa Director Zero Day Exploitation</a> was conducted by <a href="/groups/G1017">Volt Typhoon</a> from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. The vulnerability, since tracked as CVE-2024-39717, was exploited to capture credentials from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) in order to enable follow-on access to service provider clients. 
<a href="https://attack.mitre.org/campaigns/C0039">Versa Director Zero Day Exploitation</a> was followed by the delivery of the <a href="/software/S1154">VersaMem</a> web shell for both credential theft and follow-on code execution.</p> </td> </tr> <tr> <td> <a href="/campaigns/C0037"> C0037 </a> </td> <td> <a href="/campaigns/C0037"> Water Curupira Pikabot Distribution </a> </td> <!-- <td>January 2023</td> --> <!-- <td>December 2023</td> --> <!-- <td></td> --> <td> <p><a href="/software/S1145">Pikabot</a> was distributed in <a href="https://attack.mitre.org/campaigns/C0037">Water Curupira Pikabot Distribution</a> throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of <a href="/software/S0650">QakBot</a>, with several technical overlaps and similarities with <a href="/software/S0650">QakBot</a>, indicating a possible connection. The identified activity led to the deployment of tools such as <a href="/software/S0154">Cobalt Strike</a>, while coinciding with campaigns delivering <a href="/software/S1111">DarkGate</a> and <a href="/software/S0483">IcedID</a> en route to ransomware deployment.</p> </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be 