CINXE.COM

Naikon, Group G0019 | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Naikon, Group G0019 | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/groups/">Groups</a></li> <li class="breadcrumb-item">Naikon</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Naikon </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/groups/G0019">Naikon</a> is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015."data-reference="CameraShy"><sup><a href="http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> Active since at least 2010, <a href="/groups/G0019">Naikon</a> has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015."data-reference="CameraShy"><sup><a href="http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </p><p>While <a href="/groups/G0019">Naikon</a> shares some characteristics with <a href="/groups/G0013">APT30</a>, the two groups do not appear to be exact matches.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. Retrieved January 14, 2015."data-reference="Baumgartner Golovkin Naikon 2015"><sup><a href="https://securelist.com/the-naikon-apt/69953/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">ID:&nbsp;</span>G0019 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Contributors</span>: Kyaw Pyiyt Htet, @KyawPyiytHtet </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Version</span>: 2.0 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Created:&nbsp;</span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Last Modified:&nbsp;</span>19 August 2021 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G0019" href="/versions/v16/groups/G0019/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G0019" href="/versions/v16/groups/G0019/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&amp;CK<sup>&reg;</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/groups/G0019/G0019-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/theme/images/external-site-dark.jpeg"></a> <script src="/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G0019/G0019-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547/001">.001</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has modified a victim's Windows Run registry to establish persistence.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1574">T1574</a> </td> <td> <a href="/techniques/T1574/002">.002</a> </td> <td> <a href="/techniques/T1574">Hijack Execution Flow</a>: <a href="/techniques/T1574/002">DLL Side-Loading</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has used DLL side-loading to load malicious DLL's into legitimate executables.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036/004">.004</a> </td> <td> <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/004">Masquerade Task or Service</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> renamed a malicious service <code>taskmgr</code> to appear to be a legitimate version of Task Manager.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/005">.005</a> </td> <td> <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has disguised malicious programs as Google Chrome, Adobe, and VMware executables.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1046">T1046</a> </td> <td> <a href="/techniques/T1046">Network Service Discovery</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has used the LadonGo scanner to scan target networks.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1137">T1137</a> </td> <td> <a href="/techniques/T1137/006">.006</a> </td> <td> <a href="/techniques/T1137">Office Application Startup</a>: <a href="/techniques/T1137/006">Add-ins</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1566">T1566</a> </td> <td> <a href="/techniques/T1566/001">.001</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has used malicious e-mail attachments to deliver malware.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1018">T1018</a> </td> <td> <a href="/techniques/T1018">Remote System Discovery</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has used a netbios scanner for remote machine identification.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1053">T1053</a> </td> <td> <a href="/techniques/T1053/005">.005</a> </td> <td> <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has used schtasks.exe for lateral movement in compromised networks.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1518">T1518</a> </td> <td> <a href="/techniques/T1518/001">.001</a> </td> <td> <a href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> uses commands such as <code>netsh advfirewall firewall</code> to discover local firewall settings.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1016">T1016</a> </td> <td> <a href="/techniques/T1016">System Network Configuration Discovery</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> uses commands such as <code>netsh interface show</code> to discover network interface settings.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1204">T1204</a> </td> <td> <a href="/techniques/T1204/002">.002</a> </td> <td> <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has convinced victims to open malicious attachments to execute malware.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1078">T1078</a> </td> <td> <a href="/techniques/T1078/002">.002</a> </td> <td> <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/002">Domain Accounts</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has used administrator credentials for lateral movement in compromised networks.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1047">T1047</a> </td> <td> <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has used WMIC.exe for lateral movement.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0456">S0456</a> </td> <td> <a href="/software/S0456">Aria-body</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a>: <a href="/techniques/T1134/002">Create Process with Token</a>, <a href="/techniques/T1134">Access Token Manipulation</a>: <a href="/techniques/T1134/001">Token Impersonation/Theft</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1010">Application Window Discovery</a>, <a href="/techniques/T1560">Archive Collected Data</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1025">Data from Removable Media</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1568">Dynamic Resolution</a>: <a href="/techniques/T1568/002">Domain Generation Algorithms</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/techniques/T1090">Proxy</a>, <a href="/techniques/T1113">Screen Capture</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0095">S0095</a> </td> <td> <a href="/software/S0095">ftp</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/techniques/T1048/003">Exfiltration Over Unencrypted Non-C2 Protocol</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1570">Lateral Tool Transfer</a> </td> </tr> <tr> <td> <a href="/software/S0061">S0061</a> </td> <td> <a href="/software/S0061">HDoor</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/techniques/T1046">Network Service Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0630">S0630</a> </td> <td> <a href="/software/S0630">Nebulae</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1574">Hijack Execution Flow</a>: <a href="/techniques/T1574/002">DLL Side-Loading</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0039">S0039</a> </td> <td> <a href="/software/S0039">Net</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a>, <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/007">Additional Local or Domain Groups</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/001">Local Account</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/002">Domain Account</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/005">Network Share Connection Removal</a>, <a href="/techniques/T1135">Network Share Discovery</a>, <a href="/techniques/T1201">Password Policy Discovery</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/001">Local Groups</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a>, <a href="/techniques/T1007">System Service Discovery</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a>, <a href="/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0108">S0108</a> </td> <td> <a href="/software/S0108">netsh</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/007">Netsh Helper DLL</a>, <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/004">Disable or Modify System Firewall</a>, <a href="/techniques/T1090">Proxy</a>, <a href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0097">S0097</a> </td> <td> <a href="/software/S0097">Ping</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </td> <td> <a href="/techniques/T1018">Remote System Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0029">S0029</a> </td> <td> <a href="/software/S0029">PsExec</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/002">Domain Account</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1570">Lateral Tool Transfer</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a> </td> </tr> <tr> <td> <a href="/software/S0629">S0629</a> </td> <td> <a href="/software/S0629">RainyDay</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/004">Windows Credential Manager</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1074">Data Staged</a>: <a href="/techniques/T1074/001">Local Data Staging</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/techniques/T1567/002">Exfiltration to Cloud Storage</a>, <a href="/techniques/T1008">Fallback Channels</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1574">Hijack Execution Flow</a>: <a href="/techniques/T1574/002">DLL Side-Loading</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1090">Proxy</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a>, <a href="/techniques/T1113">Screen Capture</a>, <a href="/techniques/T1007">System Service Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0055">S0055</a> </td> <td> <a href="/software/S0055">RARSTONE</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015."data-reference="CameraShy"><sup><a href="http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/001">Dynamic-link Library Injection</a> </td> </tr> <tr> <td> <a href="/software/S0058">S0058</a> </td> <td> <a href="/software/S0058">SslMM</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015."data-reference="CameraShy"><sup><a href="http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/009">Shortcut Modification</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1008">Fallback Channels</a>, <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/techniques/T1056">Input Capture</a>: <a href="/techniques/T1056/001">Keylogging</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0060">S0060</a> </td> <td> <a href="/software/S0060">Sys10</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/001">Local Groups</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0096">S0096</a> </td> <td> <a href="/software/S0096">Systeminfo</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0057">S0057</a> </td> <td> <a href="/software/S0057">Tasklist</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a>, <a href="/techniques/T1007">System Service Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0059">S0059</a> </td> <td> <a href="/software/S0059">WinMM</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015."data-reference="CameraShy"><sup><a href="http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1008">Fallback Channels</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf" target="_blank"> ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank"> Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://securelist.com/the-naikon-apt/69953/" target="_blank"> Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. Retrieved January 14, 2015. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="4.0"> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank"> CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/sidebar-load-all.js"></script> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-relationships.js"></script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10