high_confidence

C0017

[C0017](https://attack.mitre.org/campaigns/C0017) was an [APT41](https://attack.mitre.org/groups/G0096) campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) was quick to adapt and used both publicly disclosed and zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of [C0017](https://attack.mitre.org/campaigns/C0017) are unknown; however, [APT41](https://attack.mitre.org/groups/G0096) was observed exfiltrating Personally Identifiable Information (PII).(Citation: Mandiant APT41)

Start date: 1 May 2021
End date: 1 February 2022
Techniques: 29

Attributed actors

[APT41](https://attack.mitre.org/groups/G0096)
Techniques (29)

Collection (3)

- T1074.001 Local Data Staging
- T1005 Data from Local System
- T1560.003 Archive via Custom Method

Command and Control (6)

- T1102 Web Service
- T1090 Proxy
- T1102.001 Dead Drop Resolver
- T1001.003 Protocol or Service Impersonation
- T1105 Ingress Tool Transfer
- T1071.001 Web Protocols

Credential Access (1)

- T1003.002 Security Account Manager

Discovery (3)

- T1680 Local Storage Discovery
- T1033 System Owner/User Discovery
- T1016 System Network Configuration Discovery

Execution (4)

- T1059.003 Windows Command Shell
- T1059.007 JavaScript
- T1574 Hijack Execution Flow
- T1053.005 Scheduled Task

Exfiltration (3)

- T1041 Exfiltration Over C2 Channel
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
- T1567 Exfiltration Over Web Service

Initial Access (1)

- T1190 Exploit Public-Facing Application

Persistence (2)

- T1505.003 Web Shell
- T1053.005 Scheduled Task

Privilege Escalation (2)

- T1053.005 Scheduled Task
- T1134 Access Token Manipulation

Resource Development (1)

- T1588.002 Tool

Stealth (7)

- T1036.005 Match Legitimate Resource Name or Location
- T1036.004 Masquerade Task or Service
- T1140 Deobfuscate/Decode Files or Information
- T1574 Hijack Execution Flow
- T1027.002 Software Packing
- T1027 Obfuscated Files or Information
- T1134 Access Token Manipulation

Indicators of compromise

No IOCs linked to this campaign yet.