high_confidence

Operation CuckooBees

[Operation CuckooBees](https://attack.mitre.org/campaigns/C0012) was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012) was conducted by actors affiliated with [Winnti Group](https://attack.mitre.org/groups/G0044), [APT41](https://attack.mitre.org/groups/G0096), and BARIUM. (Citation: Cybereason OperationCuckooBees May 2022)

Start date: 1 December 2019
End date: 1 May 2022
Techniques: 33

Attributed actors

Techniques (33)

collection (2)
T1005 Data from Local System
T1560.001 Archive via Utility

command-and-control (1)
T1071.001 Web Protocols

credential-access (1)
T1003.002 Security Account Manager

discovery (15)
T1018 Remote System Discovery
T1087.001 Local Account
T1135 Network Share Discovery
T1049 System Network Connections Discovery
T1057 Process Discovery
T1120 Peripheral Device Discovery
T1124 System Time Discovery
T1069.001 Local Groups
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1007 System Service Discovery
T1083 File and Directory Discovery
T1201 Password Policy Discovery
T1087.002 Domain Account
T1016 System Network Configuration Discovery

execution (4)
T1059.003 Windows Command Shell
T1574.001 DLL
T1059.005 Visual Basic
T1053.005 Scheduled Task

initial-access (3)
T1133 External Remote Services
T1078.002 Domain Accounts
T1190 Exploit Public-Facing Application

persistence (6)
T1547.006 Kernel Modules and Extensions
T1133 External Remote Services
T1505.003 Web Shell
T1078.002 Domain Accounts
T1543.003 Windows Service
T1053.005 Scheduled Task

privilege-escalation (4)
T1547.006 Kernel Modules and Extensions
T1078.002 Domain Accounts
T1543.003 Windows Service
T1053.005 Scheduled Task

resource-development (1)
T1588.002 Tool

stealth (5)
T1036.005 Match Legitimate Resource Name or Location
T1027.010 Command Obfuscation
T1078.002 Domain Accounts
T1027.011 Fileless Storage
T1574.001 DLL

Indicators of compromise

No IOCs linked to this campaign yet.