high_confidence

Operation Honeybee

[Operation Honeybee](https://attack.mitre.org/campaigns/C0006) was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. [Operation Honeybee](https://attack.mitre.org/campaigns/C0006) initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents. (Citation: McAfee Honeybee)

Start date: 1 August 2017
End date: 1 February 2018
Techniques: 28

Attributed actors

Techniques (28)

collection (3)
T1074.001 Local Data Staging
T1005 Data from Local System
T1560.001 Archive via Utility
command-and-control (2)
T1105 Ingress Tool Transfer
T1071.002 File Transfer Protocols
defense-impairment (2)
T1553.002 Code Signing
T1112 Modify Registry
discovery (3)
T1057 Process Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery
execution (6)
T1059.003 Windows Command Shell
T1204.002 Malicious File
T1569.002 Service Execution
T1106 Native API
T1574.011 Services Registry Permissions Weakness
T1059.005 Visual Basic
exfiltration (1)
T1041 Exfiltration Over C2 Channel
persistence (2)
T1112 Modify Registry
T1543.003 Windows Service
privilege-escalation (2)
T1548.002 Bypass User Account Control
T1543.003 Windows Service
resource-development (4)
T1585.002 Email Accounts
T1588.004 Digital Certificates
T1583.001 Domains
T1583.004 Server
stealth (6)
T1036.005 Match Legitimate Resource Name or Location
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1574.011 Services Registry Permissions Weakness
T1036 Masquerading
T1027.013 Encrypted/Encoded File

Indicators of compromise

No IOCs linked to this campaign yet.