Operation Wocao

[Operation Wocao](https://attack.mitre.org/campaigns/C0014) was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.(Citation: FoxIT Wocao December 2019) Security researchers assessed the [Operation Wocao](https://attack.mitre.org/campaigns/C0014) actors used similar TTPs and tools as APT20, suggesting a possible overlap. [Operation Wocao](https://attack.mitre.org/campaigns/C0014) was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.(Citation: FoxIT Wocao December 2019)

Start date: 1 December 2017
End date: 1 December 2019
Techniques: 70

Techniques (70)

Collection (6)
- T1115 Clipboard Data
- T1119 Automated Collection
- T1056.001 Keylogging
- T1074.001 Local Data Staging
- T1005 Data from Local System
- T1560.001 Archive via Utility

Command and Control (9)
- T1090 Proxy
- T1573.002 Asymmetric Cryptography
- T1090.001 Internal Proxy
- T1095 Non-Application Layer Protocol
- T1105 Ingress Tool Transfer
- T1071.001 Web Protocols
- T1571 Non-Standard Port
- T1090.003 Multi-hop Proxy
- T1001 Data Obfuscation

Credential Access (7)
- T1558.003 Kerberoasting
- T1003.001 LSASS Memory
- T1111 Multi-Factor Authentication Interception
- T1555.005 Password Managers
- T1056.001 Keylogging
- T1552.004 Private Keys
- T1003.006 DCSync

Defense Impairment (3)
- T1685.005 Clear Windows Event Logs
- T1112 Modify Registry
- T1686.003 Windows Host Firewall

Discovery (19)
- T1018 Remote System Discovery
- T1135 Network Share Discovery
- T1049 System Network Connections Discovery
- T1046 Network Service Discovery
- T1680 Local Storage Discovery
- T1057 Process Discovery
- T1120 Peripheral Device Discovery
- T1124 System Time Discovery
- T1069.001 Local Groups
- T1082 System Information Discovery
- T1012 Query Registry
- T1033 System Owner/User Discovery
- T1518.001 Security Software Discovery
- T1007 System Service Discovery
- T1518 Software Discovery
- T1083 File and Directory Discovery
- T1016.001 Internet Connection Discovery
- T1087.002 Domain Account
- T1016 System Network Configuration Discovery

Execution (8)
- T1059.003 Windows Command Shell
- T1059.006 Python
- T1569.002 Service Execution
- T1047 Windows Management Instrumentation
- T1106 Native API
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1053.005 Scheduled Task

Exfiltration (1)
- T1041 Exfiltration Over C2 Channel

Initial Access (5)
- T1078 Valid Accounts
- T1133 External Remote Services
- T1078.002 Domain Accounts
- T1190 Exploit Public-Facing Application
- T1078.003 Local Accounts

Lateral Movement (2)
- T1570 Lateral Tool Transfer
- T1021.002 SMB/Windows Admin Shares

Persistence (7)
- T1078 Valid Accounts
- T1133 External Remote Services
- T1112 Modify Registry
- T1505.003 Web Shell
- T1078.002 Domain Accounts
- T1053.005 Scheduled Task
- T1078.003 Local Accounts

Privilege Escalation (5)
- T1078 Valid Accounts
- T1078.002 Domain Accounts
- T1055 Process Injection
- T1053.005 Scheduled Task
- T1078.003 Local Accounts

Reconnaissance (1)
- T1589 Gather Victim Identity Information

Resource Development (4)
- T1587.001 Malware
- T1588.002 Tool
- T1585.002 Email Accounts
- T1583.004 Server

Stealth (8)
- T1036.005 Match Legitimate Resource Name or Location
- T1078 Valid Accounts
- T1070.004 File Deletion
- T1027.010 Command Obfuscation
- T1078.002 Domain Accounts
- T1027.005 Indicator Removal from Tools
- T1055 Process Injection
- T1078.003 Local Accounts

Indicators of compromise

No IOCs linked to this campaign yet.