Type: Nation-State-Sponsor

Status: Inactive

Active Since/Discovered: 2006-2011

Targets: Kazakhstan, Taiwan, Greece, and the U.S.

Target Sectors: Energy (oil, gas and petrochemical companies)

Malware:

• Night Dragon Operation Custom malware,
• zwShell, Cain & Abel, Possibly: Gh0st RAT, webShell, ASPXSpy

Preferred Attack Vector: SQL Injection

• Compromise public-facing web servers via SQL injection; install malware and RATs
• Use the compromised web servers to stage attacks on internal targets
• Launch spear-phishing attacks on mobile worker laptops to compromise VPN-connected accounts and gain additional internal access
• Use password stealing tools to access other systems and install RATs and malware in the process
• Target computers that belong to executives to capture their email and files

TTP:

• DLL is a Hidden or System file attribute and can be found by size (19-23 KB)
• It is usually located in the C:WindowsSystem32 or C:WindowsSysWow64 directory

Unique:

• Attacks appeared to originate from computers on IP (Internet protocol) addresses in Beijing, between 9 a.m. to 5 p.m. local time
• Hours suggest hackers are employees rather than freelance or unprofessional hackers