Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | |
| Enterprise | T1203 | Exploitation for Client Execution | During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322. |
| Enterprise | T1027 | Obfuscated Files or Information | During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR that left bytes equal to the key and zero bytes unchanged, in an attempt to avoid exposing the key; other payloads were Base64-encoded. |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | |
| Enterprise | T1204.001 | User Execution: Malicious Link | |
| Enterprise | T1204.002 | User Execution: Malicious File | |
| Mobile | T1533 | Data from Local System | |
| Mobile | T1646 | Exfiltration Over C2 Channel | |
| Mobile | T1420 | File and Directory Discovery | |
| Mobile | T1636.004 | Protected User Data: SMS Messages | |
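The T1027 entry above describes a single-byte XOR variant that leaves zero bytes and bytes equal to the key untouched. The following analyst-side decoder is an added example, not code from the ATT&CK page or from the published research on Operation Dust Storm; it assumes that reading of "skipping the key itself and zeroing" (pass-through of 0x00 and of the key byte), and the sample blob, the key 0x5A and the function names are constructed for illustration. It shows why the trick matters to an analyst: plain XOR turns every null in a PE file into the key byte, so a byte-frequency histogram gives the key away, while the skip variant keeps nulls as nulls and defeats that heuristic, leaving known-plaintext brute force (an expected `MZ` header) as the practical recovery route.

```python
from collections import Counter
from typing import Optional


def naive_xor(data: bytes, key: int) -> bytes:
    """Plain single-byte XOR: every 0x00 in the input becomes the key byte."""
    return bytes(b ^ key for b in data)


def skip_xor(data: bytes, key: int) -> bytes:
    """Skip-variant XOR (assumed reading of the ATT&CK text): bytes equal to
    0x00 or to the key pass through unchanged, all others are XORed.
    The transform is its own inverse, so encoding and decoding are identical."""
    if not 0 < key <= 0xFF:
        raise ValueError("key must be a non-zero single byte")
    return bytes(b if b in (0, key) else b ^ key for b in data)


def guess_key_by_frequency(encoded: bytes) -> int:
    """Classic heuristic: the most common output byte is the XOR of the key
    with the most common plaintext byte (0x00 for a PE), i.e. the key itself."""
    return Counter(encoded).most_common(1)[0][0]


def recover_key(encoded: bytes, known_prefix: bytes) -> Optional[int]:
    """Known-plaintext brute force over all 255 candidate keys: the only
    approach that still works once the skip variant hides the nulls."""
    head = encoded[: len(known_prefix)]
    for key in range(1, 256):
        if skip_xor(head, key) == known_prefix:
            return key
    return None


def decode_payload(encoded: bytes, known_prefix: bytes = b"MZ") -> bytes:
    """Recover the key from the expected header and decode the whole buffer."""
    key = recover_key(encoded, known_prefix)
    if key is None:
        raise ValueError("no single-byte key reproduces the expected prefix")
    return skip_xor(encoded, key)


def key_byte_count(encoded: bytes, key: int) -> int:
    """How many output bytes equal the key, i.e. how loudly the key leaks."""
    return Counter(encoded)[key]


# Constructed sample (hypothetical, not a real Dust Storm payload): a PE-like
# header with the usual run of null bytes, followed by the DOS stub string.
SAMPLE_KEY = 0x5A  # 'Z', chosen so the plaintext itself contains the key byte
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 32
)
SAMPLE_ENCODED = skip_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    naive = naive_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("naive XOR: key byte appears %d times, frequency guess -> 0x%02x"
          % (key_byte_count(naive, SAMPLE_KEY), guess_key_by_frequency(naive)))
    print("skip XOR:  key byte appears %d times, frequency guess -> 0x%02x"
          % (key_byte_count(SAMPLE_ENCODED, SAMPLE_KEY),
             guess_key_by_frequency(SAMPLE_ENCODED)))
    print("known-plaintext recovery -> 0x%02x" % recover_key(SAMPLE_ENCODED, b"MZ"))
    assert decode_payload(SAMPLE_ENCODED) == SAMPLE_PLAINTEXT
```

In the naive case the key byte occurs once per null in the plaintext (41 times in the sample) and the frequency heuristic returns it directly; in the skip case the key byte occurs only where the plaintext already contained it (the `Z` of `MZ`), the histogram peak is 0x00, and only the `MZ` brute force recovers 0x5A. A detection that flags a high-entropy blob whose decoded header is `MZ` under any of the 255 keys is cheap enough to run on every attachment extracted from spearphishing mail.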