Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!
GROUPS
  1. Home
  2. Groups
  3. Axiom

Axiom

Axiom is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. [1] Though both this group and Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. [2] [3] [4]

ID: G0001
Aliases: Axiom, Group 72
Version: 1.0

Alias Descriptions

NameDescription
Axiom[1]
Group 72[5]

Techniques Used

DomainIDNameUse
EnterpriseT1015Accessibility FeaturesAxiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.[1]
EnterpriseT1003Credential DumpingAxiom has been known to dump credentials.[1]
EnterpriseT1001Data ObfuscationThe Axiom group has used other forms of obfuscation, include commingling legitimate traffic with communications traffic so that network streams appear legitimate. Some malware that has been used by Axiom also uses steganography to hide communication in PNG image files.[1]
EnterpriseT1190Exploit Public-Facing ApplicationAxiom has been observed using SQL injection to gain access to systems.[1][5]
EnterpriseT1076Remote Desktop ProtocolThe Axiom group is known to have used RDP during operations.[1]

Software

IDNameTechniques
S0021DerusbiAudio Capture, Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Fallback Channels, File and Directory Discovery, File Deletion, Input Capture, Process Discovery, Process Injection, Query Registry, Regsvr32, Screen Capture, Standard Non-Application Layer Protocol, System Information Discovery, System Owner/User Discovery, Timestomp, Video Capture
S0009HikitConnection Proxy, Custom Cryptographic Protocol
S0203HydraqAccess Token Manipulation, Custom Cryptographic Protocol, Data from Local System, Execution through Module Load, Exfiltration Over Alternative Protocol, File and Directory Discovery, File Deletion, Indicator Removal on Host, Modify Registry, New Service, Obfuscated Files or Information, Process Discovery, Query Registry, Remote File Copy, Screen Capture, Service Execution, System Information Discovery, System Network Configuration Discovery, System Service Discovery

References

  1. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  2. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  3. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
  1. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  2. Esler, J., Lee, M., and Williams, C.. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.