Axiom
Axiom is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. [1] Though both this group and Winnti Group use the malware Winnti for Windows, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. [2] [3] [4]
Associated Group Descriptions
| Name | Description |
|---|---|
| Group 72 | |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1001 | Data Obfuscation | The Axiom group has used other forms of obfuscation, including commingling legitimate traffic with communications traffic so that network streams appear legitimate. |
| Enterprise | T1001.002 | Data Obfuscation: Steganography | Some malware that has been used by Axiom also uses steganography to hide communication in PNG image files.[1] |
| Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features | Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Axiom has been observed using SQL injection to gain access to systems.[1][5] |
| Enterprise | T1003 | OS Credential Dumping | |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | The Axiom group is known to have used RDP during operations.[1] |
Software
References
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.