JUST RELEASED: ATT&CK for Industrial Control Systems
GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
No groups
K-L
M-N
O-P
Q-R
S-T
U-V
No groups
W-X
Y-Z
No groups
  1. Home
  2. Groups
  3. Axiom

Axiom

Axiom is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. [1] Though both this group and Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. [2] [3] [4]

ID: G0001
Associated Groups: Group 72
Version: 1.1
Created: 31 May 2017
Last Modified: 24 September 2019

Associated Group Descriptions

Name Description
Group 72 [5]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1015 Accessibility Features

Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.[1]
Enterprise T1003 Credential Dumping

Axiom has been known to dump credentials.[1]
Enterprise T1001 Data Obfuscation

The Axiom group has used other forms of obfuscation, include commingling legitimate traffic with communications traffic so that network streams appear legitimate. Some malware that has been used by Axiom also uses steganography to hide communication in PNG image files.[1]
Enterprise T1190 Exploit Public-Facing Application

Axiom has been observed using SQL injection to gain access to systems.[1][5]
Enterprise T1076 Remote Desktop Protocol

The Axiom group is known to have used RDP during operations.[1]

Software

ID Name References Techniques
S0021 Derusbi [1] Audio Capture, Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Fallback Channels, File and Directory Discovery, File Deletion, Input Capture, Process Discovery, Process Injection, Query Registry, Regsvr32, Screen Capture, Standard Non-Application Layer Protocol, System Information Discovery, System Owner/User Discovery, Timestomp, Video Capture
S0009 Hikit [1] Connection Proxy, Custom Cryptographic Protocol
S0203 Hydraq [1] Access Token Manipulation, Custom Cryptographic Protocol, Data from Local System, Execution through Module Load, Exfiltration Over Alternative Protocol, File and Directory Discovery, File Deletion, Indicator Removal on Host, Modify Registry, New Service, Obfuscated Files or Information, Process Discovery, Query Registry, Remote File Copy, Screen Capture, Service Execution, System Information Discovery, System Network Configuration Discovery, System Service Discovery
S0412 ZxShell [6] Access Token Manipulation, Command-Line Interface, Commonly Used Port, Connection Proxy, Create Account, Disabling Security Tools, Endpoint Denial of Service, File and Directory Discovery, File Deletion, Hooking, Indicator Removal on Host, Input Capture, Network Service Scanning, New Service, Process Discovery, Process Injection, Query Registry, Remote Desktop Protocol, Remote File Copy, Remote Services, Rundll32, Screen Capture, Standard Application Layer Protocol, System Information Discovery, System Owner/User Discovery, System Service Discovery, Uncommonly Used Port, Video Capture

References

  1. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  2. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  3. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
  1. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  2. Esler, J., Lee, M., and Williams, C.. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
  3. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.