JUST RELEASED: ATT&CK for Industrial Control Systems

Night Dragon

Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. [1]

ID: G0014
Version: 1.1
Created: 31 May 2017
Last Modified: 25 March 2019

Techniques Used

Domain ID Name Use
PRE-ATT&CK T1307 Acquire and/or use 3rd party infrastructure services

Night Dragon used servers in China, the U.S., and the Netherlands in an attempt to hide their operations.[1]

PRE-ATT&CK T1330 Acquire and/or use 3rd party software services

Night Dragon used third party hosting services in the U.S. in an attempt to hide their operations.[1]

PRE-ATT&CK T1351 Remote access tool development

Night Dragon used privately developed and customized remote access tools.[1]

Enterprise T1043 Commonly Used Port

Night Dragon has used ports 25 and 80 for C2 communications.[1]

Enterprise T1003 Credential Dumping

Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel.[1]

Enterprise T1074 Data Staged

Night Dragon has copied files to company web servers and subsequently downloaded them.[1]

Enterprise T1089 Disabling Security Tools

Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[[1]

Enterprise T1190 Exploit Public-Facing Application

Night Dragon has performed SQL injection attacks of extranet web servers to gain access.[1]

Enterprise T1133 External Remote Services

Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]

Enterprise T1027 Obfuscated Files or Information

A Night Dragon DLL included an XOR-encoded section.[1]

Enterprise T1075 Pass the Hash

Night Dragon used pass-the-hash tools to gain usernames and passwords.[1]

Enterprise T1219 Remote Access Tools

Night Dragon has used several remote administration tools as persistent infiltration channels.[1]

Enterprise T1045 Software Packing

Night Dragon is known to use software packing in its tools.[1]

Enterprise T1192 Spearphishing Link

Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.[1]

Enterprise T1071 Standard Application Layer Protocol

Night Dragon has used HTTP for C2.[1]

Enterprise T1204 User Execution

Night Dragon enticed users to click on links in spearphishing emails to download malware.[1]

Enterprise T1078 Valid Accounts

Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]


ID Name References Techniques
S0073 ASPXSpy [1] Web Shell
S0110 at [1] Scheduled Task
S0008 gsecdump [1] Credential Dumping
S0029 PsExec [1] Service Execution, Windows Admin Shares
S0350 zwShell [1] Command-Line Interface, File and Directory Discovery, File Deletion, Modify Registry, New Service, Remote Desktop Protocol, Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Admin Shares