Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]

ID: G0054
Contributors: Alan Neville, @abnev
Version: 1.0
Created: 16 January 2018
Last Modified: 25 March 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Sowbug has used the command line during its intrusions.[1]

Enterprise T1003 Credential Dumping

Sowbug has used credential dumping tools.[1]

Enterprise T1002 Data Compressed

Sowbug extracted documents and bundled them into a RAR archive.[1]

Enterprise T1039 Data from Network Shared Drive

Sowbug extracted Word documents from a file server on a victim network.[1]

Enterprise T1083 File and Directory Discovery

Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.[1]

Enterprise T1056 Input Capture

Sowbug has used keylogging tools.[1]

Enterprise T1036 Masquerading

Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.[1]

Enterprise T1135 Network Share Discovery

Sowbug listed remote shared drives that were accessible from a victim.[1]

Enterprise T1082 System Information Discovery

Sowbug obtained OS version and hardware configuration from a victim.[1]
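Detection logic for the masquerading and staging pattern listed above (a tool named adobecms.exe placed under CSIDL_APPDATA\microsoft\security), as an added example that is not part of the ATT&CK page or the cited report. It runs over constructed process-creation events, assumes CSIDL_APPDATA resolves to the per-user AppData\Roaming folder, and adds one broader heuristic (an Adobe-looking binary name outside a trusted install path) that goes beyond the single filename the page records.

```python
"""Flag process-creation events that match the Sowbug masquerading pattern:
a binary named adobecms.exe, or any executable launched from
<AppData\\Roaming>\\microsoft\\security (CSIDL_APPDATA\\microsoft\\security)."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\alice\AppData\Roaming\microsoft\security\adobecms.exe"},
    {"pid": 4188, "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"},
    {"pid": 4201, "image": r"C:\Users\bob\AppData\Roaming\Microsoft\Security\updater.exe"},
    {"pid": 4250, "image": r"C:\Windows\System32\svchost.exe"},
]

# Filename Sowbug used to pose as Adobe software (from the ATT&CK entry above).
SUSPECT_NAMES = {"adobecms.exe"}
# Staging directory from the entry; CSIDL_APPDATA is assumed to be AppData\Roaming.
SUSPECT_DIR_RE = re.compile(r"\\appdata\\roaming\\microsoft\\security\\", re.IGNORECASE)
# Locations where genuine Adobe and Windows binaries are expected to live (assumed list).
TRUSTED_PREFIXES = ("c:\\program files\\adobe", "c:\\program files (x86)\\adobe", "c:\\windows\\")


def classify(image: str) -> list[str]:
    """Return the reasons an image path looks like Sowbug-style masquerading (empty = clean)."""
    reasons = []
    path = PureWindowsPath(image)
    name = path.name.lower()
    if name in SUSPECT_NAMES:
        reasons.append("known masquerading filename")
    if SUSPECT_DIR_RE.search(image):
        reasons.append("executable staged in AppData\\microsoft\\security")
    # Broader heuristic: an "Adobe"-looking name running from outside a trusted install path.
    if "adobe" in name and not image.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("Adobe-like name outside a trusted install path")
    return reasons


def find_suspicious(events) -> list[tuple[int, list[str]]]:
    """Run classify() over process-creation events; return (pid, reasons) for each hit."""
    hits = []
    for event in events:
        reasons = classify(event["image"])
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, why in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {'; '.join(why)}")
```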


Software

ID Name References Techniques
S0171 Felismus [1] Command-Line Interface, Custom Cryptographic Protocol, Masquerading, Remote File Copy, Security Software Discovery, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0188 Starloader [1] Deobfuscate/Decode Files or Information, Masquerading