Compromise 3rd party infrastructure to support delivery

Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. [1] [2]

ID: T1312
Sub-techniques:  No sub-techniques
Tactic: Adversary Opsec
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018

Similar Techniques by Tactic

Tactic Technique
Establish & Maintain Infrastructure Compromise 3rd party infrastructure to support delivery

Procedure Examples

Name Description

APT1 compromised a vast set of 3rd party victim hop points as part of their network infrastructure. For example, APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be "hijacked" since they were originally registered for a legitimate reason but were used by APT1 for malicious purposes.[3]


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Commonly used technique currently (e.g., [ WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).


  1. Pierluigi Paganini. (2014, February 15). FireEye discovered a new watering hole attack based on 0-day exploit. Retrieved March 1, 2017.
  2. Darien Kindlund, Xiaobo Chen, Mike Scott, Ned Moran, Dan Caselden. (2014, February 13). Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website. Retrieved March 28, 2017.