
C0002 Night Dragon

Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China. [1]

ID: C0002
Associated Names: (none)
First Seen: November 2009
Last Seen: February 2011
Version: 1.0
Created: 08 September 2022
Last Modified: 22 September 2022

Techniques Used

All entries are Enterprise ATT&CK techniques; sub-techniques are indented under their parent technique. Parent techniques without a Use entry on the original page are listed as headings only.

T1583 Acquire Infrastructure
  T1583.004 Server: During Night Dragon, threat actors purchased hosted services to use for C2. [1]
T1071 Application Layer Protocol
  T1071.001 Web Protocols: During Night Dragon, threat actors used HTTP for C2. [1]
T1110 Brute Force
  T1110.002 Password Cracking: During Night Dragon, threat actors used Cain & Abel to crack password hashes. [1]
T1059 Command and Scripting Interpreter
  T1059.003 Windows Command Shell: During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells. [1]
T1584 Compromise Infrastructure
  T1584.004 Server: During Night Dragon, threat actors compromised web servers to use for C2. [1]
T1005 Data from Local System: During Night Dragon, the threat actors collected files and other data from compromised systems. [1]
T1074 Data Staged
  T1074.002 Remote Data Staging: During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them. [1]
T1568 Dynamic Resolution: During Night Dragon, threat actors used dynamic DNS services for C2. [1]
T1114 Email Collection
  T1114.001 Local Email Collection: During Night Dragon, threat actors used RAT malware to exfiltrate email archives. [1]
T1190 Exploit Public-Facing Application: During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access. [1]
T1133 External Remote Services: During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems. [1]
T1008 Fallback Channels: During Night Dragon, threat actors used company extranet servers as secondary C2 servers. [1]
T1083 File and Directory Discovery: During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system. [1]
T1562 Impair Defenses
  T1562.001 Disable or Modify Tools: During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim's machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet. [1]
T1105 Ingress Tool Transfer: During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems. [1]
T1112 Modify Registry: During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry. [1]
T1027 Obfuscated Files or Information: During Night Dragon, threat actors used a DLL that included an XOR-encoded section. [1]
  T1027.002 Software Packing: During Night Dragon, threat actors used software packing in their tools. [1]
T1588 Obtain Capabilities
  T1588.001 Malware: During Night Dragon, threat actors used Trojans from underground hacker websites. [1]
  T1588.002 Tool: During Night Dragon, threat actors obtained and used tools such as gsecdump. [1]
T1003 OS Credential Dumping
  T1003.002 Security Account Manager: During Night Dragon, threat actors dumped account hashes using gsecdump. [1]
T1566 Phishing
  T1566.002 Spearphishing Link: During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded. [1]
T1219 Remote Access Software: During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels. [1]
T1608 Stage Capabilities
  T1608.001 Upload Malware: During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers. [1]
T1033 System Owner/User Discovery: During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords. [1]
T1550 Use Alternate Authentication Material
  T1550.002 Pass the Hash: During Night Dragon, threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers. [1]
T1204 User Execution
  T1204.001 Malicious Link: During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware. [1]
T1078 Valid Accounts: During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems. [1]
  T1078.002 Domain Accounts: During Night Dragon, threat actors used domain accounts to gain further access to victim systems. [1]
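The T1190 entry above records SQL injection against extranet web servers as the campaign's initial-access path. The following is an added example, not code from the MITRE page or from the Night Dragon report: it shows the vulnerable pattern beside its fix using Python's sqlite3 module, with a login query built by string concatenation, the two payloads that bypass it and dump the user table, and the same query with bound parameters. The table schema, the accounts and the payload strings are constructed for illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed extranet user table; the values are placeholders, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", "admin"), ("jsmith", "Winter2010", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The vulnerable pattern: user input spliced into the statement text.

    A quote character in `username` terminates the string literal, so whatever
    follows it is parsed as SQL rather than compared as data.
    """
    sql = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: bound parameters, so the input is only ever treated as a value."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Two payloads an attacker would try against the vulnerable form (constructed).
BYPASS = "admin' -- "   # closes the quote, then comments out the password check
DUMP = "x' UNION SELECT username, password FROM users -- "  # reads every row


if __name__ == "__main__":
    db = build_db()
    print("bypass  ->", login_vulnerable(db, BYPASS, "wrong"))     # [('admin', 'admin')]
    print("dump    ->", login_vulnerable(db, DUMP, ""))            # both users' passwords
    print("patched ->", login_parameterized(db, BYPASS, "wrong"))  # []
```

The parameterized version returns nothing for either payload because the driver sends the statement and the values separately; the quote and the `--` never reach the SQL parser as syntax. The same fix applies to whatever database the extranet application actually used; the sqlite3 module is only the stand-in here.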
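Several rows above describe one outbound picture: HTTP for C2 (T1071.001), dynamic DNS names for the C2 hosts (T1568), and proxy settings disabled so victims talk to the Internet directly (T1562.001). The following hunt script is an added example, not code from the MITRE page or the original report; it runs those three checks over constructed firewall connection records. The record format, the proxy address 10.0.0.5, the 10.0.0.0/8 internal range, the dynamic-DNS suffix list and the sample records are all assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions for the constructed environment (not from the Night Dragon report).
PROXY_IP = ipaddress.ip_address("10.0.0.5")        # the only sanctioned web egress
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Dynamic-DNS suffixes to watch; a real hunt would load these from intel feeds.
DDNS_SUFFIXES = ("dyndns.org", "no-ip.org", "3322.org", "8800.org")
WEB_PORTS = {80, 443}

# Constructed firewall connection records: ts src dst dport host
SAMPLE_LOG = """\
2011-01-10T08:01:02 src=10.1.4.22 dst=10.0.0.5 dport=8080 host=intranet.example.com
2011-01-10T08:05:10 src=10.1.4.22 dst=203.0.113.9 dport=80 host=c2.example.3322.org
2011-01-10T08:10:10 src=10.1.4.22 dst=203.0.113.9 dport=80 host=c2.example.3322.org
2011-01-10T08:15:10 src=10.1.4.22 dst=203.0.113.9 dport=80 host=c2.example.3322.org
2011-01-10T08:07:44 src=10.1.7.3 dst=10.0.0.5 dport=8080 host=www.example.com
2011-01-10T09:00:00 src=10.1.9.8 dst=198.51.100.4 dport=443 host=mail.example.net
"""


def parse(log_text):
    """Parse the key=value records into dicts with typed addresses and ports."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = ts
        ev["src"] = ipaddress.ip_address(ev["src"])
        ev["dst"] = ipaddress.ip_address(ev["dst"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_ddns(host):
    """True when the name is, or sits under, one of the watched DDNS suffixes."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES)


def hunt(log_text, beacon_threshold=3):
    """Return three finding sets, each keyed to the technique it points at."""
    findings = {"ddns_c2": set(), "proxy_bypass": set(), "beacons": set()}
    pair_counts = Counter()
    for ev in parse(log_text):
        src, dst, host = str(ev["src"]), ev["dst"], ev["host"]
        # T1568 / T1071.001: web traffic to a dynamic-DNS name.
        if is_ddns(host):
            findings["ddns_c2"].add((src, host))
        # T1562.001 (proxy settings disabled): an internal host reaching the
        # Internet on a web port without passing through the proxy.
        if (ev["src"] in INTERNAL_NET and dst not in INTERNAL_NET
                and dst != PROXY_IP and ev["dport"] in WEB_PORTS):
            findings["proxy_bypass"].add(src)
        pair_counts[(src, host)] += 1
    # Repeated contacts with the same name from one host: candidate beaconing.
    findings["beacons"] = {p for p, n in pair_counts.items() if n >= beacon_threshold}
    return findings


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_LOG).items():
        print(f"{name}: {sorted(hits)}")
```

The proxy-bypass check also flags sanctioned exceptions (the 198.51.100.4 hit in the sample), so feed it an allowlist before turning it into an alert. The beacon check only counts contacts; a production version would also test the spacing between timestamps, since the five-minute cadence in the sample is the more telling signal.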

Software

S0073 ASPXSpy: During Night Dragon, threat actors deployed ASPXSpy on compromised web servers. [1]
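ASPXSpy is a web shell, and the technique rows T1584.004, T1608.001 and T1074.002 describe what the compromised web servers were used for: a C2 point and a staging area whose contents were later pulled back over HTTP. The following is an added example, not code from the MITRE page or the report; it hunts for that pattern in constructed combined-format access log lines by flagging POSTs to .aspx pages that are not part of the known application, large archive downloads from the web root, and the client addresses that did both. The application inventory, the size threshold and the log lines are assumptions.

```python
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumed inventory of .aspx pages that legitimately accept POSTs on this server.
KNOWN_ASPX = {"/login.aspx", "/default.aspx", "/portal/report.aspx"}
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".cab")
LARGE_BYTES = 5_000_000   # assumed threshold for "this is a bulk export"

# Constructed combined-format access log lines.
SAMPLE_ACCESS_LOG = """\
203.0.113.77 - - [12/Jan/2011:02:14:03 +0000] "GET /login.aspx HTTP/1.1" 200 4821
203.0.113.77 - - [12/Jan/2011:02:15:40 +0000] "POST /images/up.aspx HTTP/1.1" 200 1203
203.0.113.77 - - [12/Jan/2011:02:16:02 +0000] "POST /images/up.aspx HTTP/1.1" 200 2290
203.0.113.77 - - [12/Jan/2011:02:41:19 +0000] "GET /images/r1.rar HTTP/1.1" 200 83456210
198.51.100.23 - - [12/Jan/2011:09:02:11 +0000] "GET /portal/report.aspx HTTP/1.1" 200 20011
198.51.100.23 - - [12/Jan/2011:09:02:30 +0000] "POST /login.aspx HTTP/1.1" 302 0
"""


def parse(log_text):
    """Yield one dict per well-formed line, with the path normalised for matching."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line; a real hunt would count and report these
        ev = m.groupdict()
        ev["path"] = ev["path"].split("?", 1)[0].lower()   # drop any query string
        ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
        yield ev


def hunt(log_text):
    """Return web-shell POST suspects, staged-archive downloads, and their overlap."""
    findings = {"webshell_posts": set(), "staged_downloads": set(), "both": set()}
    for ev in parse(log_text):
        # T1608.001 / ASPXSpy: a POST to an .aspx page that is not part of the app.
        if (ev["method"] == "POST" and ev["path"].endswith(".aspx")
                and ev["path"] not in KNOWN_ASPX):
            findings["webshell_posts"].add((ev["ip"], ev["path"]))
        # T1074.002: a large archive served successfully out of the web root.
        if (ev["method"] == "GET" and ev["path"].endswith(ARCHIVE_EXT)
                and ev["status"] == "200" and ev["bytes"] >= LARGE_BYTES):
            findings["staged_downloads"].add((ev["ip"], ev["path"], ev["bytes"]))
    shell_ips = {ip for ip, _ in findings["webshell_posts"]}
    stage_ips = {ip for ip, _, _ in findings["staged_downloads"]}
    findings["both"] = shell_ips & stage_ips
    return findings


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_ACCESS_LOG).items():
        print(f"{name}: {sorted(hits)}")
```

The path-inventory check is the part that needs real tuning: build KNOWN_ASPX from the deployed application's file list rather than by hand, and pair it with a file-integrity check on the web root, since a shell dropped into an image directory is exactly what this sample shows.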

References