
C0049 Leviathan Australian Intrusions

Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.1

Item Value
ID C0049
Associated Names
First Seen April 2022
Last Seen September 2022
Version 1.0
Created 03 February 2025
Last Modified 14 March 2025

Groups

ID Name References
G0065 Leviathan Leviathan Australian Intrusions was conducted by the Leviathan threat actor.1

Techniques Used

Domain ID Name Use
enterprise T1213 Data from Information Repositories -
enterprise T1213.006 Databases Leviathan gathered information from SQL servers and Building Management System (BMS) servers during Leviathan Australian Intrusions.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Leviathan stored captured credential material on local log files on victim systems during Leviathan Australian Intrusions.1
enterprise T1482 Domain Trust Discovery Leviathan performed Active Directory enumeration of victim environments during Leviathan Australian Intrusions.1
enterprise T1041 Exfiltration Over C2 Channel Leviathan exfiltrated collected data over existing command and control channels during Leviathan Australian Intrusions.1
enterprise T1190 Exploit Public-Facing Application Leviathan exploited public-facing web applications and appliances for initial access during Leviathan Australian Intrusions.1
enterprise T1212 Exploitation for Credential Access Leviathan exploited vulnerable network appliances during Leviathan Australian Intrusions, leading to the collection and exfiltration of valid credentials.1
enterprise T1068 Exploitation for Privilege Escalation Leviathan exploited software vulnerabilities in victim environments to escalate privileges during Leviathan Australian Intrusions.1
enterprise T1615 Group Policy Discovery Leviathan performed extensive Active Directory enumeration of victim environments during Leviathan Australian Intrusions.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall Leviathan modified system firewalls to add two open listening ports on 9998 and 9999 during Leviathan Australian Intrusions.1
enterprise T1056 Input Capture Leviathan captured submitted multifactor authentication codes and other technical artifacts related to remote access sessions during Leviathan Australian Intrusions.1
enterprise T1111 Multi-Factor Authentication Interception Leviathan abused compromised appliance access to collect multifactor authentication token values during Leviathan Australian Intrusions.1
enterprise T1135 Network Share Discovery Leviathan scanned and enumerated remote network shares in victim environments during Leviathan Australian Intrusions.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.006 Vulnerabilities Leviathan weaponized publicly-known vulnerabilities for initial access and other purposes during Leviathan Australian Intrusions.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Leviathan used remote shares to move laterally through victim networks during Leviathan Australian Intrusions.1
enterprise T1021.004 SSH Leviathan used SSH brute force techniques to move laterally within victim environments during Leviathan Australian Intrusions.1
enterprise T1018 Remote System Discovery Leviathan performed extensive remote host enumeration to build their own map of victim networks during Leviathan Australian Intrusions.1
enterprise T1594 Search Victim-Owned Websites Leviathan enumerated compromised web application resources to identify additional endpoints and resources linked to the website for follow-on access during Leviathan Australian Intrusions.1
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell Leviathan relied extensively on web shell use following initial access for persistence and command execution purposes in victim environments during Leviathan Australian Intrusions.1
enterprise T1528 Steal Application Access Token Leviathan abused access to compromised appliances to collect JSON Web Tokens (JWTs), used for creating virtual desktop sessions, during Leviathan Australian Intrusions.1
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting Leviathan used Kerberoasting techniques during Leviathan Australian Intrusions.1
enterprise T1082 System Information Discovery Leviathan performed host enumeration and data gathering operations on victim machines during Leviathan Australian Intrusions.1
enterprise T1552 Unsecured Credentials Leviathan gathered credentials hardcoded in binaries located on victim devices during Leviathan Australian Intrusions.1
enterprise T1552.001 Credentials In Files Leviathan gathered credentials stored in files related to Building Management System (BMS) operations during Leviathan Australian Intrusions.1
enterprise T1078 Valid Accounts Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions.1
enterprise T1078.002 Domain Accounts Leviathan compromised domain credentials during Leviathan Australian Intrusions.1
enterprise T1078.003 Local Accounts Leviathan used captured local account information, such as service accounts, for actions during Leviathan Australian Intrusions.1

References