Skip to content

T1593 Search Open Websites/Domains

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.213

Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: External Remote Services or Phishing).

Item Value
ID T1593
Sub-techniques T1593.001, T1593.002, T1593.003
Tactics TA0043
Platforms PRE
Version 1.1
Created 02 October 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
G1052 Contagious Interview Contagious Interview has utilized open-source indicator of compromise repositories to determine their exposure to include VirusTotal, and MalTrail.7
G0094 Kimsuky Kimsuky has used LLMs to identify think tanks, government organizations, etc. that have information.8
G0129 Mustang Panda Mustang Panda has used open-source research to identify information about victims to use in targeting to include creating weaponized phishing lures and attachments.45
G0034 Sandworm Team Sandworm Team researched Ukraine’s unique legal entity identifier (called an “EDRPOU” number), including running queries on the EDRPOU website, in preparation for the NotPetya attack. Sandworm Team has also researched third-party websites to help it craft credible spearphishing emails.9
G1033 Star Blizzard
Star Blizzard has used open-source research to identify information about victims to use in targeting.1110
G1017 Volt Typhoon Volt Typhoon has conducted pre-compromise web searches for victim information.6

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance Application developers uploading to public code repositories should be careful to avoid publishing sensitive information such as credentials and API keys.
M1047 Audit Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.

References

  1. Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved September 12, 2024. 

  2. Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020. 

  3. Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020. 

  4. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025. 

  5. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025. 

  6. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. 

  7. Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. Retrieved October 20, 2025. 

  8. Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024. 

  9. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  10. CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024. 

  11. Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM’s ongoing phishing operations. Retrieved June 13, 2024.