
T1594 Search Victim-Owned Websites

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.[2]

Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Trusted Relationship or Phishing).

In addition to manually browsing the website, adversaries may attempt to identify hidden directories or files that could contain additional sensitive information or vulnerable functionality. They may do this through automated activities such as Wordlist Scanning, as well as by leveraging files such as sitemap.xml and robots.txt.[1][3]
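As an added example (not part of the ATT&CK page or any referenced report), a detection check for the automated wordlist-scanning behaviour described above: it parses web-server access-log lines in the common combined format, flags any client that produces a burst of 404 responses inside a short window, and records whether that client also fetched robots.txt or sitemap.xml first. The log lines, client addresses and paths are constructed sample data, and the window and threshold are assumed starting values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /sitemap.xml HTTP/1.1" 200 4021 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "GET /staging/ HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:05 +0000] "GET /dev/ HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2025:10:00:06 +0000] "GET /about-us HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:10:00:12 +0000] "GET /missing-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
CRAWL_HINTS = {"/robots.txt", "/sitemap.xml"}  # files the technique text calls out

def parse_line(line):
    """Return (ip, timestamp, path, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_enumeration(log_text, window_seconds=60, not_found_threshold=5):
    """Map client IP -> finding for clients with >= threshold 404s in any window."""
    not_found = defaultdict(list)   # ip -> timestamps of 404 responses
    hints = defaultdict(set)        # ip -> crawl-hint files it requested
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip lines the regex cannot parse
        ip, ts, path, status = parsed
        if path in CRAWL_HINTS:
            hints[ip].add(path)
        if status == 404:
            not_found[ip].append(ts)
    findings = {}
    for ip, stamps in not_found.items():
        stamps.sort()
        start = 0                   # sliding window over sorted 404 timestamps
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= not_found_threshold:
                findings[ip] = {"not_found": len(stamps), "crawl_hints": sorted(hints[ip])}
                break
    return findings
```

A client that reads robots.txt or sitemap.xml and then immediately generates a 404 burst is the pattern worth triaging; a single 404 from an ordinary browser session is not.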

Item Value
ID T1594
Sub-techniques
Tactics TA0043
Platforms PRE
Version 1.1
Created 02 October 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
C0040 APT41 DUST APT41 DUST involved access of external victim websites for target development.[14]
C0029 Cutting Edge During Cutting Edge, threat actors performed reconnaissance of victims' internal websites via proxied connections.[12]
G1011 EXOTIC LILY EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.[9]
G0094 Kimsuky Kimsuky has searched for information on the target company's website.[7]
C0049 Leviathan Australian Intrusions Leviathan enumerated compromised web application resources to identify additional endpoints and resources linked to the website for follow-on access during Leviathan Australian Intrusions.[13]
G0034 Sandworm Team Sandworm Team has conducted research against potential victim websites as part of its operational planning.[10]
G0122 Silent Librarian Silent Librarian has searched victims' websites to identify the interests and academic areas of targeted individuals and to scrape source code, branding, and organizational contact information for phishing pages.[4][5][6]
G1038 TA578 TA578 has filled out contact forms on victims' websites to direct them to adversary-controlled URLs.[11]
G1017 Volt Typhoon Volt Typhoon has conducted pre-compromise reconnaissance on victim-owned sites.[8]

Mitigations

ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

References

  1. Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps to Enumerate Users and Discover Sensitive Information. Retrieved July 18, 2024.
  2. Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020.
  3. Darren Pauli. (2015, May 19). Robots.txt tells hackers the places you don't want them to look. Retrieved July 18, 2024.
  4. DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021.
  5. Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021.
  6. Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
  7. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  8. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  9. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  10. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
  11. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
  12. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  13. CISA et al. (2024, July 8). People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  14. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.