Actor: Axiom, Group 72
Names: Axiom, Group 72
Country: China
Sponsor: State-sponsored
Motivation: Information theft and espionage
First-seen: 2008
Description: (Talos) Group 72 is a long-standing threat actor group involved in Operation SMN, named Axiom by Novetta. The group is sophisticated, well-funded, and possesses an established, defined software development methodology. The group targets high-profile organizations with high-value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors. Geographically, the group almost exclusively targets organizations based in the United States, Japan, Taiwan, and Korea. The preferred tactics of the group include watering-hole attacks, spear-phishing, and other web-based tactics. The tools and infrastructure used by the attackers are common to a number of other threat actor groups, which may indicate some degree of overlap. We have seen similar patterns used in domain registration for malicious domains, and the same tactics used by other threat actor groups, leading us to believe that this group may be part of a larger organization that comprises many separate teams, or that different groups share tactics, code and personnel from time to time. Though both this group and {{Winnti Group, Blackfly, Wicked Panda}} use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups’ TTPs and targeting. Could be related to {{APT 17, Deputy Dog, Elderwood, Sneaky Panda}} and/or {{APT 20, Violin Panda}}.
Observed-sectors: Aerospace
Observed-sectors: Defense
Observed-sectors: Industrial
Observed-sectors: Manufacturing
Observed-sectors: Media
Observed-countries: Japan
Observed-countries: South Korea
Observed-countries: Taiwan
Observed-countries: USA
Tools: 9002 RAT
Tools: BlackCoffee
Tools: DeputyDog
Tools: Derusbi
Tools: Gh0st RAT
Tools: HiKit
Tools: PlugX
Tools: Poison Ivy
Tools: Winnti
Tools: ZoxRPC
Tools: ZXShell
Operations: 2008/2014
Operations: Operation “SMN”: Axiom is responsible for directing highly sophisticated cyberespionage against numerous Fortune 500 companies, journalists, environmental groups, pro-democracy groups, software companies, academic institutions and government agencies worldwide for at least the last six years. In our coordinated effort, we performed the first-ever privately sponsored interdiction against a sophisticated state-sponsored advanced threat group. Our efforts detected and cleaned 43,000 separate installations of Axiom tools, including 180 of their top-tier implants. http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
Information: https://blogs.cisco.com/security/talos/threat-spotlight-group-72
Information: http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
Mitre-attack: https://attack.mitre.org/groups/G0001/
Last-card-change: 2022-12-29
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Observation |
---|---|---|
TA0042 Resource Development | T1583.002 Acquire Infrastructure: DNS Server | Axiom has acquired dynamic DNS services for use in the targeting of intended victims. |
TA0042 Resource Development | T1583.003 Acquire Infrastructure: Virtual Private Server | Axiom has used VPS hosting providers in targeting of intended victims. |
TA0042 Resource Development | T1584.005 Compromise Infrastructure: Botnet | Axiom has used large groups of compromised machines for use as proxy nodes. |
TA0001 Initial Access | T1190 Exploit Public-Facing Application | Axiom has been observed using SQL injection to gain access to systems. |
TA0001 Initial Access | T1078 Valid Accounts | Axiom has used previously compromised administrative accounts to escalate privileges. |
TA0002 Execution | T1203 Exploitation for Client Execution | Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893. |
TA0003 Persistence | T1546.008 Event Triggered Execution: Accessibility Features | Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence. |
TA0003 Persistence | T1078 Valid Accounts | Axiom has used previously compromised administrative accounts to escalate privileges. |
TA0004 Privilege Escalation | T1546.008 Event Triggered Execution: Accessibility Features | Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence. |
TA0004 Privilege Escalation | T1078 Valid Accounts | Axiom has used previously compromised administrative accounts to escalate privileges. |
TA0005 Defense Evasion | T1078 Valid Accounts | Axiom has used previously compromised administrative accounts to escalate privileges. |
TA0008 Lateral Movement | T1563.002 Remote Service Session Hijacking: RDP Hijacking | Axiom has targeted victims with remote administration tools including RDP. |
TA0011 Command and Control | T1001.002 Data Obfuscation: Steganography | Axiom has used steganography to hide its C2 communications. |