Open Hunting - Threat Library

Openhunting Threat Library

Operation Poison Needles

(Type: -)

(Qihoo 360) On the evening of November 29, 2018, shortly after the break-out of the Kerch Strait Incident, 360 Advanced Threat Response Team was the first security team to discover the APT attack against the FSBI “Polyclinic No.2” affiliated to the Presidential Administration of Russia. The lure document used to initiate the attack was a carefully forged employee questionnaire, which exploited the latest Flash 0day vulnerability CVE-2018-15982 and a customized Trojan with self-destruction function. All the technical details indicate that the APT group is determined to compromise the target at any price, but at the same time, it is also very cautious.

[News Analysis] Trends:

Total Trend: 1

Trend Per Year

2018

Trend Per Month

Dec 2018

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

1/36

persistence

1/113

privilege escalation

1/96

defense evasion

0/184

credential access

0/63

discovery

0/44

lateral movement

0/22

collection

0/37

command and control

0/39

exfiltration

0/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1053.002 Scheduled Task/job : At	T1053.002 Scheduled Task/job : At	T1053.002 Scheduled Task/job : At

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

Operation Poison Needles - APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day

2018-12-05 by 360 from 360

Basic Information (Credit @etda.or.th)

Actor: Operation Poison Needles

Names: Operation Poison Needles

Country: Ukraine

Motivation: Information theft and espionage

First-seen: 2018

Description: (Qihoo 360) On the evening of November 29, 2018, shortly after the break-out of the Kerch Strait Incident, 360 Advanced Threat Response Team was the first security team to discover the APT attack against the FSBI “Polyclinic No.2” affiliated to the Presidential Administration of Russia. The lure document used to initiate the attack was a carefully forged employee questionnaire, which exploited the latest Flash 0day vulnerability CVE-2018-15982 and a customized Trojan with self-destruction function. All the technical details indicate that the APT group is determined to compromise the target at any price, but at the same time, it is also very cautious.

Observed-sectors: Healthcare

Observed-countries: Russia

Tools: 0-day Flash exploit

Information: http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN

Last-card-change: 2020-04-14

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1053.002 SCHEDULED TASK/JOB : AT at can be used to schedule a task on a system to be executed at a specific date or time.	T1053.002 SCHEDULED TASK/JOB : AT at can be used to schedule a task on a system to be executed at a specific date or time.	T1053.002 SCHEDULED TASK/JOB : AT at can be used to schedule a task on a system to be executed at a specific date or time.