We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Mapping To Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. Disclaimer: We present this mapping to stimulate thinking about engagement activities to take advantage of the historically observed behavior of adversary, not to present all possibilities. We invite you to use this as a guide, understanding that adversary behavior is constantly changing and evolving.

Note: All ATT&CK Group sub-activity mappings have been remapped to their parent activity and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0066
Associated Groups:  Elderwood, Elderwood Gang, Beijing Group, Sneaky Panda
Note:  This page uses Adversary Group data from MITRE ATT&CK.

ATT&CK® Technique Adversary Vulnerability Engagement Activity Engagement Activity Description
Obfuscated Files or Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Obfuscated Files or Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Obfuscated Files or Information When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Obfuscated Files or Information When adversaries’ malware is detonated, they are vulnerable to dynamic analysis, which can reveal how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Ingress Tool Transfer When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Network Monitoring Monitor network traffic in order to detect adversary activity.
Ingress Tool Transfer When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion an engagement beyond desired limits.
Ingress Tool Transfer When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Drive-by Compromise When adversaries maintain drive-by sites, they provide a pathway for beginning engagements and may be unable to differentiate real from deceptive victims. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Drive-by Compromise When adversaries maintain drive-by sites and collect information about potential victims, they may reveal information about their targeting preferences by selecting or rejecting an arbitrary victim. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Drive-by Compromise When adversaries maintain drive-by sites, they reveal information about their targeting capabilities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Supply Chain Compromise When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Supply Chain Compromise When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion an engagement beyond desired limits.
Exploitation for Client Execution When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploitation for Client Execution When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Client Execution When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Client Execution When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Application Diversity Present the adversary with a variety of installed applications and services.
User Execution When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
User Execution When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
User Execution When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion an engagement beyond desired limits.
User Execution When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
User Execution When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
User Execution When adversaries’ malware is detonated, they are vulnerable to dynamic analysis, which can reveal how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Phishing When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Phishing When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Phishing When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked. Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Phishing When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.