Sykipot

“The National Defense University discovered Chinese malware in its computer systems.” / “used malware, known as ‘Sykipot’, to target entities in the U.S. defense industrial base…” / “campaign… used their access to spread malware to foreign government websites.”

“P.L.A. Unit 61398 attacked Digital Bond, a SCADA security company with a spear phishing attack.” / “Chinese hackers engaged in a phishing campaign aimed at compromising hundreds of Gmail passwords…” / “Alleged Chinese hackers posed as C-Suite executives in a spear phishing campaign to access the network of Alcoa.”

“P.L.A. Unit 61398 attacked Digital Bond, a SCADA security company with a spear phishing attack.” / “Alleged Chinese hackers posed as C-Suite executives in a spear phishing campaign to access the network of Alcoa.”

"The National Defense University discovered Chinese malware in its computer systems." / "Chinese hackers used malware, known as ‘Sykipot’"

"January 2007: The National Defense University discovered Chinese malware in its computer systems."; "September 2013... used malware, known as ‘Sykipot’"

"The National Defense University discovered Chinese malware in its computer systems." and repeated references to intrusions involving malware (e.g., Luckycat; Sykipot; malware spread to foreign government websites).

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

"The National Defense University discovered Chinese malware in its computer systems." and repeated references to intrusions involving malware (e.g., Luckycat; Sykipot; malware spread to foreign government websites).

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

Throughout the timeline: repeated “stole trade secret information” across aerospace, automotive, chemicals, semiconductors, pharma, agriculture, etc.

"actors used the following command ... to obtain information about services: net start"; "APT1 used the commands net start and tasklist to get a listing of the services on the system"; "OilRig has used sc query on a victim to gather information about services"; "Indrik Spider has used the win32_service WMI class to retrieve a list of services"

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Brute Ratel C4 can use LDAP queries, net group "Domain Admins" /domain and net user /domain for discovery. OilRig has run net group "domain admins" /domain and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim. Wizard Spider has identified domain admins through the use of net group "Domain admins" /DOMAIN.

Multiple actors and tools are described enumerating domain users/admins via Windows net commands (e.g., net user /domain, net group "Domain Admins" /domain), LDAP/AD queries (e.g., Get-ADUser, Get-ADGroupMember), and AD enumeration utilities (e.g., AdFind, BloodHound, AD Explorer).

AdFind can enumerate domain users. APT41 used built-in net commands to enumerate domain administrator users. BloodHound can collect information about domain users, including identification of domain admin accounts.

Repeated throughout: “stole trade secret information…”, “stole sensitive military information…”, “stole personal information…”

“Chinese hackers… stole trade secret information…” (multiple incidents across aerospace, energy, pharma, and government)

“Chinese hackers used malware, known as ‘Sykipot’…” / “discovered Chinese malware in its computer systems.” / “used their access to spread malware to foreign government websites.”

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").

“Chinese hackers exfiltrated national security information…”, “exfiltrated information about the Space Shuttle Discovery program…”, “stole trade secret information…”, “614 gigabytes of material… were taken…”

Multiple entries describe “exfiltrated” or “stole” data (e.g., “exfiltrated information…”, “downloading 10 to 20 terabytes of data”, “stole 614 gigabytes of material…”).

Numerous entries: "stole trade secret information" across aerospace, automotive, chemicals, semiconductors, pharma, agriculture, etc.