🇨🇳

IronHusky

APT Group Information theft and espionage 3 zero-day CVEs ETDA ✓

Also Known As

No alias recorded

Target Countries 1

Countries highlighted in red

Mongolia

Sectors Targeted

Defense Financial Government

Details

Origin 🇨🇳 CN

Last Updated 08 Nov 2023

MITRE ATT&CK 36

T1027 - Obfuscated Files or Information T1036 - Masquerading T1040 - Network Sniffing T1049 - System Network Connections Discovery T1053 - Scheduled Task/Job T1055 - Process Injection T1056 - Input Capture T1059 - Command and Scripting Interpreter T1059.001 T1059.004 - Unix Shell T1059.007 - JavaScript T1070 - Indicator Removal on Host T1071.001 T1078 T1082 - System Information Discovery T1090 - Proxy T1102 - Web Service T1104 - Multi-Stage Channels T1106 - Native API T1113 - Screen Capture T1115 - Clipboard Data T1134 - Access Token Manipulation T1140 - Deobfuscate/Decode Files or Information T1189 - Drive-by Compromise T1195 - Supply Chain Compromise T1495 - Firmware Corruption T1496 - Resource Hijacking T1525 - Implant Internal Image T1530 - Data from Cloud Storage Object T1547 - Boot or Logon Autostart Execution T1553 - Subvert Trust Controls T1562 - Impair Defenses T1566 - Phishing T1568 - Dynamic Resolution T1574 - Hijack Execution Flow T1588 - Obtain Capabilities

Related Zero-Days 3

CVE-2020-0986 CVE-2021-28310 CVE-2021-40449

Known Names 2 entries

IronHusky Kaspersky

BBCY-TA1 BlackBerry

Observed Target Countries 2

Based on ETDA data — countries highlighted in red

Mongolia Russia

Description

(Kaspersky) IronHusky is a Chinese-speaking actor that we first detected in summer 2017. It is very focused on tracking the geopolitical agenda of targets in central Asia with a special focus in Mongolia, which seems to be an unusual target. This actor crafts campaigns for upcoming events of interest. In this case, they prepared and launched one right before a meeting with the International Monetary Fund and the Mongolian government at the end of January 2018. At the same time, they stopped their previous operations targeting Russian military contractors, which speaks volumes about the group’s limitations. In this new campaign, they exploited CVE-2017-11882 to spread common RATs typically used by Chinese-speaking groups, such as PlugX and PoisonIvy.

Tools Used 3

MysterySnail RAT Poison Ivy PlugX

Operations 1

2021-08 Operation “MysterySnail” In late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/

Reports & References 2

https://securelist.com/apt-trends-report-q1-2018/85280/ https://securelist.com/mysterysnail-new-version/116226/

ETDA Profile

IronHusky

Origin

China

First Seen 2017

Motivation

Information theft and espionage

View on ETDA APT Groups ↗