ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Dust Storm

Names: Dust Storm (Cylance)
Country: China
Sponsor: Seems state-sponsored
Motivation: Information theft and espionage
First seen: 2010
Description: (Cylance) Very little public information was available throughout 2010 on this threat, despite the group’s primary backdoor gaining some level of prominence in targeted Asian attacks. This may be explained by the group’s early reliance on Dynamic DNS domains for their command and control (C2) infrastructure, as well as their use of public RATs like Poison Ivy and Gh0st RAT for second-stage implants.

It wasn’t until June 2011 that Operation Dust Storm started to garner some notoriety from a series of attacks which leveraged an unpatched Internet Explorer 8 vulnerability, CVE-2011-1255, to gain a foothold into victim networks. In these attacks, a link to the exploit was sent via a spear phishing email from a purported Chinese student seeking advice or asking the target a question following a presentation.

As to other documented cases, the attacker started interacting with the infected machine within minutes of compromise to begin manual network and host enumeration.

In October 2011, the group attempted to take advantage of the ongoing Libyan crisis at the time and phish the news cycle regarding Muammar Gaddafi’s death on October 20, 2011. It appears that in addition to some US defense targets, this campaign was also directed at a Uyghur mailing list. This time, the group used a specially crafted malicious Windows Help (.hlp) file, which exploited CVE-2010-1885.
Observed sectors: Energy, Oil and gas, and Uyghurs.
Observed countries: Japan, South Korea, USA, Europe, and Southeast Asia.
Tools used: Gh0st RAT, Misdat, MiS-Type, Poison Ivy, S-Type.
Information: <https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf>
<https://www.symantec.com/connect/blogs/inside-back-door-attack>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0031/>

Last change to this card: 22 April 2020