Cyber Risk in the National Government Sector
Understand more about cyber risk in this sector.
Threat Reports
Publicly available threat reporting on cyber attacks against National Government.
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Cloaked and Covert: Uncovering UNC3886 Espionage Operations
This article by researchers from Google's Mandiant outlines intrusion activity by UNC3886, a suspected China-nexus cyber espionage group. The ...
APT45: North Korea’s Digital Military Machine
This report from threat intelligence analysts at Google's Mandiant marks the graduation of this cyber actor to a fully designated APT - APT45. The ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
ANALYSIS OF THE APT31 INDICTMENT
Blog post providing analysis of a March 2024 US Department of Justice indictment of 7 hackers associated with APT31. The post details attribution ...
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
This blog post from Cisco Talos discusses ArcaneDoor, an espionage-focused campaign targeting perimeter network devices, which are crucial for ...
Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
This blog post by researchers at Microsoft Threat Intelligence outlines activity they observed by Forest Blizzard using a tool they named ...
Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
This blog post from researchers at Trend Micro discusses the cyberespionage group Earth Hundun and its malware, Waterbear and Deuterbear, which ...
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
This presentation from TeamT5 describes the intrusion set they refer to as TeleBoyi; it was presented at JPCERT's JSAC2024 conference on January ...
FamousSparrow: A suspicious hotel guest
This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...
The Operations of Winnti group
This report from researchers at NTT describes activity which they attribute to the Winnti Group (which they refer to as ENT-1) and identifies overlaps ...
Review of the Summer 2023 Microsoft Exchange Online Intrusion
This report by the US Cyber Safety Review Board presents the findings of an investigation into the compromise of Microsoft Exchange Online mailboxes ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and ConnectWise ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns
This Security Intelligence blog post by researchers at IBM's X-Force describes activity by ITG05 - a group which shows overlap with APT28/Forest ...
People's Republic of China-Linked Cyber Actors Hide in Router Firmware
This Cybersecurity Advisory from CISA and partners details activities of the People's Republic of China (PRC)-linked cyber actors known as ...
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
I-Soon leak: KELA’s insights
This blog post outlines KELA's analysis of the 2024 I-Soon data leak. According to the article, I-Soon had relationships with Chinese governmental ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
APT37 (REAPER) - The Overlooked North Korean Actor
This special report by FireEye discusses an investigation into APT37, a suspected North Korean cyber espionage group. According to the report, ...
SVR cyber actors adapt tactics for initial cloud access
This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
Blog post from researchers at Trend Micro discussing Earth Lusca and potential links to Chinese contractor I-Soon. Earth Lusca is a China-linked ...
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the RedHotel intrusion set. RedHotel is identified as a prominent Chinese ...
Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign
The Insikt Group has observed TAG-70 using cross-site scripting (XSS) vulnerabilities to target Roundcube webmail servers in Europe. The ...
Winter Vivern: Uncovering a Wave of Global Espionage
SentinelLabs conducted an investigation into the Winter Vivern Advanced Persistent Threat (APT) group, in part leveraging observations made by The ...
Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
Proofpoint researchers describe espionage activity targeting US elected officials and staffers which they attribute to TA473 (also known as Winter ...
Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages
This report by DomainTools researchers identifies a cyber threat group they call "Winter Vivern". The report describes malicious Excel macros used ...
Winter Vivern – all Summer
This report by researchers from Lab52 details an infection campaign which they attribute to Winter Vivern. The report provides technical analysis ...
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
Project CAMERASHY
This report by ThreatConnect and Defense Group Inc outlines activities by the Naikon APT (advanced persistent threat) group and attributes them to ...
Ministry of Defence of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT
This report by the Dutch AIVD and MIVD is a cybersecurity advisory covering activity which they attribute to Chinese threat actors. The report ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use against National Government.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1027.003 | Steganography | Defense Evasion |
T1190 | Exploit Public-Facing Application | Initial Access |
T1047 | Windows Management Instrumentation | Execution |
T1105 | Ingress Tool Transfer | Command and Control |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1021.006 | Windows Remote Management | Lateral Movement |
T1539 | Steal Web Session Cookie | Credential Access |
T1010 | Application Window Discovery | Discovery |
T1212 | Exploitation for Credential Access | Credential Access |
T1112 | Modify Registry | Defense Evasion |
T1587.003 | Digital Certificates | Resource Development |
T1587.001 | Malware | Resource Development |
T1046 | Network Service Discovery | Discovery |
T1203 | Exploitation for Client Execution | Execution |
T1070.004 | File Deletion | Defense Evasion |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1187 | Forced Authentication | Credential Access |
T1090.003 | Multi-hop Proxy | Command and Control |
T1027.002 | Software Packing | Defense Evasion |
T1001.003 | Protocol Impersonation | Command and Control |
T1590.001 | Domain Properties | Reconnaissance |
T1036 | Masquerading | Defense Evasion |
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
T1102.003 | One-Way Communication | Command and Control |
T1087.003 | Email Account | Discovery |
T1583 | Acquire Infrastructure | Resource Development |
T1572 | Protocol Tunneling | Command and Control |
T1074.001 | Local Data Staging | Collection |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1049 | System Network Connections Discovery | Discovery |
T1137.001 | Office Template Macros | Persistence |
T1552.001 | Credentials In Files | Credential Access |
T1135 | Network Share Discovery | Discovery |
T1218.010 | Regsvr32 | Defense Evasion |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1204.002 | Malicious File | Execution |
T1069.002 | Domain Groups | Discovery |
T1555.001 | Keychain | Credential Access |
T1595.002 | Vulnerability Scanning | Reconnaissance |
T1040 | Network Sniffing | Credential Access, Discovery |
T1059.003 | Windows Command Shell | Execution |
T1039 | Data from Network Shared Drive | Collection |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1056.001 | Keylogging | Collection, Credential Access |
T1036.004 | Masquerade Task or Service | Defense Evasion |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
T1497.001 | System Checks | Defense Evasion, Discovery |
T1594 | Search Victim-Owned Websites | Reconnaissance |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1111 | Multi-Factor Authentication Interception | Credential Access |
T1057 | Process Discovery | Discovery |
T1071.002 | File Transfer Protocols | Command and Control |
T1090.001 | Internal Proxy | Command and Control |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1014 | Rootkit | Defense Evasion |
T1555 | Credentials from Password Stores | Credential Access |
T1564.003 | Hidden Window | Defense Evasion |
T1124 | System Time Discovery | Discovery |
T1528 | Steal Application Access Token | Credential Access |
T1592 | Gather Victim Host Information | Reconnaissance |
T1583.001 | Domains | Resource Development |
T1115 | Clipboard Data | Collection |
T1056.003 | Web Portal Capture | Collection, Credential Access |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1589.002 | Email Addresses | Reconnaissance |
T1071.001 | Web Protocols | Command and Control |
T1189 | Drive-by Compromise | Initial Access |
T1496 | Resource Hijacking | Impact |
T1059 | Command and Scripting Interpreter | Execution |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1133 | External Remote Services | Initial Access, Persistence |
T1114 | Email Collection | Collection |
T1083 | File and Directory Discovery | Discovery |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1560.002 | Archive via Library | Collection |
T1021 | Remote Services | Lateral Movement |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1059.002 | AppleScript | Execution |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1102.001 | Dead Drop Resolver | Command and Control |
T1114.002 | Remote Email Collection | Collection |
T1218.005 | Mshta | Defense Evasion |
T1553.002 | Code Signing | Defense Evasion |
T1588.003 | Code Signing Certificates | Resource Development |
T1202 | Indirect Command Execution | Defense Evasion |
T1110.002 | Password Cracking | Credential Access |
T1087.001 | Local Account | Discovery |
T1566 | Phishing | Initial Access |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1584 | Compromise Infrastructure | Resource Development |
T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
T1059.001 | PowerShell | Execution |
T1588.004 | Digital Certificates | Resource Development |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1566.001 | Spearphishing Attachment | Initial Access |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1585.003 | Cloud Accounts | Resource Development |
T1106 | Native API | Execution |
T1090 | Proxy | Command and Control |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1016.001 | Internet Connection Discovery | Discovery |
T1587.002 | Code Signing Certificates | Resource Development |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1033 | System Owner/User Discovery | Discovery |
T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1505.003 | Web Shell | Persistence |
T1059.005 | Visual Basic | Execution |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1571 | Non-Standard Port | Command and Control |
T1074.002 | Remote Data Staging | Collection |
T1586 | Compromise Accounts | Resource Development |
T1489 | Service Stop | Impact |
T1102 | Web Service | Command and Control |
T1592.002 | Software | Reconnaissance |
T1018 | Remote System Discovery | Discovery |
T1005 | Data from Local System | Collection |
T1560 | Archive Collected Data | Collection |
T1003.001 | LSASS Memory | Credential Access |
T1119 | Automated Collection | Collection |
T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1562 | Impair Defenses | Defense Evasion |
T1589.001 | Credentials | Reconnaissance |
T1087.002 | Domain Account | Discovery |
T1569.002 | Service Execution | Execution |
T1573 | Encrypted Channel | Command and Control |
T1213 | Data from Information Repositories | Collection |
T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
T1110.001 | Password Guessing | Credential Access |
T1561 | Disk Wipe | Impact |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1070.006 | Timestomp | Defense Evasion |
T1007 | System Service Discovery | Discovery |
T1559 | Inter-Process Communication | Execution |
T1482 | Domain Trust Discovery | Discovery |
T1102.002 | Bidirectional Communication | Command and Control |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1059.006 | Python | Execution |
T1012 | Query Registry | Discovery |
T1059.004 | Unix Shell | Execution |
T1558.003 | Kerberoasting | Credential Access |
T1003.006 | DCSync | Credential Access |
T1082 | System Information Discovery | Discovery |
T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1003.003 | NTDS | Credential Access |
T1518 | Software Discovery | Discovery |
T1529 | System Shutdown/Reboot | Impact |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1027.004 | Compile After Delivery | Defense Evasion |
T1620 | Reflective Code Loading | Defense Evasion |
T1583.002 | DNS Server | Resource Development |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1003 | OS Credential Dumping | Credential Access |
T1071 | Application Layer Protocol | Command and Control |
T1546 | Event Triggered Execution | Persistence, Privilege Escalation |
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1505 | Server Software Component | Persistence |
T1598.003 | Spearphishing Link | Reconnaissance |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1653 | Power Settings | Persistence |
T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
T1070 | Indicator Removal | Defense Evasion |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1480 | Execution Guardrails | Defense Evasion |
T1622 | Debugger Evasion | Defense Evasion, Discovery |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1132.002 | Non-Standard Encoding | Command and Control |
T1129 | Shared Modules | Execution |
T1027.001 | Binary Padding | Defense Evasion |
T1497.003 | Time Based Evasion | Defense Evasion, Discovery |
T1588.005 | Exploits | Resource Development |
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
T1583.004 | Server | Resource Development |
T1573.001 | Symmetric Cryptography | Command and Control |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1601.001 | Patch System Image | Defense Evasion |
T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
T1016 | System Network Configuration Discovery | Discovery |
T1531 | Account Access Removal | Impact |
T1095 | Non-Application Layer Protocol | Command and Control |
T1608.003 | Install Digital Certificate | Resource Development |
T1136.001 | Local Account | Persistence |
T1595.003 | Wordlist Scanning | Reconnaissance |
T1020 | Automated Exfiltration | Exfiltration |
T1566.002 | Spearphishing Link | Initial Access |
T1036.007 | Double File Extension | Defense Evasion |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1110.003 | Password Spraying | Credential Access |
T1586.002 | Email Accounts | Resource Development |
T1584.004 | Server | Resource Development |
T1608.005 | Link Target | Resource Development |
T1003.002 | Security Account Manager | Credential Access |
T1588.001 | Malware | Resource Development |
T1608.001 | Upload Malware | Resource Development |
T1608.002 | Upload Tool | Resource Development |
T1583.003 | Virtual Private Server | Resource Development |
T1595.001 | Scanning IP Blocks | Reconnaissance |
T1534 | Internal Spearphishing | Lateral Movement |
T1199 | Trusted Relationship | Initial Access |
T1656 | Impersonation | Defense Evasion |
T1590 | Gather Victim Network Information | Reconnaissance |
T1021.004 | SSH | Lateral Movement |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1562.003 | Impair Command History Logging | Defense Evasion |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1486 | Data Encrypted for Impact | Impact |
T1204 | User Execution | Execution |
T1074 | Data Staged | Collection |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1485 | Data Destruction | Impact |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1136 | Create Account | Persistence |
T1219 | Remote Access Software | Command and Control |
T1560.001 | Archive via Utility | Collection |
T1562.009 | Safe Mode Boot | Defense Evasion |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1490 | Inhibit System Recovery | Impact |
T1090.002 | External Proxy | Command and Control |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1110 | Brute Force | Credential Access |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1027.012 | LNK Icon Smuggling | Defense Evasion |
T1001 | Data Obfuscation | Command and Control |
T1027.009 | Embedded Payloads | Defense Evasion |
T1204.001 | Malicious Link | Execution |
T1059.007 | JavaScript | Execution |
T1132 | Data Encoding | Command and Control |
T1056 | Input Capture | Collection, Credential Access |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1592.004 | Client Configurations | Reconnaissance |
T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
T1554 | Compromise Client Software Binary | Persistence |
T1600 | Weaken Encryption | Defense Evasion |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |