MITRE ATT&CK® Campaign

C0049: Leviathan Australian Intrusions

Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.[1]

Enterprise | C0049 | Campaign | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Leviathan Australian Intrusions is a campaign describing long-term intrusions against Australian victims attributed by ATT&CK to Leviathan. Its business significance is the pattern: public-facing exploitation followed by credential capture and credential re-use, enabling privilege escalation, lateral movement, data staging, and exfiltration of sensitive data including valid credentials. For leaders, this is less a single malware problem and more a test of exposure management, identity controls, logging depth, and incident response readiness.

Executive priority

Treat this campaign as a decision point for whether the organization can withstand a credential-driven intrusion after an exposed service is compromised. Priority questions: Are public-facing applications and edge services inventoried and patched quickly? Can the SOC see credential abuse across domain, local, cloud, SaaS, SSH, SMB, and MFA-related activity? Are sensitive databases and file shares monitored for unusual collection and staging? Can incident responders rapidly revoke credentials, tokens, and sessions while preserving evidence?

Technical view

ATT&CK provides no campaign-specific detection text, so defensive validation should be built from the related techniques: exploit public-facing applications, web shell persistence, system/share/domain discovery, valid account abuse, domain and local account misuse, MFA interception, token theft, unsecured credentials, Kerberoasting, SMB and SSH lateral movement, local data staging, database collection, and exfiltration over a C2 channel. Detection teams should test whether logs connect these phases into one investigation path rather than treating each alert in isolation.

Likely telemetry

  • Internet-facing application, web server, reverse proxy, and WAF logs
  • Vulnerability and external attack surface inventory for public-facing systems
  • Web server file integrity, script execution, and web shell indicators
  • Endpoint process, command-line, file creation, and archive/staging activity
  • Windows authentication, Kerberos, domain controller, SMB, and admin share events

Detection direction

  • Correlate public-facing exploitation indicators with later authentication from the same host, new web-accessible files, unusual child processes, or outbound connections.
  • Baseline and alert on abnormal use of valid accounts, especially cross-host logons, unusual SMB/admin share access, SSH access outside normal administration, and use of local accounts where domain accounts are expected.
  • Monitor for discovery behavior across systems, shares, domain trusts, and system information, while tuning out legitimate inventory, backup, and administrative tooling.
  • Validate Kerberos and service account monitoring for patterns consistent with service ticket abuse, especially where service accounts have weak hygiene or excessive privilege.
  • Review IdP, MFA, and application-token logs for suspicious session creation, token use, impossible or unusual access patterns, and access to sensitive SaaS or cloud resources.
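As an added illustration of the first two bullets (example code written for this page, not part of the ATT&CK object or Glexia's analysis), the Python below correlates constructed sample events per host: an exploitation indicator on a web server opens an investigation window, and follow-on phases seen from that same host inside the window (new web-accessible file, unusual web server child process, later authentication, outbound connection) are grouped into one finding instead of separate alerts. Event types, host names and account names are assumed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page or the CISA advisory): web01 shows an
# exploitation indicator, then a new file in its webroot, an odd child process, and an
# SMB logon to a file server. app07 only shows a routine logon and must not alert.
EVENTS = [
    {"ts": "2025-02-03T10:00:00", "host": "web01", "type": "waf_block",
     "detail": "path traversal in /api/upload"},
    {"ts": "2025-02-03T10:02:10", "host": "web01", "type": "file_create",
     "detail": r"C:\inetpub\wwwroot\img\cache.aspx"},
    {"ts": "2025-02-03T10:05:30", "host": "web01", "type": "child_process",
     "detail": "w3wp.exe -> cmd.exe"},
    {"ts": "2025-02-03T10:40:00", "host": "web01", "type": "smb_logon",
     "detail": "svc_backup -> fs01 (logon type 3)"},
    {"ts": "2025-02-03T11:00:00", "host": "app07", "type": "smb_logon",
     "detail": "jdoe -> fs01 (logon type 3)"},
]

# Only an exploitation indicator opens a window; the other phases are follow-on evidence.
TRIGGER = {"waf_block", "exploit_signature"}
FOLLOW_ON = {
    "file_create": "new web-accessible file",
    "child_process": "unusual web server child process",
    "smb_logon": "later authentication from the host",
    "outbound_conn": "outbound connection",
}


def correlate(events, window_hours=24, min_phases=2):
    """Return {host: sorted follow-on phase names} for hosts where an exploitation
    indicator is followed, within window_hours, by at least min_phases distinct phases."""
    parsed = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events),
                    key=lambda x: x[0])
    triggers = {}  # host -> time of the first exploitation indicator
    for ts, e in parsed:
        if e["type"] in TRIGGER:
            triggers.setdefault(e["host"], ts)
    chains = {}
    for ts, e in parsed:
        t0 = triggers.get(e["host"])
        if t0 is None or e["type"] not in FOLLOW_ON:
            continue
        if t0 <= ts <= t0 + timedelta(hours=window_hours):
            chains.setdefault(e["host"], set()).add(FOLLOW_ON[e["type"]])
    return {h: sorted(p) for h, p in chains.items() if len(p) >= min_phases}


if __name__ == "__main__":
    for host, phases in correlate(EVENTS).items():
        print(f"{host}: exploitation indicator followed by {', '.join(phases)}")
```

The window and phase threshold are tuning knobs; in production the trigger set would be fed by WAF and exploit-detection sources and the follow-on phases by endpoint and authentication telemetry.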

Mitigation priorities

  • Start with exposure management: maintain an inventory of public-facing applications and prioritize remediation of exploitable weaknesses and misconfigurations.
  • Reduce credential blast radius through least privilege, privileged access controls, local account governance, service account hygiene, and prevention of password reuse.
  • Harden identity paths that enable re-use: monitor and control domain accounts, local accounts, application tokens, and MFA/session mechanisms.
  • Constrain lateral movement by limiting SMB/admin share and SSH access to required administrative paths and segmenting sensitive systems.
  • Remove insecurely stored credentials from files, configuration, shares, repositories, backups, and administrative scripts; rotate exposed credentials and tokens during response.

Analyst notes and limits

The supplied ATT&CK object identifies a campaign focused on Australian victims and links it to Leviathan and a CISA advisory. The most useful defensive reading is the campaign chain: external service exploitation, credential capture/re-use, privilege escalation, lateral movement, collection, and exfiltration. Glexia should use this object to drive control validation across vulnerability management, IAM, SOC correlation, and IR credential containment.

ATT&CK does not provide official detection guidance, campaign platforms, or campaign tactics for this object. Platforms and tactics above are inferred only from related ATT&CK techniques and should be validated against the local environment. This take does not assert current exploitation, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Leviathan Australian Intrusions

Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

26 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique)

Leviathan used remote shares to move laterally through victim networks during Leviathan Australian Intrusions. [1]

Enterprise | T1074.001 | Local Data Staging (sub-technique)

Leviathan stored captured credential material in local log files on victim systems during Leviathan Australian Intrusions. [1]

Enterprise | T1615 | Group Policy Discovery

Leviathan performed extensive Active Directory enumeration of victim environments during Leviathan Australian Intrusions. [1]

Enterprise | T1213.006 | Databases (sub-technique)

Leviathan gathered information from SQL servers and Building Management System (BMS) servers during Leviathan Australian Intrusions. [1]

Enterprise | T1552 | Unsecured Credentials

Leviathan gathered credentials hardcoded in binaries located on victim devices during Leviathan Australian Intrusions. [1]

Enterprise | T1078.002 | Domain Accounts (sub-technique)

Leviathan compromised domain credentials during Leviathan Australian Intrusions. [1]

Enterprise | T1686 | Disable or Modify System Firewall

Leviathan modified system firewalls to add two open listening ports, 9998 and 9999, during Leviathan Australian Intrusions. [1]

Enterprise | T1552.001 | Credentials In Files (sub-technique)

Leviathan gathered credentials stored in files related to Building Management System (BMS) operations during Leviathan Australian Intrusions. [1]

Enterprise | T1082 | System Information Discovery

Leviathan performed host enumeration and data gathering operations on victim machines during Leviathan Australian Intrusions. [1]

Enterprise | T1018 | Remote System Discovery

Leviathan performed extensive remote host enumeration to build its own map of victim networks during Leviathan Australian Intrusions. [1]

Enterprise | T1190 | Exploit Public-Facing Application

Leviathan exploited public-facing web applications and appliances for initial access during Leviathan Australian Intrusions. [1]

Enterprise | T1558.003 | Kerberoasting (sub-technique)

Leviathan used Kerberoasting techniques during Leviathan Australian Intrusions. [1]

Enterprise | T1041 | Exfiltration Over C2 Channel

Leviathan exfiltrated collected data over existing command and control channels during Leviathan Australian Intrusions. [1]

Enterprise | T1482 | Domain Trust Discovery

Leviathan performed Active Directory enumeration of victim environments during Leviathan Australian Intrusions. [1]

Enterprise | T1135 | Network Share Discovery

Leviathan scanned and enumerated remote network shares in victim environments during Leviathan Australian Intrusions. [1]

Enterprise | T1594 | Search Victim-Owned Websites

Leviathan enumerated compromised web application resources to identify additional endpoints and resources linked to the website for follow-on access during Leviathan Australian Intrusions. [1]

Enterprise | T1078 | Valid Accounts

Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions. [1]

Enterprise | T1056 | Input Capture

Leviathan captured submitted multifactor authentication codes and other technical artifacts related to remote access sessions during Leviathan Australian Intrusions. [1]

Enterprise | T1505.003 | Web Shell (sub-technique)

Leviathan relied extensively on web shells following initial access for persistence and command execution in victim environments during Leviathan Australian Intrusions. [1]

Enterprise | T1078.003 | Local Accounts (sub-technique)

Leviathan used captured local account information, such as service accounts, for actions during Leviathan Australian Intrusions. [1]

Enterprise | T1068 | Exploitation for Privilege Escalation

Leviathan exploited software vulnerabilities in victim environments to escalate privileges during Leviathan Australian Intrusions. [1]

Enterprise | T1528 | Steal Application Access Token

Leviathan abused access to compromised appliances to collect JSON Web Tokens (JWTs) used for creating virtual desktop sessions during Leviathan Australian Intrusions. [1]

Enterprise | T1111 | Multi-Factor Authentication Interception

Leviathan abused compromised appliance access to collect multifactor authentication token values during Leviathan Australian Intrusions. [1]

Enterprise | T1021.004 | SSH (sub-technique)

Leviathan used SSH brute force techniques to move laterally within victim environments during Leviathan Australian Intrusions. [1]

Enterprise | T1212 | Exploitation for Credential Access

Leviathan exploited vulnerable network appliances during Leviathan Australian Intrusions, leading to the collection and exfiltration of valid credentials. [1]

Enterprise | T1588.006 | Vulnerabilities (sub-technique)

Leviathan weaponized publicly known vulnerabilities for initial access and other purposes during Leviathan Australian Intrusions. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0065: Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f6cdf1065b69d4a4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f6cdf1065b69…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CISA Leviathan 2024. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  2. [2] mitre-attack C0049.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.