C0002: Night Dragon
Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]
Analyst context for executives and security teams
Night Dragon matters because it represents an espionage campaign focused on energy-sector business and operationally sensitive information, including oil and gas production systems, financials, executive targets, and SCADA-related data. For leaders, the decision value is not the campaign name itself; it is the pattern of risk: externally reachable systems, valid account abuse, credential theft, remote administration tools, web shells, command-and-control over web protocols, data staging, and collection from local systems and email can combine into a long-running compromise of business and operational intelligence.
Executive priority
Treat this as a governance and resilience case study for energy, petrochemical, and similar industrial organizations. Priority questions include: Are public-facing applications and external remote services controlled and monitored? Are domain and local credentials protected well enough to prevent broad reuse? Can the SOC distinguish legitimate administrator use of tools such as PsExec and at from suspicious activity? Is there evidence collection across enterprise IT and any SCADA-adjacent environments sufficient for incident response, audit, and regulatory reporting? Budget should favor identity hardening, external attack surface reduction, endpoint and web-server telemetry, and response readiness for data theft investigations.
Technical view
ATT&CK relationships for Night Dragon include credential access against the Windows SAM, password cracking, valid and domain account abuse, external remote services, exploitation of public-facing applications, malicious links, Windows command shell execution, registry modification, file and user discovery, local email collection, local and remote data collection/staging, ingress tool transfer, web-protocol command-and-control, fallback channels, and obfuscation through packed or encrypted/encoded files. Related software includes gsecdump, PsExec, ASPXSpy, at, and zwShell. SOC and IR teams should validate whether they can reconstruct the chain from initial access through credential use, lateral execution, collection, staging, and outbound communications, especially on Windows hosts, web servers, remote access infrastructure, and systems that bridge business and operational data environments.
Likely telemetry
- Authentication logs for VPN, external remote services, domain accounts, local accounts, and privileged accounts
- Windows endpoint telemetry including process creation, command-line activity, registry changes, scheduled task or at usage, and security events related to credential access
- Active Directory and identity-provider events for unusual domain account use, privilege changes, and abnormal login patterns
- Web server and public-facing application logs for exploitation attempts, web shell behavior, suspicious uploads, and unusual command execution
- EDR or host file telemetry for credential dumping tools, packed or encoded files, tool transfer, file discovery, email data access, and local data collection
Detection direction
- Prioritize behavior-based detections over campaign-name matching, since the ATT&CK object provides no official detection text and the software includes tools that may also be used legitimately.
- Tune for suspicious combinations: valid account use followed by PsExec or command shell execution, registry modification, credential dumping, discovery commands, data staging, and outbound web traffic.
- Separate authorized administration from abuse by baselining where PsExec, at, command shells, and remote services are expected, who may use them, and from which management hosts.
- Validate web shell coverage on Internet-facing applications, including file upload paths, anomalous script execution, unusual child processes from web services, and outbound connections from web servers.
- Correlate credential theft indicators with subsequent domain account use, especially logins from unusual hosts, times, geographies, or remote access paths.
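The chain the Technical view asks SOC teams to reconstruct, and the detection directions above (suspicious combinations, baselining sanctioned administration hosts, web-server child processes, correlating credential theft with later account use), as a single added correlation example. This is illustrative code written for this page, not McAfee's or MITRE's; the event records are constructed, the field names are an assumed normalization of Security 4688/4624 and System 7045 events, and `ADMIN_JUMP_IPS`, `PRIVILEGED_ACCOUNTS`, `HOST_IP` and the host and user names are hypothetical baseline data that a real deployment would pull from its own inventory and PAM records.

```python
"""Added example: correlate constructed Windows endpoint and authentication events
into the Night Dragon pattern of credential dumping, privileged account reuse from
an unexpected host, and remote execution with PsExec/at. Not from the original
page; field names are an assumed normalization of 4688/4624/7045 events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline (hypothetical): hosts from which privileged NTLM network logons
# and PsExec/at use are sanctioned, and the accounts worth tracking.
ADMIN_JUMP_IPS = {"10.0.0.5"}
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\svc-backup"}
CRED_DUMP_IMAGES = {"gsecdump.exe", "cain.exe"}   # tools named on this page
REMOTE_EXEC_IMAGES = {"psexec.exe", "at.exe"}
WEB_SERVER_IMAGES = {"w3wp.exe"}                   # IIS worker process
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
HOST_IP = {"WS-ALICE": "10.0.1.23", "JUMP01": "10.0.0.5"}  # constructed inventory

# Constructed sample events (hypothetical hosts, users and times).
EVENTS = [
    {"time": "2011-02-01T09:00:00", "host": "WS-ALICE", "id": 4688, "user": "CORP\\alice",
     "image": "C:\\tmp\\gsecdump.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "gsecdump.exe -a"},
    {"time": "2011-02-01T09:20:00", "host": "SRV-FILE01", "id": 4624, "user": "CORP\\da-admin",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.1.23"},
    {"time": "2011-02-01T09:21:00", "host": "SRV-FILE01", "id": 7045,
     "service": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"time": "2011-02-01T09:25:00", "host": "WS-ALICE", "id": 4688, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\at.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "at.exe \\\\SRV-FILE01 10:00 C:\\Windows\\Temp\\svc.exe"},
    # Sanctioned: the same privileged account used from the jump host.
    {"time": "2011-02-01T10:00:00", "host": "SRV-FILE01", "id": 4624, "user": "CORP\\da-admin",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.5"},
    # Web shell behaviour on an extranet server: IIS worker spawning a shell.
    {"time": "2011-02-01T11:00:00", "host": "EXTRANET-WEB", "id": 4688,
     "user": "IIS APPPOOL\\DefaultAppPool", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmdline": "cmd.exe /c whoami"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the stage name this single event evidences, or None."""
    if ev["id"] == 4688:
        image = basename(ev["image"])
        if image in CRED_DUMP_IMAGES:
            return "credential_dump"
        if image in REMOTE_EXEC_IMAGES and HOST_IP.get(ev["host"]) not in ADMIN_JUMP_IPS:
            return "remote_exec_tool"
        if basename(ev.get("parent", "")) in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
            return "web_server_shell"
    elif ev["id"] == 4624:
        if (ev.get("logon_type") == 3 and ev.get("auth_pkg") == "NTLM"
                and ev.get("user") in PRIVILEGED_ACCOUNTS
                and ev.get("src_ip") not in ADMIN_JUMP_IPS):
            return "privileged_ntlm_logon_unexpected_source"
    elif ev["id"] == 7045:
        if ev.get("service", "").upper().startswith("PSEXESVC"):
            return "psexec_service_install"
    return None


def detect(events, window=timedelta(hours=2), logon_link=timedelta(minutes=10)):
    """Return (alerts, chains). alerts: (stage, host) per flagged event. chains: hits
    sharing an origin address that start with credential dumping and continue into
    account reuse or remote execution inside `window`."""
    alerts, by_origin, last_logon = [], defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage is None:
            continue
        when = datetime.fromisoformat(ev["time"])
        alerts.append((stage, ev["host"]))
        if ev["id"] == 4624:
            origin = ev["src_ip"]
            last_logon[ev["host"]] = (when, origin)
        elif ev["id"] == 7045:
            # Attribute a service install to the most recent flagged logon on that host.
            prev = last_logon.get(ev["host"])
            origin = prev[1] if prev and when - prev[0] <= logon_link else ev["host"]
        else:
            origin = HOST_IP.get(ev["host"], ev["host"])
        by_origin[origin].append((when, stage, ev["host"]))
    follow_on = {"privileged_ntlm_logon_unexpected_source",
                 "psexec_service_install", "remote_exec_tool"}
    chains = []
    for origin, seq in by_origin.items():
        stages = [s for _, s, _ in seq]
        if (stages[0] == "credential_dump" and follow_on & set(stages)
                and seq[-1][0] - seq[0][0] <= window):
            chains.append({"origin": origin, "stages": stages,
                           "hosts": sorted({h for _, _, h in seq})})
    return alerts, chains


if __name__ == "__main__":
    for chain in detect(EVENTS)[1]:
        print(chain)
```

Run stand-alone it reports one chain originating from 10.0.1.23 that spans WS-ALICE and SRV-FILE01; the 10:00 logon of the same domain admin from the jump host produces no alert, which is the baselining point the directions make. The weak part of any such rule is the attribution step: linking a 7045 service install to a prior logon by time alone is a heuristic, and the real source of PSEXESVC should be confirmed from the SMB session or Sysmon network data where available.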
Mitigation priorities
- Reduce exposure of public-facing applications and external remote services through inventory, patching, configuration review, strong authentication, and least-privilege access.
- Harden identity controls first: protect domain accounts, restrict administrative privileges, monitor privileged use, and reduce opportunities for credential reuse after SAM or hash theft.
- Constrain and monitor legitimate administration tools such as PsExec and at through approved-use policies, administrative tiering, and centralized logging.
- Improve endpoint and server visibility for command execution, registry changes, credential dumping behavior, suspicious file transfer, and packed or encoded files.
- Strengthen web application and web-server controls to reduce web shell risk, including secure configuration, file integrity monitoring where appropriate, and rapid investigation of suspicious uploads or script execution.
Analyst notes and limits
The supplied ATT&CK object identifies Night Dragon as a past cyber espionage campaign targeting oil, energy, and petrochemical organizations and executives in Kazakhstan, Taiwan, Greece, and the United States. The official description states that researchers assessed the unidentified actors were based in China; this summary treats that as an assessment, not confirmed attribution. The strongest defensive value comes from the relationship set: credential theft and valid account abuse, web and remote access paths, administrative tool misuse, collection, staging, and command-and-control behaviors.
ATT&CK provides no official detection text, no object-level platforms or tactics, and no guaranteed sequence of activity for every intrusion. Platform and tactic references here are derived from the related software and techniques only. Local asset inventory, identity architecture, logging coverage, and business data flows are required to determine actual exposure and detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1078.002 | Domain Accounts Sub-technique | During Night Dragon, threat actors used domain accounts to gain further access to victim systems.[1] |
| Enterprise | T1608.001 | Upload Malware Sub-technique | During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers.[1] |
| Enterprise | T1588.001 | Malware Sub-technique | During Night Dragon, threat actors used Trojans from underground hacker websites.[1] |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.[1] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware.[1] |
| Enterprise | T1133 | External Remote Services | During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1] |
| Enterprise | T1005 | Data from Local System | During Night Dragon, the threat actors collected files and other data from compromised systems.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.[1] |
| Enterprise | T1027.002 | Software Packing Sub-technique | During Night Dragon, threat actors used software packing in their tools.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access.[1] |
| Enterprise | T1078 | Valid Accounts | During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | During Night Dragon, threat actors used a DLL that included an XOR-encoded section.[1] |
| Enterprise | T1033 | System Owner/User Discovery | During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords.[1] |
| Enterprise | T1588.002 | Tool Sub-technique | During Night Dragon, threat actors obtained and used tools such as gsecdump.[1] |
| Enterprise | T1112 | Modify Registry | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry.[1] |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | During Night Dragon, threat actors dumped account hashes using gsecdump.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | During Night Dragon, threat actors used HTTP for C2.[1] |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | During Night Dragon, threat actors used RAT malware to exfiltrate email archives.[1] |
| Enterprise | T1008 | Fallback Channels | During Night Dragon, threat actors used company extranet servers as secondary C2 servers.[1] |
| Enterprise | T1685 | Disable or Modify Tools | During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.[1] |
| Enterprise | T1083 | File and Directory Discovery | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system.[1] |
| Enterprise | T1583.004 | Server Sub-technique | During Night Dragon, threat actors purchased hosted services to use for C2.[1] |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | During Night Dragon, threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers.[1] |
| Enterprise | T1219 | Remote Access Tools | During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels.[1] |
| Enterprise | T1110.002 | Password Cracking Sub-technique | During Night Dragon, threat actors used Cain & Abel to crack password hashes.[1] |
| Enterprise | T1584.004 | Server Sub-technique | During Night Dragon, threat actors compromised web servers to use for C2.[1] |
| Enterprise | T1568 | Dynamic Resolution | During Night Dragon, threat actors used dynamic DNS services for C2.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.[1] |
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them.[1] |
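The web-server side of the table (T1190 SQL injection against extranet servers, T1608.001 tools uploaded to compromised web servers, T1074.002 files staged on company web servers and downloaded, T1008 extranet servers as secondary C2) and the Detection direction bullet on web shell coverage, as one added log-triage example. This is illustrative code written for this page and not from McAfee's report or MITRE; the log lines are constructed in a simplified IIS W3C-style layout, the `DEPLOYED_SCRIPTS` inventory, the size threshold and the beacon regularity threshold are assumptions, and the file names and addresses are hypothetical.

```python
"""Added example: triage constructed extranet web-server logs for the Night Dragon
web-server behaviours (SQL injection attempts, scripts outside the deployed set,
large staged archive downloads, regular beaconing from one client). Not from the
original page; log layout, inventory and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import unquote_plus

# Assumed deployment inventory: every .aspx the application is known to ship.
DEPLOYED_SCRIPTS = {"/default.aspx", "/login.aspx", "/reports/list.aspx"}
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".cab")
LARGE_BYTES = 5_000_000                      # assumed threshold for staged data
SQLI_PATTERNS = re.compile(
    r"'\s*(?:or|and)\s*[\w']+\s*=\s*[\w']+"  # ' OR '1'='1
    r"|union\s+(?:all\s+)?select"            # UNION SELECT ...
    r"|xp_cmdshell"
    r"|;\s*(?:drop|exec|shutdown)\b"
    r"|--\s*$", re.I)

# Simplified W3C field order assumed here; IIS writes spaces in UA as '+'.
FIELDS = ["date", "time", "s_ip", "method", "uri", "query", "c_ip", "ua", "status", "bytes"]

# Constructed sample log (hypothetical addresses, paths and times).
SAMPLE_LOG = """\
2011-02-01 08:00:01 203.0.113.10 GET /login.aspx user=admin'+OR+'1'='1 198.51.100.7 Mozilla/4.0 200 2310
2011-02-01 08:00:09 203.0.113.10 GET /reports/list.aspx id=1+UNION+SELECT+name,password+FROM+users 198.51.100.7 Mozilla/4.0 500 512
2011-02-01 08:03:30 203.0.113.10 POST /upload/tmp/aspxspy.aspx - 198.51.100.7 Mozilla/4.0 200 14200
2011-02-01 08:04:02 203.0.113.10 GET /upload/tmp/aspxspy.aspx cmd=whoami 198.51.100.7 Mozilla/4.0 200 980
2011-02-01 08:30:00 203.0.113.10 GET /default.aspx - 192.0.2.44 Mozilla/5.0+(Windows+NT+6.1) 200 4100
2011-02-01 09:00:00 203.0.113.10 POST /img/stat.aspx - 10.0.1.23 Mozilla/4.0 200 64
2011-02-01 09:05:01 203.0.113.10 POST /img/stat.aspx - 10.0.1.23 Mozilla/4.0 200 64
2011-02-01 09:10:00 203.0.113.10 POST /img/stat.aspx - 10.0.1.23 Mozilla/4.0 200 64
2011-02-01 09:15:02 203.0.113.10 POST /img/stat.aspx - 10.0.1.23 Mozilla/4.0 200 64
2011-02-01 22:15:44 203.0.113.10 GET /images/cache/q1-docs.rar - 198.51.100.7 Mozilla/4.0 200 73400320
"""


def parse_line(line):
    """Parse one space-separated W3C-style line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["when"] = datetime.fromisoformat(f"{rec['date']}T{rec['time']}")
    rec["query"] = "" if rec["query"] == "-" else unquote_plus(rec["query"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def sqli_attempts(recs):
    return [r for r in recs if SQLI_PATTERNS.search(r["query"])]


def unknown_scripts(recs):
    """Server-side scripts requested that are not in the deployed inventory."""
    return sorted({r["uri"] for r in recs
                   if r["uri"].lower().endswith(".aspx") and r["uri"].lower() not in DEPLOYED_SCRIPTS})


def staged_archive_downloads(recs):
    return [r for r in recs if r["method"] == "GET" and r["status"] == "200"
            and r["uri"].lower().endswith(ARCHIVE_EXT) and r["bytes"] >= LARGE_BYTES]


def beacons(recs, min_hits=4, max_cv=0.2):
    """Clients hitting one URI at near-constant intervals (low coefficient of variation)."""
    series = defaultdict(list)
    for r in recs:
        series[(r["c_ip"], r["method"], r["uri"])].append(r["when"])
    found = []
    for (client, method, uri), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append({"client": client, "uri": uri, "hits": len(times), "interval_s": round(avg)})
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sqli:", [(r["c_ip"], r["uri"]) for r in sqli_attempts(recs)])
    print("unknown scripts:", unknown_scripts(recs))
    print("staged downloads:", [r["uri"] for r in staged_archive_downloads(recs)])
    print("beacons:", beacons(recs))
```

The inventory check is the one worth reproducing first: an attacker's uploaded shell and a fallback C2 endpoint dropped onto a company extranet both appear as server-side scripts the deployment never shipped, which is a cheaper and more durable signal than signature-matching any particular web shell. The beacon heuristic is deliberately simple; legitimate monitoring agents also poll on fixed intervals, so treat it as a lead to join with the unknown-script and process telemetry rather than as an alert on its own.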
Groups, software, and campaigns
S0008: gsecdump
S0073: ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]
S0350: zwShell
zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[1]
S0110: at
S0029: PsExec
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 1642ffd6d398… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] McAfee Foundstone Professional Services and McAfee Labs. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
[2] mitre-attack: C0002 (MITRE ATT&CK campaign object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.