{"description": "Enterprise techniques used by Indian Critical Infrastructure Intrusions, ATT&CK campaign C0043 (v1.0)", "name": "Indian Critical Infrastructure Intrusions (C0043)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "During [Indian Critical Infrastructure Intrusions](https://attack.mitre.org/campaigns/C0043), [RedEcho](https://attack.mitre.org/groups/G1042) registered domains spoofing Indian critical infrastructure entities.(Citation: RecordedFuture RedEcho 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "During [Indian Critical Infrastructure Intrusions](https://attack.mitre.org/campaigns/C0043), [RedEcho](https://attack.mitre.org/groups/G1042) network activity included SSL traffic over TCP 443 and HTTP traffic over non-standard ports.(Citation: RecordedFuture RedEcho 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584", "comment": "[Indian Critical Infrastructure Intrusions](https://attack.mitre.org/campaigns/C0043) included the use of compromised infrastructure, such as DVR and IP camera devices, for command and control purposes in [ShadowPad](https://attack.mitre.org/software/S0596) activity.(Citation: RecordedFuture RedEcho 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "comment": "During [Indian Critical Infrastructure Intrusions](https://attack.mitre.org/campaigns/C0043), [RedEcho](https://attack.mitre.org/groups/G1042) used dynamic DNS domains associated with malicious infrastructure.(Citation: RecordedFuture RedEcho 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "During [Indian Critical Infrastructure Intrusions](https://attack.mitre.org/campaigns/C0043), [RedEcho](https://attack.mitre.org/groups/G1042) used SSL for network communication.(Citation: RecordedFuture RedEcho 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1599", "comment": "[Indian Critical Infrastructure Intrusions](https://attack.mitre.org/campaigns/C0043) involved the use of [FRP](https://attack.mitre.org/software/S1144) to bridge network boundaries and overcome NAT.(Citation: RecordedFuture RedEcho 2022) [Indian Critical Infrastructure Intrusions](https://attack.mitre.org/campaigns/C0043) also involved the use of VPN tunnels with a potentially compromised MSP entity allowing for direct access to critical infrastructure entity networks.(Citation: Dragos YIR 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "During [Indian Critical Infrastructure Intrusions](https://attack.mitre.org/campaigns/C0043), [RedEcho](https://attack.mitre.org/groups/G1042) used non-standard ports such as TCP 8080 for HTTP communication.(Citation: RecordedFuture RedEcho 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.004", "comment": "[Indian Critical Infrastructure Intrusions](https://attack.mitre.org/campaigns/C0043) included the use of digital certificates spoofing Microsoft.(Citation: RecordedFuture RedEcho 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Indian Critical Infrastructure Intrusions", "color": "#66b1ff"}]}
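The JSON above is an ATT&CK Navigator layer: each observed technique carries `score: 1` and a colour, each sub-technique's parent appears as a scoreless entry with `showSubtechniques: true`, and the gradient maps score 0..1 onto white..#66b1ff. The following Python is an added example (not MITRE's layer tooling, and not part of the layer file) that builds a layer in that shape from a list of (techniqueID, comment) observations and validates the conventions the file relies on. The `OBSERVATIONS` list is a constructed, paraphrased subset of the C0043 entries; `build_layer`, `validate_layer` and `scored_techniques` are this example's own names.

```python
"""Build and validate an ATT&CK Navigator layer in the shape of the JSON above.
Added example, not MITRE's own tooling; the function names are this example's."""
import json
import re

# Technique IDs look like T1583 (technique) or T1583.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed input: a paraphrased subset of the C0043 observations above.
OBSERVATIONS = [
    ("T1583.001", "RedEcho registered domains spoofing Indian critical infrastructure entities."),
    ("T1071.001", "SSL traffic over TCP 443 and HTTP traffic over non-standard ports."),
    ("T1584", "Compromised DVR and IP camera devices used for ShadowPad C2."),
    ("T1571", "Non-standard ports such as TCP 8080 for HTTP communication."),
]


def build_layer(name, description, legend_label, observations, color="#66b1ff"):
    """Return a layer dict following the conventions visible above: every
    observed technique gets score 1 and a colour; every sub-technique's parent
    is emitted as a scoreless entry with showSubtechniques so the Navigator
    expands it; sub-technique entries also set showSubtechniques."""
    techniques = {}  # insertion order keeps each parent right before its subs
    for tid, comment in observations:
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed technique ID: {tid!r}")
        is_sub = "." in tid
        if is_sub:
            parent = tid.split(".", 1)[0]
            techniques.setdefault(parent, {"techniqueID": parent, "showSubtechniques": True})
        entry = techniques.setdefault(tid, {"techniqueID": tid, "showSubtechniques": False})
        entry["comment"] = comment
        entry["score"] = 1
        entry["color"] = color
        # A parent that is also observed directly must keep its expansion flag.
        entry["showSubtechniques"] = entry["showSubtechniques"] or is_sub
    return {
        "description": description,
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
        "techniques": list(techniques.values()),
        "gradient": {"colors": ["#ffffff", color], "minValue": 0, "maxValue": 1},
        "legendItems": [{"label": legend_label, "color": color}],
    }


def validate_layer(layer):
    """Return a list of problems (empty when the layer is consistent): unknown
    domain, missing version keys, malformed IDs, sub-techniques whose parent
    entry is absent, and scores outside the gradient range."""
    problems = []
    if layer.get("domain") not in {"enterprise-attack", "mobile-attack", "ics-attack"}:
        problems.append(f"unknown domain {layer.get('domain')!r}")
    for key in ("layer", "attack", "navigator"):
        if key not in layer.get("versions", {}):
            problems.append(f"versions.{key} missing")
    techniques = layer.get("techniques", [])
    ids = {t.get("techniqueID") for t in techniques}
    gradient = layer.get("gradient") or {}
    lo, hi = gradient.get("minValue", 0), gradient.get("maxValue", 100)
    for t in techniques:
        tid = t.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed technique ID {tid!r}")
            continue
        if "." in tid and tid.split(".", 1)[0] not in ids:
            problems.append(f"{tid} has no parent entry")
        if "score" in t and not lo <= t["score"] <= hi:
            problems.append(f"{tid} score {t['score']} outside gradient [{lo}, {hi}]")
    return problems


def scored_techniques(layer):
    """Technique IDs that carry a score, i.e. the ones actually observed
    (parents emitted only for expansion are excluded)."""
    return [t["techniqueID"] for t in layer["techniques"] if "score" in t]


if __name__ == "__main__":
    layer = build_layer(
        "Indian Critical Infrastructure Intrusions (C0043)",
        "Enterprise techniques used by Indian Critical Infrastructure Intrusions",
        "used by Indian Critical Infrastructure Intrusions",
        OBSERVATIONS,
    )
    problems = validate_layer(layer)
    print("problems:", problems or "none")
    print("observed:", scored_techniques(layer))
    print(json.dumps(layer, indent=2))
```

The validator's parent check matters in practice: a sub-technique entry whose parent is missing still loads in the Navigator, but the parent cell stays collapsed and the scored sub-technique is invisible until someone expands it by hand, which is an easy way to under-report coverage.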