{"description": "Mobile techniques used by Operation Triangulation, ATT&CK campaign C0054 (v1.0)", "name": "Operation Triangulation (C0054)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1437", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used HTTPS POST requests for C2 communication.(Citation: SecureList OpTriangulation 21Jun2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1429", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used a microphone-recording module.(Citation: SecureList OpTriangulation 23Oct2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1634", "showSubtechniques": true}, {"techniqueID": "T1634.001", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have dumped the device\u2019s keychain.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1533", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors stole data from SQLite databases.(Citation: SecureList OpTriangulation 23Oct2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1521", "showSubtechniques": true}, {"techniqueID": "T1521.001", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used 3DES and AES to encrypt C2 communication and data.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1521.002", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used RSA to encrypt C2 communication.(Citation: SecureList OpTriangulation 21Jun2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1658", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors sent iMessage messages with malicious exploits that executed without user interaction.(Citation: SecureList OpTriangulation 01Jun2023)(Citation: SecureList OpTriangulation 23Oct2023)(Citation: SecureList OpTriangulation Dec2023) Additionally, the threat actors have used various exploits, such as CVE-2023-41990, CVE-2023-32435, CVE-2023-32434 and CVE-2023-38606, to obtain privilege escalation.(Citation: SecureList OpTriangulation Dec2023)   ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1404", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors exploited a kernel vulnerability to obtain root privileges.(Citation: SecureList OpTriangulation 21Jun2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1420", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of files in a specified directory using the `fts` API.(Citation: SecureList OpTriangulation 21Jun2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1630", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors deleted the initial exploitation message and exploit attachment.(Citation: SecureList OpTriangulation 01Jun2023) ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1630.002", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors removed files from the device.(Citation: SecureList OpTriangulation 21Jun2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1544", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors downloaded subsequent stages from the C2.(Citation: SecureList OpTriangulation 01Jun2023)(Citation: SecureList OpTriangulation 21Jun2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1430", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors monitored the device\u2019s geolocation.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1575", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors use the Audio Queue API to record audio.(Citation: SecureList OpTriangulation 23Oct2023)(Citation: SecureList OpTriangulation Dec2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1424", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of processes.(Citation: SecureList OpTriangulation 21Jun2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have collected and exfiltrated SMS messages.(Citation: SecureList OpTriangulation 23Oct2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1418", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of installed applications.(Citation: SecureList OpTriangulation 21Jun2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1409", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have collected and exfiltrated data from WhatsApp and Telegram.(Citation: SecureList OpTriangulation 23Oct2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors collected device and user information.(Citation: SecureList OpTriangulation 01Jun2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1422", "comment": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors use the heartbeat beacons from the implant to obtain device information, such as the IMEI, MEID, and the serial number.(Citation: SecureList OpTriangulation 21Jun2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Operation Triangulation", "color": "#66b1ff"}]}