{
  "type": "bundle",
  "id": "bundle--1249ff74-8dc9-4fd1-bb0d-7bdda72f5256",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.259Z",
  "modified": "2026-06-11T23:57:51.259Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--5d6dbe20-6e8a-4a91-b927-49995af62ca5",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--4b561ca5-4e2a-4835-a366-69f2246d2d1c",
      "start_refs": [
        "attack-action--6f347c34-9d8a-48f1-889e-23752c87197b"
      ],
      "name": "Equifax Breach",
      "description": "Attack flow on the 2017 Equifax breach.",
      "scope": "incident",
      "external_references": [
        {
          "source_name": "CNET",
          "description": "Article",
          "url": "https://www.cnet.com/news/privacy/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/"
        },
        {
          "source_name": "CSO",
          "description": "Article",
          "url": "https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html"
        },
        {
          "source_name": "Department of Justice",
          "description": "Press Release",
          "url": "https://www.justice.gov/opa/press-release/file/1246891/download"
        },
        {
          "source_name": "Government Accountability Office",
          "description": "Congressional Request",
          "url": "https://www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO%20Equifax%20report.pdf"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--4b561ca5-4e2a-4835-a366-69f2246d2d1c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.259Z",
      "modified": "2026-06-11T23:57:51.259Z",
      "name": "Lauren Parker",
      "contact_information": "lparker@mitre.org"
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--d3193187-95c8-428c-9de5-0e2049a778e8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "name": "Wu Zhiyong",
      "description": "Member of the PLA who was indicted by DoJ for computer fraud, economic espionage, and wire fraud for hacking into credit reporting agency Equifax",
      "threat_actor_types": [
        "Nation-state"
      ],
      "first_seen": "2017-05-13T04:00:00.000Z",
      "last_seen": "2017-07-30T04:00:00.000Z",
      "roles": [
        "Agent"
      ],
      "goals": [
        "access protected computers for economic espionage; transmit information from a protected computer to cause harm; steal, convey, and sell trade secrets from Equifax to benefit a foreign government, namely China"
      ],
      "sophistication": "Expert",
      "resource_level": "Government",
      "primary_motivation": "organizational-gain"
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--ed3f9e1b-1c65-4d72-9bb3-01e0ec01b094",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "name": "Wang Qian",
      "description": "Member of the PLA who was indicted by DoJ for computer fraud, economic espionage, and wire fraud for hacking into credit reporting agency Equifax",
      "threat_actor_types": [
        "Nation-state"
      ],
      "first_seen": "2017-05-13T04:00:00.000Z",
      "last_seen": "2017-07-30T04:00:00.000Z",
      "roles": [
        "Agent"
      ],
      "goals": [
        "access protected computers for economic espionage; transmit information from a protected computer to cause harm; steal, convey, and sell trade secrets from Equifax to benefit a foreign government, namely China"
      ],
      "sophistication": "Expert",
      "resource_level": "Government",
      "primary_motivation": "organizational-gain"
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--52e873ba-3b38-46d4-ac6f-fa5d4875d049",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "name": "Xu Ke",
      "description": "Member of the PLA who was indicted by DoJ for computer fraud, economic espionage, and wire fraud for hacking into credit reporting agency Equifax",
      "threat_actor_types": [
        "Nation-state"
      ],
      "first_seen": "2017-05-13T04:00:00.000Z",
      "last_seen": "2017-07-30T04:00:00.000Z",
      "roles": [
        "Agent"
      ],
      "goals": [
        "access protected computers for economic espionage; transmit information from a protected computer to cause harm; steal, convey, and sell trade secrets from Equifax to benefit a foreign government, namely China"
      ],
      "sophistication": "Expert",
      "resource_level": "Government",
      "primary_motivation": "organizational-gain"
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--60ee3b8c-c6f9-4ac5-ab95-7d7e5a592638",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "name": "Liu Lei",
      "description": "Member of the PLA who was indicted by DoJ for computer fraud, economic espionage, and wire fraud for hacking into credit reporting agency Equifax",
      "threat_actor_types": [
        "Nation-state"
      ],
      "first_seen": "2017-05-13T04:00:00.000Z",
      "last_seen": "2017-07-30T04:00:00.000Z",
      "roles": [
        "Agent"
      ],
      "goals": [
        "access protected computers for economic espionage; transmit information from a protected computer to cause harm; steal, convey, and sell trade secrets from Equifax to benefit a foreign government, namely China"
      ],
      "sophistication": "Expert",
      "resource_level": "Government",
      "primary_motivation": "organizational-gain"
    },
    {
      "type": "attack-action",
      "id": "attack-action--6f347c34-9d8a-48f1-889e-23752c87197b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Vulnerability Scanning",
      "description": "US-CERT warned about a vulnerability within Apache Struts. Attackers searched the web for systems with this vulnerability",
      "effect_refs": [
        "attack-condition--6a38d6e6-107c-4941-9848-a7a91b9560f8"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--6a38d6e6-107c-4941-9848-a7a91b9560f8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attackers discovered a vulnerable Apache Struts Web Framework on Equifax's dispute portal"
    },
    {
      "type": "attack-action",
      "id": "attack-action--ed1d3b65-7d96-4fb0-88c4-c2cd30623b03",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploit Public-Facing Application",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1190",
      "technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
      "description": "Attackers used software designed to exploit the Apache Struts Web Framework vulnerability to gain access to Equifax's online dispute portal",
      "effect_refs": [
        "attack-condition--085ff46c-3c7d-43f0-8e8f-0b265e209f4d"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--085ff46c-3c7d-43f0-8e8f-0b265e209f4d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attackers sold foothold into Equifax's network to more experienced attackers"
    },
    {
      "type": "attack-action",
      "id": "attack-action--21be9f13-3c4b-4c97-b532-326568e19550",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web Shell",
      "description": "New attackers exploited the foothold and installed a web shell onto the Online Dispute Portal",
      "asset_refs": [
        "attack-asset--c8ab9a0b-16c8-472d-8eca-a52c2e512019"
      ],
      "effect_refs": [
        "attack-action--d9d6e1e2-dc1e-404f-a4fd-a1fac90c0a86",
        "attack-action--98563102-bd12-43d2-829c-e6591931f1fb"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--c8ab9a0b-16c8-472d-8eca-a52c2e512019",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Online Dispute Portal"
    },
    {
      "type": "attack-action",
      "id": "attack-action--d9d6e1e2-dc1e-404f-a4fd-a1fac90c0a86",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Credentials",
      "description": "Attackers conducted recon on the online dispute portal to obtain valid credentials for database servers",
      "effect_refs": [
        "attack-operator--6dd662da-1e03-4873-943c-d9a8d25b306d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--98563102-bd12-43d2-829c-e6591931f1fb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Gather Victim Network Information",
      "tactic_id": "TA0043",
      "tactic_ref": "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
      "technique_id": "T1590",
      "technique_ref": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109",
      "description": "Attackers conducted recon to identify databases with PII",
      "effect_refs": [
        "attack-operator--6dd662da-1e03-4873-943c-d9a8d25b306d"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--6dd662da-1e03-4873-943c-d9a8d25b306d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--6641e2c7-8ea1-443f-a29d-89e544be5eb9"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--6641e2c7-8ea1-443f-a29d-89e544be5eb9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Encrypted Channel",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1573",
      "technique_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118",
      "description": "Queried databases for PII using existing encrypted channels",
      "effect_refs": [
        "attack-condition--a0f50bb1-aacd-4678-8160-c2062fef2b10"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--a0f50bb1-aacd-4678-8160-c2062fef2b10",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attackers discovered and compromised databases storing PII"
    },
    {
      "type": "attack-action",
      "id": "attack-action--bd230072-e0f0-4478-a209-7d7aded898f2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Archive Collected Data",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "technique_id": "T1560",
      "technique_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
      "description": "Split and compress output files with information",
      "effect_refs": [
        "attack-operator--c1e2a2c3-c2d0-4551-9969-2d39cb6f3053"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--20aa5b9f-3477-4e0a-a5d0-93b6c199be69",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Deobfuscate/Decode Files or Information",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1140",
      "technique_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
      "description": "Obfuscate PII information to evade DLP systems",
      "effect_refs": [
        "attack-operator--c1e2a2c3-c2d0-4551-9969-2d39cb6f3053"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--c1e2a2c3-c2d0-4551-9969-2d39cb6f3053",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--23fade7d-fc7b-42d6-b962-fd13f8d67e88"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--23fade7d-fc7b-42d6-b962-fd13f8d67e88",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
      "description": "Exfiltration over standard encrypted web protocols to disguise the exchanges as normal network traffic",
      "effect_refs": [
        "attack-action--e0206671-984d-49d1-bd1a-12e10966395f"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--e0206671-984d-49d1-bd1a-12e10966395f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Multi-hop Proxy",
      "description": "Attackers used multi-hop proxies on approximately thirty-four servers located in nearly twenty countries",
      "effect_refs": [
        "attack-action--61cfb4a1-6468-4095-bd42-c9e0476a9e00",
        "attack-action--f4e8ee77-2e14-450d-92d4-d7a1b6595c16"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--66dbb482-b762-4299-a995-6e0ae0c48d42",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "name": "Proxies",
      "description": "Adversary used multi-hop proxies",
      "infrastructure_types": [
        "Anonymization"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--82e17e5c-bd8a-493a-a209-8d6b2ab86e50",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "name": "Servers",
      "description": "Adversary used 34 servers located in nearly 20 countries to host multi-hop proxies for obfuscation",
      "infrastructure_types": [
        "anonymization"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f4e8ee77-2e14-450d-92d4-d7a1b6595c16",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "File Deletion",
      "description": "Deleted the compressed files after exfiltrating the sensitive data"
    },
    {
      "type": "attack-action",
      "id": "attack-action--61cfb4a1-6468-4095-bd42-c9e0476a9e00",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Clear Windows Event Logs",
      "description": "Wiped log files on a daily basis in an effort to eliminate records of activity"
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--236a6a2c-e12c-4ed9-983b-602b7af3bc2a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "name": "CVE-2017-5638",
      "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string."
    },
    {
      "type": "malware",
      "id": "malware--49e4d378-bc15-4ab9-bb3f-b05e3b896bb0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "name": "Web Shell",
      "malware_types": [
        "webshell"
      ],
      "is_family": false,
      "capabilities": [
        "communicates-with-c2",
        "exfiltrates-data"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--5d7d04c9-e769-48cc-b5c2-2ff91fcff0f8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6f347c34-9d8a-48f1-889e-23752c87197b",
      "target_ref": "vulnerability--236a6a2c-e12c-4ed9-983b-602b7af3bc2a"
    },
    {
      "type": "relationship",
      "id": "relationship--9dd127b9-f75a-4a27-94db-699f31560add",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--6a38d6e6-107c-4941-9848-a7a91b9560f8",
      "target_ref": "attack-action--ed1d3b65-7d96-4fb0-88c4-c2cd30623b03"
    },
    {
      "type": "relationship",
      "id": "relationship--6340eaaa-ee31-4c22-ba7e-eca004a52fe2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--ed1d3b65-7d96-4fb0-88c4-c2cd30623b03",
      "target_ref": "vulnerability--236a6a2c-e12c-4ed9-983b-602b7af3bc2a"
    },
    {
      "type": "relationship",
      "id": "relationship--921266a4-a817-4376-bf3f-3f22f4d6fcba",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--085ff46c-3c7d-43f0-8e8f-0b265e209f4d",
      "target_ref": "attack-action--21be9f13-3c4b-4c97-b532-326568e19550"
    },
    {
      "type": "relationship",
      "id": "relationship--a95902d1-e232-47a1-9b74-418a1ede7af1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--21be9f13-3c4b-4c97-b532-326568e19550",
      "target_ref": "malware--49e4d378-bc15-4ab9-bb3f-b05e3b896bb0"
    },
    {
      "type": "relationship",
      "id": "relationship--e1937fd4-c549-4efc-b4db-653a6bf26125",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--a0f50bb1-aacd-4678-8160-c2062fef2b10",
      "target_ref": "attack-action--20aa5b9f-3477-4e0a-a5d0-93b6c199be69"
    },
    {
      "type": "relationship",
      "id": "relationship--7f6e6e0c-bec3-4820-9f65-a2fb1221378c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--a0f50bb1-aacd-4678-8160-c2062fef2b10",
      "target_ref": "attack-action--bd230072-e0f0-4478-a209-7d7aded898f2"
    },
    {
      "type": "relationship",
      "id": "relationship--beedc611-e91f-4e01-9ea3-8a37a9d3e6dd",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e0206671-984d-49d1-bd1a-12e10966395f",
      "target_ref": "infrastructure--82e17e5c-bd8a-493a-a209-8d6b2ab86e50"
    },
    {
      "type": "relationship",
      "id": "relationship--486d9fc8-8b47-465f-80b8-3899250f4b56",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.260Z",
      "modified": "2026-06-11T23:57:51.260Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e0206671-984d-49d1-bd1a-12e10966395f",
      "target_ref": "infrastructure--66dbb482-b762-4299-a995-6e0ae0c48d42"
    }
  ]
}