AI-Powered Cyber Espionage: Inside the GTG-1002 Campaign

Technique Description Reconnaissance TA0043 The adversary is trying to gather information they can use to plan future operations. Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts. Active Scanning T1595 Claude performed automated scanning of external services, open ports, endpoints, identity systems, and APIs. Gather Victim Network Information T1590 AI enumerated network ranges, enterprise infrastructure layouts, accessible cloud services, VPN endpoints. Search Open Websites / Technical Information T1593 AI gathered publicly available org info as part of target profiling. Initial Access TA0001 The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords. Exploit Public-Facing Application T1190 AI generated exploits and leveraged discovered vulnerabilities on internet-exposed systems. Valid Accounts T1078 Stolen or misconfigured credentials were used to gain authenticated access to systems. Execution TA0002 The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. Command Execution via Tooling T1059 AI invoked scanners, exploit frameworks, and custom scripts through the orchestration layer. Native or Third-Party Tool Execution T1105 / T1204 Claude directed commodity pentesting and recon tools (rather than custom malware). Persistence TA0003 Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. Valid Accounts T1078 Continued persistence was achieved by reusing harvested credentials rather than implanting malware. Privilege Escalation TA0004 Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: SYSTEM/root level local administrator user account with admin-like access user accounts with access to specific system or perform specific function These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. Exploitation for Privilege Escalation T1068 AI attempted privilege escalation via service misconfigurations and vulnerable internal apps. Valid Accounts / Privilege Abuse T1078.004 Stolen high-privilege credentials enabled movement into admin-level areas. Defense Evasion TA0005 Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. Valid Accounts (Credential Misuse) T1078 Enables evasion because activity appears legitimate. Obfuscated Files or Information T1027 Payloads/exploit scripts generated and executed transiently through automation tools. Credential Access TA0006 The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. OS Credential Dumping T1003 AI located credential stores, password files, configuration keys. Brute Force T1110 Claude tested harvested credentials across systems and services. Discovery TA0007 The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. Network Service Discovery T1046 AI scanned internal networks to identify reachable databases, APIs, and application servers. System Information Discovery T1082 Enumerated OS, versions, running services. Account Discovery T1087 AI mapped privileges and relationships of each compromised identity. Query Registry T1012 AI autonomously identified database servers and validated access. Lateral Movement TA0008 The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target, then pivoting through multiple systems and accounts to gain access to it. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. Valid Accounts T1078 Primary method of lateral expansion—credential reuse. Remote Service Access T1021 Claude accessed additional hosts/services using authenticated sessions. Collection TA0009 The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input. Exploitation for Client Execution T1203 Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior Automated Collection T1119 AI sifted and categorized data autonomously for intelligence value. Exfiltration TA0010 Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it Exfiltration Over Web Services T1567 Data packaged and transmitted through legitimate Internet channels. Exfiltration to Cloud Storage / T1567.002 / Report implies use of C2-driven orchestration rather than custom implants. Command and Control TA0011 Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Web Protocols T1071.001 All command, orchestration, and callback traffic flowed over HTTPS. Application-Layer Protocol T1071 AI tasking and tool orchestration used benign app-layer formats. Proxy T1090 Human operators used a control framework, MCP tools, and browser automation to instruct Claude.