Description
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
Platforms
Mitigations (1)
Encrypt Sensitive InformationM1041
Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used DYEPACK to manipulate SWIFT messages en route to a printer.(Citation: FireEye APT38 Oct 2018) |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0530 | Melcoz | Malware | [Melcoz](https://attack.mitre.org/software/S0530) can monitor the clipboard for cryptocurrency addresses and change the intended address to one contro... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) can intercept and modify transaction details associated with hardware wallet applications before ... |
| S0395 | LightNeuron | Malware | [LightNeuron](https://attack.mitre.org/software/S0395) is capable of modifying email content, headers, and attachments during transit.(Citation: ESET ... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has a function that can watch the contents of the system clipboard for valid bitcoin addresses, w... |
References
- Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1565.002 (Transmitted Data Manipulation)?
T1565.002 is a MITRE ATT&CK technique named 'Transmitted Data Manipulation'. It belongs to the Impact tactic(s). Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)...
How can T1565.002 be detected?
Detection of T1565.002 (Transmitted Data Manipulation) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1565.002?
There are 1 documented mitigations for T1565.002. Key mitigations include: Encrypt Sensitive Information.
Which threat groups use T1565.002?
Known threat groups using T1565.002 include: APT38.