Cyber Resilience

Campaign · all campaigns

Operation WocaoC0014 state

🇨🇳 CN

aka Operation Wocao

Last updated: 2026-07-03

0attributed CVEs
95ATT&CK techniques
0.0IDF score (tooling uniqueness)
0exclusive CVEs
years active

About this actor

[Operation Wocao](https://attack.mitre.org/campaigns/C0014) was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.(Citation: FoxIT Wocao December 2019) Security researchers assessed the [Operation Wocao](https://attack.mitre.org/campaigns/C0014) actors used similar TTPs and tools as APT20, suggesting a possible overlap. [Operation Wocao](https://attack.mitre.org/campaigns/C0014) was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.(Citation: FoxIT Wocao December 2019)

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

CVERiskCVSSEPSSPublishedProducts
No attributed CVEs.

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
SI-459 / 9562%
CM-655 / 9558%
CM-247 / 9549%
AC-341 / 9543%
SI-341 / 9543%
AC-637 / 9539%
CA-737 / 9539%
CM-737 / 9539%
AC-236 / 9538%
IA-227 / 9528%
AC-526 / 9527%
SI-725 / 9526%
CM-524 / 9525%
SC-723 / 9524%
AC-421 / 9522%

Co-occurring actors

None.

Similar actors

Similar TTPs

Same nation-state