C0017 state-contractor
🇨🇳 CN · MSS
aka C0017
Run by APT41
Last updated: 2026-07-03
About this actor
[C0017](https://attack.mitre.org/campaigns/C0017) was an [APT41](https://attack.mitre.org/groups/G0096) campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) was quick to adapt and use publicly disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of [C0017](https://attack.mitre.org/campaigns/C0017) are unknown; however, [APT41](https://attack.mitre.org/groups/G0096) was observed exfiltrating Personally Identifiable Information (PII). (Citation: Mandiant APT41)
Source: MITRE ATT&CK
Activity timeline
No activity events recorded.
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| No attributed CVEs. | | | | | |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 29 / 40 | 72% |
| CM-6 | 25 / 40 | 62% |
| SI-3 | 25 / 40 | 62% |
| CM-2 | 24 / 40 | 60% |
| AC-3 | 21 / 40 | 52% |
| CA-7 | 20 / 40 | 50% |
| AC-2 | 19 / 40 | 48% |
| AC-6 | 19 / 40 | 48% |
| CM-7 | 19 / 40 | 48% |
| AC-4 | 15 / 40 | 38% |
| SC-7 | 14 / 40 | 35% |
| SI-7 | 11 / 40 | 28% |
| AC-5 | 10 / 40 | 25% |
| SI-10 | 10 / 40 | 25% |
| CM-5 | 9 / 40 | 22% |
Co-occurring actors
None.
Similar actors
Similar TTPs
- GALLIUM 0.39
- SharePoint ToolShell Exploitation 0.33
- Operation CuckooBees 0.31
- FIN13 0.29
- APT39 0.29
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- Cutting Edge 1.00
- KV Botnet Activity 1.00
Same category
- APT41 DUST 1.00
- RedDelta Modified PlugX Infection Chain Operations 1.00
- APT3 1.00
- APT41 1.00
- Mustang Panda 1.00