Center for Threat-Informed Defense Adds menuPass Adversary Emulation Plan to Growing Library

Plan tackles threat group targeting managed service providers and Japanese institutions

McLean, VA, and Bedford, MA, February 4, 2021 MITRE Engenuity’s Center for Threat-Informed Defense (Center) has added a plan to its public library of adversary emulation resources that will enable defenders to replicate tactics and techniques used by menuPass, a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.

Analysts believe that menuPass has operated against targets in at least 12 countries but has thus far focused on companies that provide IT infrastructure and support services and Japanese institutions. menuPass leveraged its unauthorized access to these managed service providers’ networks to pivot into subscriber networks and steal information from organizations in banking and finance, telecommunications, healthcare, manufacturing, consulting, biotechnology, automotive, and energy.

With the addition of the menuPass plan, the publicly available library now has three emulation plans available for defenders to use. “When the Center established our Adversary Emulation Library last fall, we committed to the community that this would be a living resource,” said Richard Struse, Center director. “With the support of, and in collaboration with, our members, we will continue to add new resources to this library that will empower defenders to better assess and defend their organizations.”

The release of this emulation plan is the culmination of collaborative research and development with Center members including Fujitsu and Siemens.

“Intelligence-driven cyber defense from an adversary’s perspective helps organizations improve their risk resilience. This plan systematically documents the publicly-reported behaviors of an adversary that has been attacking Japanese organizations and impacting them significantly,” said Manabu Muramatsu, senior director of cybersecurity, Infrastructure Service Division in the Defense Systems Unit at Fujitsu Limited. “We are proud that we could contribute, in particular, to quality improvements in the machine-readable emulation plan and the script to convert it to a CALDERA plugin. Fujitsu plans to leverage this emulation plan to support our customers to better protect themselves.”

“Adversary emulation plans are a great way for us at Siemens to continuously validate and improve our defense capabilities,” said Hans Wallinger, chief technologist for cyber defense at Siemens AG. “It is a privilege for our Siemens Cyber Defense teams to partner with industry leaders on threat-informed defense topics and share back with a very engaged MITRE ATT&CK community. We are very much looking forward to continued collaborations and hope to see the adversary library grow.”

The adversary emulation library is available in the Center’s GitHub organization [] and is released under the Apache 2 license. The emulation plan is available for security teams to use themselves, as well as in machine-readable form for use with automated tools.

About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

Media contact:

Jeremy Singer