Threat Actor
Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Authors
Authors and/or Contributors |
---|
Alexandre Dulaunoy |
Florian Roth |
Thomas Schreck |
Timo Steffens |
Various |
APT1
PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT1.
Known Synonyms |
---|
Brown Fox |
Byzantine Candor |
COMMENT PANDA |
Comment Crew |
Comment Group |
G0006 |
GIF89a |
Group 3 |
PLA Unit 61398 |
ShadyRAT |
TG-8223 |
Internal MISP references
UUID 1cb7e1cc-d695-42b1-92f4-fd0112a3c9be
which can be used as unique global reference for APT1
in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/PLA_Unit_61398 - webarchive
- http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/pla-unit-61398 - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/ - webarchive
- https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/ - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://attack.mitre.org/groups/G0006/ - webarchive
- https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'Taiwan', 'Israel', 'Norway', 'United Arab Emirates', 'United Kingdom', 'Singapore', 'India', 'Belgium', 'South Africa', 'Switzerland', 'Canada', 'France', 'Luxembourg', 'Japan'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
Nitro
These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nitro.
Known Synonyms |
---|
Covert Grove |
Internal MISP references
UUID 0b06fb39-ed3d-4868-ac42-12fff6df2c80
which can be used as unique global reference for Nitro
in MISP communities and other software using the MISP galaxy
External references
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf - webarchive
- https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Chemical'] |
Dust Storm
Threat actors behind the Operation Dust Storm have been active since at least 2010, the hackers targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dust Storm.
Known Synonyms |
---|
G0031 |
Internal MISP references
UUID 9e71024e-817f-45b0-92a0-d886c30bc929
which can be used as unique global reference for Dust Storm
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
WET PANDA
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WET PANDA.
Known Synonyms |
---|
Red Chimera |
Internal MISP references
UUID ba8973b2-fd97-4aa7-9307-ea4838d96428
which can be used as unique global reference for WET PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
FOXY PANDA
Adversary group targeting telecommunication and technology organizations.
Internal MISP references
UUID 41c15f08-a646-49f7-a644-1bebbf7a4dcd
which can be used as unique global reference for FOXY PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Technology', 'Telecoms'] |
PREDATOR PANDA
Internal MISP references
UUID 1969f622-d64a-4436-9a34-4c47fcb2535f
which can be used as unique global reference for PREDATOR PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
UNION PANDA
Internal MISP references
UUID 7195b51f-500e-4034-a851-bf34a2728dc8
which can be used as unique global reference for UNION PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
SPICY PANDA
Internal MISP references
UUID 4959652d-72fa-46e4-be20-4ec686409bfb
which can be used as unique global reference for SPICY PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
ELOQUENT PANDA
Internal MISP references
UUID 432b0304-768f-4fb9-9762-e745ef524ec7
which can be used as unique global reference for ELOQUENT PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
DIZZY PANDA
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DIZZY PANDA.
Known Synonyms |
---|
LadyBoyle |
Internal MISP references
UUID 8a8f39df-74b3-4946-ab64-f84968bababe
which can be used as unique global reference for DIZZY PANDA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
Grayling
Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.
Internal MISP references
UUID 6714de29-4dd8-463c-99a3-77c9e80fa47d
which can be used as unique global reference for Grayling
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Taiwan', 'United States', 'Vietnam', 'Solomon Islands'] |
cfr-target-category | ['Biomedical', 'Government', 'Information technology'] |
country | CN |
APT2
Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT2.
Known Synonyms |
---|
4HCrew |
G0024 |
MSUpdater |
PLA Unit 61486 |
PUTTER PANDA |
SULPHUR |
SearchFire |
TG-6952 |
Internal MISP references
UUID 0ca45163-e223-4167-b1af-f088ed14a93d
which can be used as unique global reference for APT2
in MISP communities and other software using the MISP galaxy
External references
- http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/putter-panda - webarchive
- https://attack.mitre.org/groups/G0024 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['U.S. satellite and aerospace sector'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
APT3
Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT3.
Known Synonyms |
---|
BORON |
BRONZE MAYFAIR |
Boyusec |
Buckeye |
GOTHIC PANDA |
Group 6 |
Red Sylvan |
TG-0110 |
UPS |
Internal MISP references
UUID d144c83e-2302-4947-9e24-856fbf7949ae
which can be used as unique global reference for APT3
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html - webarchive
- https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-3 - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mayfair - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'United Kingdom', 'Hong Kong'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Political party'] |
Related clusters
To see the related clusters, click here.
DarkHotel
Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkHotel.
Known Synonyms |
---|
APT-C-06 |
ATK52 |
DUBNIUM |
Fallout Team |
G0012 |
Karba |
Luder |
Nemim |
Nemin |
Pioneer |
SIG25 |
Shadow Crane |
T-APT-02 |
TUNGSTEN BRIDGE |
Tapaoux |
Zigzag Hail |
Internal MISP references
UUID b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d
which can be used as unique global reference for DarkHotel
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/ - webarchive
- https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2 - webarchive
- https://securelist.com/blog/research/66779/the-darkhotel-apt/ - webarchive
- https://securelist.com/the-darkhotel-apt/66779/ - webarchive
- https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726 - webarchive
- https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/darkhotel - webarchive
- https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians - webarchive
- https://attack.mitre.org/groups/G0012/ - webarchive
- https://www.secureworks.com/research/threat-profiles/tungsten-bridge - webarchive
- https://www.antiy.cn/research/notice&report/research_report/20200522.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Korea (Republic of) |
cfr-suspected-victims | ['Japan', 'Russia', 'Taiwan', 'South Korea', 'China'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | KR |
Related clusters
To see the related clusters, click here.
APT12
A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT12.
Known Synonyms |
---|
BRONZE GLOBE |
BeeBus |
Calc Team |
Crimson Iron |
DNSCalc |
DynCalc |
Group 22 |
IXESHE |
NUMBERED PANDA |
TG-2754 |
Internal MISP references
UUID 48146604-6693-4db1-bd94-159744726514
which can be used as unique global reference for APT12
in MISP communities and other software using the MISP galaxy
External references
- http://www.crowdstrike.com/blog/whois-numbered-panda/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-12 - webarchive
- https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-globe - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Taiwan', 'Japan'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
APT16
Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT16.
Known Synonyms |
---|
G0023 |
SVCMONDR |
Internal MISP references
UUID 1f73e14f-b882-4032-a565-26dc653b0daf
which can be used as unique global reference for APT16
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-16 - webarchive
- https://attack.mitre.org/groups/G0023 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Japan', 'Taiwan'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
APT17
FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT17.
Known Synonyms |
---|
AURORA PANDA |
Axiom |
BRONZE KEYSTONE |
Dogfish |
G0001 |
G0025 |
Group 72 |
Group 8 |
HELIUM |
Hidden Lynx |
Tailgater Team |
Internal MISP references
UUID 99e30d89-9361-4b73-a999-9e5ff9320bcb
which can be used as unique global reference for APT17
in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-17 - webarchive
- https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/ - webarchive
- https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware - webarchive
- https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire - webarchive
- https://www.recordedfuture.com/hidden-lynx-analysis/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://attack.mitre.org/groups/G0025/ - webarchive
- https://cfr.org/cyber-operations/axiom - webarchive
- https://attack.mitre.org/groups/G0001/ - webarchive
- https://www.youtube.com/watch?v=NFJqD-LcpIg - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'Netherlands', 'Italy', 'Japan', 'United Kingdom', 'Belgium', 'Russia', 'Indonesia', 'Germany', 'Switzerland', 'China'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Defense', 'Intelligence', 'Technology', 'Mining', 'Government, Administration', 'Justice'] |
Related clusters
To see the related clusters, click here.
APT18
Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT18.
Known Synonyms |
---|
DYNAMITE PANDA |
G0026 |
PLA Navy |
SCANDIUM |
TG-0416 |
Wekby |
Internal MISP references
UUID 9a683d9c-8f7d-43df-bba2-ad0ca71e277c
which can be used as unique global reference for APT18
in MISP communities and other software using the MISP galaxy
External references
- https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828 - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-18 - webarchive
- https://attack.mitre.org/groups/G0026 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Aerospace', 'Defense', 'Health', 'High tech', 'Telecoms'] |
Related clusters
To see the related clusters, click here.
APT19
Adversary group targeting financial, technology, non-profit organisations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT19.
Known Synonyms |
---|
BRONZE FIRESTONE |
Black Vine |
Codoso |
DEEP PANDA |
G0009 |
G0073 |
Group 13 |
KungFu Kittens |
PinkPanther |
Pupa |
Shell Crew |
Sunshop Group |
TEMP.Avengers |
WebMasters |
Internal MISP references
UUID 066d25c1-71bd-4bd4-8ca7-edbba00063f4
which can be used as unique global reference for APT19
in MISP communities and other software using the MISP galaxy
External references
- http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf - webarchive
- https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/deep-panda - webarchive
- https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/ - webarchive
- https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/ - webarchive
- https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/ - webarchive
- https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/ - webarchive
- https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/ - webarchive
- https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/ - webarchive
- https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/ - webarchive
- https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/ - webarchive
- https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442 - webarchive
- https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html - webarchive
- https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/ - webarchive
- https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/ - webarchive
- https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html - webarchive
- https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/ - webarchive
- https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695 - webarchive
- https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/ - webarchive
- https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group - webarchive
- https://attack.mitre.org/groups/G0009/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-firestone - webarchive
- https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks - webarchive
- http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/ - webarchive
- https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html - webarchive
- https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel - webarchive
- https://www.youtube.com/watch?v=FC9ARZIZglI - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States'] |
cfr-target-category | ['Private sector', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Technology', 'Finance', 'Non-profit organisation'] |
Related clusters
To see the related clusters, click here.
Naikon
Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Naikon.
Known Synonyms |
---|
BRONZE GENEVA |
BRONZE STERLING |
Camerashy |
G0013 |
G0019 |
Naikon |
OVERRIDE PANDA |
PLA Unit 78020 |
Internal MISP references
UUID 2f1fd017-9df6-4759-91fb-e7039609b5ff
which can be used as unique global reference for Naikon
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/analysis/publications/69953/the-naikon-apt/ - webarchive
- https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf - webarchive
- https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks - webarchive
- https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/ - webarchive
- https://threatconnect.com/blog/tag/naikon/ - webarchive
- https://attack.mitre.org/groups/G0019/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-geneva - webarchive
- https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d - webarchive
- https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/ - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['India', 'Saudi Arabia', 'Vietnam', 'Myanmar', 'Singapore', 'Thailand', 'Malaysia', 'Cambodia', 'China', 'Philippines', 'South Korea', 'United States', 'Indonesia', 'Laos'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
APT30
APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT30.
Known Synonyms |
---|
G0013 |
Internal MISP references
UUID d3881afe-f781-4c53-9f68-33487a119a59
which can be used as unique global reference for APT30
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'South Korea', 'Saudi Arabia', 'Thailand', 'Vietnam', 'Malaysia', 'India'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
LOTUS PANDA
Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LOTUS PANDA.
Known Synonyms |
---|
ATK1 |
BRONZE ELGIN |
DRAGONFISH |
G0030 |
Lotus BLossom |
Red Salamander |
ST Group |
Spring Dragon |
Internal MISP references
UUID 32fafa69-fe3c-49db-afd4-aac2664bcf0d
which can be used as unique global reference for LOTUS PANDA
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/research/70726/the-spring-dragon-apt/ - webarchive
- https://securelist.com/spring-dragon-updated-activity/79067/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/lotus-blossom - webarchive
- https://unit42.paloaltonetworks.com/operation-lotus-blossom/ - webarchive
- https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf - webarchive
- https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/ - webarchive
- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting - webarchive
- https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf - webarchive
- https://attack.mitre.org/groups/G0030/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-elgin - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Japan', 'Philippines', 'Hong Kong', 'Indonesia', 'Taiwan', 'Vietnam'] |
cfr-target-category | ['Military', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Military', 'Government, Administration'] |
Related clusters
To see the related clusters, click here.
HURRICANE PANDA
We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone. HURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence. Once inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.
Internal MISP references
UUID 0286e80e-b0ed-464f-ad62-beec8536d0cb
which can be used as unique global reference for HURRICANE PANDA
in MISP communities and other software using the MISP galaxy
External references
- http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/ - webarchive
- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ - webarchive
- https://www.crowdstrike.com/blog/storm-chasing/ - webarchive
- https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Technology', 'Telecoms'] |
APT27
A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT27.
Known Synonyms |
---|
BRONZE UNION |
Budworm |
EMISSARY PANDA |
Earth Smilodon |
G0027 |
GreedyTaotie |
Group 35 |
Iron Taurus |
Iron Tiger |
Lucky Mouse |
Red Phoenix |
TEMP.Hippo |
TG-3390 |
ZipToken |
Internal MISP references
UUID 834e0acd-d92a-4e38-bb14-dc4159d7cb32
which can be used as unique global reference for APT27
in MISP communities and other software using the MISP galaxy
External references
- https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf - webarchive
- https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/ - webarchive
- https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/iron-tiger - webarchive
- https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/ - webarchive
- https://www.secureworks.com/research/bronze-union - webarchive
- http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states - webarchive
- https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive
- https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/ - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/ - webarchive
- https://securelist.com/luckymouse-ndisproxy-driver/87914/ - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf - webarchive
- https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/ - webarchive
- https://securelist.com/luckymouse-hits-national-data-center/86083/ - webarchive
- https://attack.mitre.org/groups/G0027/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
- https://unit42.paloaltonetworks.com/atoms/iron-taurus/ - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
- https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Unknown |
cfr-suspected-victims | ['United States', 'United Kingdom', 'France', 'Japan', 'Taiwan', 'India', 'Canada', 'China', 'Thailand', 'Israel', 'Australia', 'Republic of Korea', 'Russia', 'Iran', 'Turkey'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Technology', 'Government, Administration', 'Defense'] |
Related clusters
To see the related clusters, click here.
APT10
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT10.
Known Synonyms |
---|
ATK41 |
BRONZE RIVERSIDE |
CVNX |
Cloud Hopper |
G0045 |
Granite Taurus |
HOGFISH |
Menupass Team |
POTASSIUM |
Red Apollo |
STONE PANDA |
TA429 |
happyyongzi |
Internal MISP references
UUID 56b37b05-72e7-4a89-ba8a-61ce45269a8c
which can be used as unique global reference for APT10
in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-10 - webarchive
- https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html - webarchive
- https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/ - webarchive
- https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf - webarchive
- https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html - webarchive
- https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018 - webarchive
- https://attack.mitre.org/groups/G0045/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-riverside - webarchive
- https://unit42.paloaltonetworks.com/atoms/granite-taurus - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new - webarchive
- https://www.crowdstrike.com/blog/two-birds-one-stone-panda/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Japan', 'India', 'South Africa', 'South Korea', 'Sweden', 'United States', 'Canada', 'Australia', 'France', 'Finland', 'United Kingdom', 'Brazil', 'Thailand', 'Switzerland', 'Norway'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
Hellsing
This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage
Internal MISP references
UUID af482dde-9e47-48d5-9cb2-cf8f6d6303d3
which can be used as unique global reference for Hellsing
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Malaysia', 'Indonesia', 'Philippines', 'United States', 'India'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Infrastructure', 'Diplomacy'] |
Night Dragon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Night Dragon.
Known Synonyms |
---|
G0014 |
Internal MISP references
UUID b3714d59-b61e-4713-903a-9b4f04ae7f3d
which can be used as unique global reference for Night Dragon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Related clusters
To see the related clusters, click here.
APT15
This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT15.
Known Synonyms |
---|
BRONZE DAVENPORT |
BRONZE IDLEWOOD |
BRONZE PALACE |
G0004 |
Ke3Chang |
Lurid |
Metushy |
Mirage |
NICKEL |
Nylon Typhoon |
Playful Dragon |
Red Vulture |
Royal APT |
Social Network Team |
VIXEN PANDA |
Internal MISP references
UUID 3501fbf2-098f-47e7-be6a-6b0ff5742ce8
which can be used as unique global reference for APT15
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html - webarchive
- http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/ - webarchive
- https://github.com/nccgroup/Royal_APT - webarchive
- https://www.cfr.org/interactive/cyber-operations/mirage - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf - webarchive
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ - webarchive
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
- https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ - webarchive
- https://attack.mitre.org/groups/G0004/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-palace - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['European Union', 'India', 'United Kingdom', 'Germany'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Government, Administration'] |
Related clusters
To see the related clusters, click here.
APT14
PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. Not surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT14.
Known Synonyms |
---|
ALUMINUM |
ANCHOR PANDA |
QAZTeam |
Internal MISP references
UUID c82c904f-b3b4-40a2-bf0d-008912953104
which can be used as unique global reference for APT14
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'United Kingdom', 'Germany', 'Australia', 'Sweden'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
motive | Espionage |
targeted-sector | ['Other', 'Aerospace', 'Defense', 'Intelligence', 'Maritime', 'Military', 'Space'] |
Related clusters
To see the related clusters, click here.
APT21
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT21.
Known Synonyms |
---|
HAMMER PANDA |
NetTraveler |
TEMP.Zhenbao |
Internal MISP references
UUID b80f4788-ccb2-466d-ae16-b397159d907e
which can be used as unique global reference for APT21
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/nettraveler - webarchive
- https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes - webarchive
- https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary - webarchive
- https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests - webarchive
- http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Mongolia', 'Kazakhstan', 'Tajikistan', 'Germany', 'United Kingdom', 'India', 'Kyrgyzstan', 'South Korea', 'United States', 'Chile', 'Russia', 'China', 'Spain', 'Canada', 'Morocco'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
DAGGER PANDA
Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DAGGER PANDA.
Known Synonyms |
---|
IceFog |
PLA Unit 69010 |
Red Wendigo |
RedFoxtrot |
Trident |
Internal MISP references
UUID 32c534b9-abec-4823-b223-a810f897b47b
which can be used as unique global reference for DAGGER PANDA
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/ - webarchive
- https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/icefog - webarchive
- https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['South Korea', 'United States', 'Japan', 'Germany', 'China'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Other', 'Maritime', 'Military', 'Government, Administration', 'Telecoms'] |
APT24
The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT24.
Known Synonyms |
---|
G0011 |
PITTY PANDA |
Temp.Pittytiger |
Internal MISP references
UUID 4d37813c-b8e9-4e58-a758-03168d8aa189
which can be used as unique global reference for APT24
in MISP communities and other software using the MISP galaxy
External references
- http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2 - webarchive
- http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2 - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/ - webarchive
- https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html - webarchive
- https://attack.mitre.org/groups/G0011 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Related clusters
To see the related clusters, click here.
Roaming Tiger
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Roaming Tiger.
Known Synonyms |
---|
BRONZE WOODLAND |
Rotten Tomato |
Internal MISP references
UUID 1fb177c1-472a-4147-b7c4-b5269b11703d
which can be used as unique global reference for Roaming Tiger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Beijing Group
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Beijing Group.
Known Synonyms |
---|
Elderwood |
Elderwood Gang |
G0066 |
SIG22 |
SNEAKY PANDA |
Internal MISP references
UUID da754aeb-a86d-4874-b388-d1d2028a56be
which can be used as unique global reference for Beijing Group
in MISP communities and other software using the MISP galaxy
External references
- https://www.cfr.org/interactive/cyber-operations/sneaky-panda - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://attack.mitre.org/groups/G0066/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'Canada', 'United Kingdom', 'Switzerland', 'Hong Kong', 'Australia', 'India', 'Taiwan', 'China', 'Denmark'] |
cfr-target-category | ['Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
RADIO PANDA
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RADIO PANDA.
Known Synonyms |
---|
Shrouded Crossbow |
Internal MISP references
UUID c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e
which can be used as unique global reference for RADIO PANDA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
APT.3102
Internal MISP references
UUID f33fd440-93ee-41e5-974a-be9343e18cdf
which can be used as unique global reference for APT.3102
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
SAMURAI PANDA
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SAMURAI PANDA.
Known Synonyms |
---|
PLA Navy |
Wisp Team |
Internal MISP references
UUID 2fb07fa4-0d7f-43c7-8ff4-b28404313fe7
which can be used as unique global reference for SAMURAI PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'United Kingdom', 'Hong Kong'] |
cfr-target-category | ['Private sector', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
IMPERSONATING PANDA
Internal MISP references
UUID b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1
which can be used as unique global reference for IMPERSONATING PANDA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
APT20
We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access. In contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT20.
Known Synonyms |
---|
Crawling Taurus |
TH3Bug |
VIOLIN PANDA |
Internal MISP references
UUID 8bcd855f-a4c1-453a-bede-ff36582f4f40
which can be used as unique global reference for APT20
in MISP communities and other software using the MISP galaxy
External references
- http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/ - webarchive
- https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/crawling-taurus/ - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
TOXIC PANDA
A group targeting dissident groups in China and at the boundaries.
Internal MISP references
UUID 1514546d-f6ea-4af3-bbea-24d6fd9e6761
which can be used as unique global reference for TOXIC PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
TEMPER PANDA
China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TEMPER PANDA.
Known Synonyms |
---|
Admin338 |
G0018 |
MAGNESIUM |
Team338 |
admin@338 |
Internal MISP references
UUID ac4bce1f-b3ec-4c44-bd36-b6cc986b319b
which can be used as unique global reference for TEMPER PANDA
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html - webarchive
- https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html - webarchive
- https://www.cfr.org/interactive/cyber-operations/admin338 - webarchive
- https://attack.mitre.org/groups/G0018/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Hong Kong', 'United States'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Activists', 'Trade', 'Finance', 'Political party'] |
Related clusters
To see the related clusters, click here.
APT23
TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT23.
Known Synonyms |
---|
BRONZE HOBART |
Earth Centaur |
G0081 |
KeyBoy |
PIRATE PANDA |
Red Orthrus |
Tropic Trooper |
Internal MISP references
UUID 7f16d1f5-04ee-4d99-abf0-87e1f23f9fee
which can be used as unique global reference for APT23
in MISP communities and other software using the MISP galaxy
External references
- https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/ - webarchive
- http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ - webarchive
- http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ - webarchive
- https://blog.lookout.com/titan-mobile-threat - webarchive
- https://attack.mitre.org/groups/G0081/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-hobart - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Military', 'Government, Administration'] |
Flying Kitten
Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Flying Kitten.
Known Synonyms |
---|
Ajax Security Team |
AjaxSecurityTeam |
Group 26 |
Saffron Rose |
SaffronRose |
Sayad |
Internal MISP references
UUID ba724df5-9aa0-45ca-8e0e-7101c208ae48
which can be used as unique global reference for Flying Kitten
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf - webarchive
- https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/saffron-rose - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['United States', 'Iranian internet activists'] |
cfr-target-category | ['Military', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Aerospace', 'Defense', 'Gas', 'Oil'] |
Related clusters
To see the related clusters, click here.
Cutting Kitten
One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cutting Kitten.
Known Synonyms |
---|
ITsecTeam |
Internal MISP references
UUID 11e17436-6ede-4733-8547-4ce0254ea19e
which can be used as unique global reference for Cutting Kitten
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['United States', 'Bank of America', 'US Bancorp', 'Fifth Third Bank', 'Citigroup', 'PNC', 'BB&T', 'Wells Fargo', 'Capital One', 'HSBC', 'AT&T', 'NYSE'] |
cfr-type-of-incident | ['Denial of service'] |
country | IR |
Charming Kitten
Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Charming Kitten.
Known Synonyms |
---|
CharmingCypress |
G0058 |
Group 83 |
NewsBeef |
Newscaster |
Parastoo |
iKittens |
Internal MISP references
UUID f98bac6b-12fd-4cad-be84-c84666932232
which can be used as unique global reference for Charming Kitten
in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/Operation_Newscaster - webarchive
- https://iranthreats.github.io/resources/macdownloader-macos-malware/ - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf - webarchive
- https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/ - webarchive
- https://cryptome.org/2012/11/parastoo-hacks-iaea.htm - webarchive
- https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf - webarchive
- https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/ - webarchive
- https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/newscaster - webarchive
- https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/ - webarchive
- https://securelist.com/freezer-paper-around-free-meat/74503/ - webarchive
- https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/ - webarchive
- http://www.arabnews.com/node/1195681/media - webarchive
- https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f - webarchive
- https://blog.certfa.com/posts/the-return-of-the-charming-kitten/ - webarchive
- https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber - webarchive
- https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf - webarchive
- https://attack.mitre.org/groups/G0058/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['U.S. government/defense sector websites', 'Saudi Arabia', 'Israel', 'Iraq', 'United Kingdom'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Defense', 'Diplomacy', 'Military', 'Technology', 'Government, Administration'] |
Related clusters
To see the related clusters, click here.
APT33
Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT33.
Known Synonyms |
---|
APT 33 |
ATK35 |
COBALT TRINITY |
Elfin |
G0064 |
HOLMIUM |
MAGNALLIUM |
Peach Sandstorm |
Refined Kitten |
TA451 |
Internal MISP references
UUID 4f69ec6d-cb6b-42af-b8e2-920a2aa4be10
which can be used as unique global reference for APT33
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/ - webarchive
- https://www.brighttalk.com/webcast/10703/275683 - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://attack.mitre.org/groups/G0064/ - webarchive
- https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-33 - webarchive
- https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf - webarchive
- https://dragos.com/adversaries.html - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
capabilities | STONEDRILL wiper, variants of TURNEDUP malware |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['United States', 'Saudi Arabia', 'South Korea'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | IR |
mode-of-operation | IT network limited, information gathering against industrial orgs |
victimology | Petrochemical, Aerospace, Saudi Arabia |
Related clusters
To see the related clusters, click here.
Magic Kitten
Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Magic Kitten.
Known Synonyms |
---|
Group 42 |
VOYEUR |
Internal MISP references
UUID 2e77511d-f72f-409e-9b64-e2a15efe9bf4
which can be used as unique global reference for Magic Kitten
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
targeted-sector | ['Opposition', 'Dissidents', 'Political party'] |
Rocket Kitten
Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rocket Kitten.
Known Synonyms |
---|
Operation Woolen Goldfish |
Operation Woolen-Goldfish |
TEMP.Beanie |
Thamar Reservoir |
Timberworm |
Internal MISP references
UUID f873db71-3d53-41d5-b141-530675ade27a
which can be used as unique global reference for Rocket Kitten
in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing - webarchive
- https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf - webarchive
- http://www.clearskysec.com/thamar-reservoir/ - webarchive
- https://citizenlab.ca/2015/08/iran_two_factor_phishing/ - webarchive
- https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/ - webarchive
- https://en.wikipedia.org/wiki/Rocket_Kitten - webarchive
- https://www.cfr.org/interactive/cyber-operations/rocket-kitten - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Saudi Arabia', 'Venezuela', 'Afghanistan', 'United Arab Emirates', 'Iran', 'Israel', 'Iraq', 'Kuwait', 'Turkey', 'Canada', 'Yemen', 'United Kingdom', 'Egypt', 'Syria', 'Jordan'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Activists', 'Defense', 'Journalist', 'Research - Innovation', 'Academia - University', 'Government, Administration'] |
Related clusters
To see the related clusters, click here.
Cleaver
A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cleaver.
Known Synonyms |
---|
Alibaba |
Cobalt Gypsy |
G0003 |
Op Cleaver |
Operation Cleaver |
TG-2889 |
Tarh Andishan |
Internal MISP references
UUID 86724806-7ec9-4a48-a0a7-ecbde3bf4810
which can be used as unique global reference for Cleaver
in MISP communities and other software using the MISP galaxy
External references
- https://www.secureworks.com/research/the-curious-case-of-mia-ash - webarchive
- https://www.cfr.org/interactive/cyber-operations/operation-cleaver - webarchive
- http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing - webarchive
- https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations - webarchive
- https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/ - webarchive
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf - webarchive
- https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf - webarchive
- https://attack.mitre.org/groups/G0003/ - webarchive
- https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/ - webarchive
- https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles - webarchive
- https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten - webarchive
- https://www.cfr.org/cyber-operations/operation-cleaver - webarchive
- https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html - webarchive
- https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Canada', 'France', 'Israel', 'Mexico', 'Saudi Arabia', 'China', 'Germany', 'United States', 'Pakistan', 'South Korea', 'United Kingdom', 'India', 'Kuwait', 'Qatar', 'Turkey'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Defense', 'Energy', 'Technology', 'Government, Administration', 'Academia - University'] |
Related clusters
To see the related clusters, click here.
Sands Casino
Internal MISP references
UUID 1de1a64e-ea14-4e79-9e41-6958bdb6c0ff
which can be used as unique global reference for Sands Casino
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
Rebel Jackal
This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rebel Jackal.
Known Synonyms |
---|
FallagaTeam |
Internal MISP references
UUID 29af2812-f7fb-4edb-8cc4-86d0d9e3644b
which can be used as unique global reference for Rebel Jackal
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TN |
motive | Hacktivists-Nationalists |
Viking Jackal
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Viking Jackal.
Known Synonyms |
---|
Vikingdom |
Internal MISP references
UUID 7f99ba32-421c-4905-9deb-006e8eda40c1
which can be used as unique global reference for Viking Jackal
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | AE |
APT28
The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT28.
Known Synonyms |
---|
APT-C-20 |
ATK5 |
Blue Athena |
BlueDelta |
FANCY BEAR |
FROZENLAKE |
Fancy Bear |
Fighting Ursa |
Forest Blizzard |
G0007 |
Grizzly Steppe |
Group 74 |
IRON TWILIGHT |
ITG05 |
Pawn Storm |
SIG40 |
SNAKEMACKEREL |
STRONTIUM |
Sednit |
Sofacy |
Swallowtail |
T-APT-12 |
TA422 |
TG-4127 |
Tsar Team |
UAC-0028 |
Internal MISP references
UUID 5b4ee3ea-eee3-4c8e-8323-85ae32658754
which can be used as unique global reference for APT28
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/groups/G0007/ - webarchive
- https://en.wikipedia.org/wiki/Fancy_Bear - webarchive
- https://en.wikipedia.org/wiki/Sofacy_Group - webarchive
- https://www.bbc.com/news/technology-37590375 - webarchive
- https://www.bbc.co.uk/news/technology-45257081 - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-28 - webarchive
- https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f - webarchive
- https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html - webarchive
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
- https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630 - webarchive
- https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/ - webarchive
- https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/ - webarchive
- https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf - webarchive
- https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff - webarchive
- https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf - webarchive
- https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware - webarchive
- https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government - webarchive
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/ - webarchive
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive
- https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny - webarchive
- https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/ - webarchive
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/ - webarchive
- https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/ - webarchive
- https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/ - webarchive
- https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/ - webarchive
- https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/ - webarchive
- https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament - webarchive
- https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/ - webarchive
- https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508 - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/ - webarchive
- https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected - webarchive
- https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf - webarchive
- https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN - webarchive
- https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/ - webarchive
- https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/ - webarchive
- https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae - webarchive
- https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1 - webarchive
- https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf - webarchive
- https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/ - webarchive
- https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ - webarchive
- https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/ - webarchive
- https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/fighting-ursa/ - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
- https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['Georgia', 'France', 'Jordan', 'United States', 'Hungary', 'World Anti-Doping Agency', 'Armenia', 'Tajikistan', 'Japan', 'NATO', 'Ukraine', 'Belgium', 'Pakistan', 'Asia Pacific Economic Cooperation', 'International Association of Athletics Federations', 'Turkey', 'Mongolia', 'OSCE', 'United Kingdom', 'Germany', 'Poland', 'European Commission', 'Afghanistan', 'Kazakhstan', 'China'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Military', 'Government, Administration', 'Security Service'] |
Related clusters
To see the related clusters, click here.
APT29
A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT29.
Known Synonyms |
---|
ATK7 |
Blue Kitsune |
BlueBravo |
COZY BEAR |
Cloaked Ursa |
G0016 |
Grizzly Steppe |
Group 100 |
IRON HEMLOCK |
ITG11 |
Minidionis |
Nobelium |
SeaDuke |
TA421 |
The Dukes |
UAC-0029 |
YTTRIUM |
Internal MISP references
UUID b2056ff0-00b9-482e-b11c-c771daa5f28a
which can be used as unique global reference for APT29
in MISP communities and other software using the MISP galaxy
External references
- https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/ - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf - webarchive
- https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html - webarchive
- https://www.cfr.org/interactive/cyber-operations/dukes - webarchive
- https://pylos.co/2018/11/18/cozybear-in-from-the-cold/ - webarchive
- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hemlock - webarchive
- https://attack.mitre.org/groups/G0016 - webarchive
- https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf - webarchive
- https://cip.gov.ua/services/cm/api/attachment/download?id=60068 - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['United States', 'China', 'New Zealand', 'Ukraine', 'Romania', 'Georgia', 'Japan', 'South Korea', 'Belgium', 'Kazakhstan', 'Brazil', 'Mexico', 'Turkey', 'Portugal', 'India', 'Germany'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Think Tanks', 'Government, Administration'] |
Related clusters
To see the related clusters, click here.
Turla
A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Turla.
Known Synonyms |
---|
ATK13 |
Blue Python |
G0010 |
Group 88 |
Hippo Team |
IRON HUNTER |
ITG12 |
KRYPTON |
MAKERSMARK |
Pacifier APT |
Pfinet |
Popeye |
SIG23 |
SUMMIT |
Secret Blizzard |
Snake |
TAG_0530 |
UAC-0003 |
UAC-0024 |
UAC-0144 |
UNC4210 |
Uroburos |
VENOMOUS Bear |
WRAITH |
Waterbug |
Internal MISP references
UUID fa80877c-f509-4daf-8b62-20aba1635f68
which can be used as unique global reference for Turla
in MISP communities and other software using the MISP galaxy
External references
- https://www.circl.lu/pub/tr-25/ - webarchive
- https://securelist.com/introducing-whitebear/81638/ - webarchive
- https://securelist.com/the-epic-turla-operation/65545/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/turla - webarchive
- https://www.nytimes.com/2010/08/26/technology/26cyber.html - webarchive
- https://securelist.com/blog/research/67962/the-penquin-turla-2/ - webarchive
- https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/ - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf - webarchive
- https://securelist.com/analysis/publications/65545/the-epic-turla-operation/ - webarchive
- https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/ - webarchive
- https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/ - webarchive
- https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/ - webarchive
- https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf - webarchive
- https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548 - webarchive
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ - webarchive
- https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ - webarchive
- https://docs.broadcom.com/doc/waterbug-attack-group - webarchive
- https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec - webarchive
- https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/ - webarchive
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf - webarchive
- https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html - webarchive
- https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/ - webarchive
- https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf - webarchive
- https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit - webarchive
- https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/ - webarchive
- https://attack.mitre.org/groups/G0010/ - webarchive
- https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
- https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/ - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://cip.gov.ua/services/cm/api/attachment/download?id=60068 - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['France', 'Romania', 'Kazakhstan', 'Poland', 'Tajikistan', 'Russia', 'United States', 'Saudi Arabia', 'Germany', 'India', 'Belarus', 'Netherlands', 'Iran', 'Uzbekistan', 'Iraq'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Government, Administration', 'Education', 'Electric', 'Energy', 'Health'] |
Related clusters
To see the related clusters, click here.
ENERGETIC BEAR
A Russian group that collects intelligence on the energy industry.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ENERGETIC BEAR.
Known Synonyms |
---|
ALLANITE |
ATK6 |
BERSERK BEAR |
BROMINE |
Blue Kraken |
CASTLE |
Crouching Yeti |
DYMALLOY |
Dragonfly |
G0035 |
Ghost Blizzard |
Group 24 |
Havex |
IRON LIBERTY |
ITG15 |
Koala Team |
TG-4192 |
Internal MISP references
UUID 64d6559c-6d5c-4585-bbf9-c17868f763ee
which can be used as unique global reference for ENERGETIC BEAR
in MISP communities and other software using the MISP galaxy
External references
- https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet - webarchive
- https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/ - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf - webarchive
- http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans - webarchive
- https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/crouching-yeti - webarchive
- https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA - webarchive
- https://dragos.com/wp-content/uploads/CrashOverride-01.pdf - webarchive
- https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html - webarchive
- https://www.riskiq.com/blog/labs/energetic-bear/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks - webarchive
- https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat - webarchive
- https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672 - webarchive
- https://attack.mitre.org/groups/G0035/ - webarchive
- https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector - webarchive
- https://dragos.com/adversaries.html - webarchive
- https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/dymalloy - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 75 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['United States', 'Germany', 'Turkey', 'China', 'Spain', 'France', 'Ireland', 'Japan', 'Italy', 'Poland'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Energy'] |
Related clusters
To see the related clusters, click here.
Sandworm
This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sandworm.
Known Synonyms |
---|
APT44 |
Blue Echidna |
ELECTRUM |
FROZENBARENTS |
G0034 |
IRIDIUM |
IRON VIKING |
Quedagh |
Seashell Blizzard |
TEMP.Noble |
TeleBots |
UAC-0082 |
UAC-0113 |
VOODOO BEAR |
Internal MISP references
UUID f512de42-f76b-40d2-9923-59e7dbdfec35
which can be used as unique global reference for Sandworm
in MISP communities and other software using the MISP galaxy
External references
- https://dragos.com/blog/crashoverride/CrashOverride-01.pdf - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-163A - webarchive
- https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid - webarchive
- https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks - webarchive
- https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage - webarchive
- https://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/ - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf - webarchive
- https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf - webarchive
- https://dragos.com/adversaries.html - webarchive
- http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks - webarchive
- https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt - webarchive
- https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine - webarchive
- https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare - webarchive
- https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine - webarchive
- https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back - webarchive
- https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/ - webarchive
- https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine - webarchive
- https://cert.gov.ua/article/405538 - webarchive
- https://cip.gov.ua/services/cm/api/attachment/download?id=60068 - webarchive
- https://packetstormsecurity.com/news/view/35790/Recent-OT-And-Espionage-Attacks-Linked-To-Russias-Sandworm-Now-Named-APT44.html - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235 - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['Russia', 'Lithuania', 'Kyrgyzstan', 'Israel', 'Ukraine', 'Belarus', 'Kazakhstan', 'Georgia', 'Poland', 'Azerbaijan', 'Iran'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Electric', 'Energy', 'Industrial'] |
Related clusters
To see the related clusters, click here.
FIN7
Groups targeting financial organizations or people with significant financial assets.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN7.
Known Synonyms |
---|
ATK32 |
CARBON SPIDER |
Calcium |
Carbanak |
Carbon Spider |
Coreid |
ELBRUS |
G0008 |
G0046 |
GOLD NIAGARA |
Sangria Tempest |
Internal MISP references
UUID 00220228-a5a4-4032-a30d-826bb55aa3fb
which can be used as unique global reference for FIN7
in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/Carbanak - webarchive
- https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe - webarchive
- http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf - webarchive
- https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks - webarchive
- https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor - webarchive
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns - webarchive
- https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/ - webarchive
- https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain - webarchive
- https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf - webarchive
- https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf - webarchive
- https://attack.mitre.org/groups/G0008/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html - webarchive
- https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - webarchive
- https://blog.morphisec.com/fin7-attacks-restaurant-industry - webarchive
- https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ - webarchive
- https://blog.morphisec.com/fin7-attack-modifications-revealed - webarchive
- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign - webarchive
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ - webarchive
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
- https://attack.mitre.org/groups/G0046/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://threatintel.blog/OPBlueRaven-Part1/ - webarchive
- https://threatintel.blog/OPBlueRaven-Part2/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous - webarchive
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
motive | Cybercrime |
Related clusters
To see the related clusters, click here.
TeamSpy Crew
Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say. The attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets. Researchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamSpy Crew.
Known Synonyms |
---|
Anger Bear |
IRON LYRIC |
Team Bear |
TeamSpy |
Internal MISP references
UUID 82c1c7fa-c67b-4be6-9be8-8aa400ef2445
which can be used as unique global reference for TeamSpy Crew
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/team-spy-crew - webarchive
- https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/ - webarchive
- https://www.crysys.hu/publications/files/teamspy.pdf - webarchive
- https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf - webarchive
- https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['Hungary', 'Belarus'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Activists', 'Intelligence', 'Government, Administration'] |
Related clusters
To see the related clusters, click here.
BuhTrap
Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified. Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure which provokes delay in servicing customers and additional losses. Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gates which are known to be of interest for other criminal groups.
Internal MISP references
UUID b737c51f-b579-49d5-a907-743b2e6d03cb
which can be used as unique global reference for BuhTrap
in MISP communities and other software using the MISP galaxy
External references
- https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/ - webarchive
- https://www.group-ib.com/brochures/gib-buhtrap-report.pdf - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware - webarchive
- https://www.kaspersky.com/blog/financial-trojans-2019/25690/ - webarchive
- https://www.welivesecurity.com/2015/04/09/operation-buhtrap/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
targeted-sector | ['Bank', 'Payment', 'Finance'] |
WOLF SPIDER
FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WOLF SPIDER.
Known Synonyms |
---|
FIN4 |
G0085 |
Internal MISP references
UUID ff449346-aa9f-45f6-b482-71e886a5cf57
which can be used as unique global reference for WOLF SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623 - webarchive
- https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf - webarchive
- https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html - webarchive
- https://attack.mitre.org/groups/G0085/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RO |
targeted-sector | ['Health', 'Finance', 'Pharmacy'] |
Boulder Bear
First observed activity in December 2013.
Internal MISP references
UUID 85b40169-3d1c-491b-9fbf-877ed57f32e0
which can be used as unique global reference for Boulder Bear
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
SHARK SPIDER
This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.
Internal MISP references
UUID 7dd7a8df-9012-4d14-977f-b3f9f71266b4
which can be used as unique global reference for SHARK SPIDER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
targeted-sector | ['Bank'] |
UNION SPIDER
Adversary targeting manufacturing and industrial organizations.
Internal MISP references
UUID db774b7d-a0ee-4375-b24e-fd278f5ab2fd
which can be used as unique global reference for UNION SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
targeted-sector | ['Manufacturing', 'Industrial'] |
Silent Chollima
Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silent Chollima.
Known Synonyms |
---|
Andariel |
GOP |
Guardian of Peace |
Onyx Sleet |
OperationTroy |
PLUTONIUM |
Subgroup: Andariel |
WHOis Team |
Internal MISP references
UUID 245c8dde-ed42-4c49-b48b-634e3e21bdd7
which can be used as unique global reference for Silent Chollima
in MISP communities and other software using the MISP galaxy
External references
- https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | KP |
Lazarus Group
Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lazarus Group.
Known Synonyms |
---|
APT 38 |
APT-C-26 |
APT38 |
ATK117 |
ATK3 |
Andariel |
Appleworm |
BeagleBoyz |
Bluenoroff |
Bureau 121 |
COPERNICIUM |
COVELLITE |
Citrine Sleet |
DEV-0139 |
DEV-1222 |
Dark Seoul |
Diamond Sleet |
G0032 |
G0082 |
Group 77 |
Hastati Group |
Hidden Cobra |
Labyrinth Chollima |
Lazarus group |
NICKEL GLADSTONE |
NewRomanic Cyber Army Team |
Nickel Academy |
Operation AppleJeus |
Operation DarkSeoul |
Operation GhostSecret |
Operation Troy |
Sapphire Sleet |
Stardust Chollima |
Subgroup: Bluenoroff |
TA404 |
Unit 121 |
Whois Hacking Team |
ZINC |
Zinc |
Internal MISP references
UUID 68391641-859f-4a9a-9a1e-3e5cf71ec376
which can be used as unique global reference for Lazarus Group
in MISP communities and other software using the MISP galaxy
External references
- https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/ - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-164A - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-318A - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-318B - webarchive
- https://securelist.com/operation-applejeus/87553/ - webarchive
- https://securelist.com/lazarus-under-the-hood/77908/ - webarchive
- https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/lazarus-group - webarchive
- https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret - webarchive
- https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea - webarchive
- https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/ - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/ - webarchive
- https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack - webarchive
- https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise - webarchive
- https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html - webarchive
- https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov - webarchive
- https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/ - webarchive
- https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/AR19-129A - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/ - webarchive
- https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/ - webarchive
- https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/ - webarchive
- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf - webarchive
- https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations - webarchive
- https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies - webarchive
- https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c - webarchive
- https://attack.mitre.org/groups/G0032/ - webarchive
- https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/ - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105 - webarchive
- https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD - webarchive
- https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/ - webarchive
- https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware - webarchive
- https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html - webarchive
- https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret - webarchive
- https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/ - webarchive
- https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678 - webarchive
- https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/ - webarchive
- https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-gladstone - webarchive
- https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html - webarchive
- https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ - webarchive
- https://dragos.com/adversaries.html - webarchive
- https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/covellite - webarchive
- https://www.hvs-consulting.de/lazarus-report/ - webarchive
- https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37 - webarchive
- https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html - webarchive
- https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html - webarchive
- https://attack.mitre.org/groups/G0082 - webarchive
- https://attack.mitre.org/groups/G0032 - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-048a - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Korea (Democratic People's Republic of) |
cfr-suspected-victims | ['South Korea', 'Bangladesh Bank', 'Sony Pictures Entertainment', 'United States', 'Thailand', 'France', 'China', 'Hong Kong', 'United Kingdom', 'Guatemala', 'Canada', 'Bangladesh', 'Japan', 'India', 'Germany', 'Brazil', 'Thailand', 'Australia', 'Cryptocurrency exchanges in South Korea'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | ['Espionage', 'Sabotage'] |
country | KP |
Related clusters
To see the related clusters, click here.
VICEROY TIGER
VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VICEROY TIGER.
Known Synonyms |
---|
APT-C-35 |
Donot Team |
OPERATION HANGOVER |
Orange Kala |
SectorE02 |
Internal MISP references
UUID e2b87f81-a6a1-4524-b03f-193c3191d239
which can be used as unique global reference for VICEROY TIGER
in MISP communities and other software using the MISP galaxy
External references
- https://github.com/jack8daniels2/threat-INTel/blob/master/2013/Unveiling-an-Indian-Cyberattack-Infrastructure-appendixes.pdf - webarchive
- https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/ - webarchive
- https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia - webarchive
- https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/ - webarchive
- https://www.crowdstrike.com/blog/viceroy-tiger-delivers-new-zero-day-exploit/index.html - webarchive
- https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/ - webarchive
- https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/ - webarchive
- https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-victims | ['Germany'] |
country | IN |
targeted-sector | ['Government, Administration', 'Security Service'] |
Related clusters
To see the related clusters, click here.
PIZZO SPIDER
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PIZZO SPIDER.
Known Synonyms |
---|
Ambiorx |
DD4BC |
Internal MISP references
UUID dd9806a9-a600-48f8-81fb-07f0f1b7690d
which can be used as unique global reference for PIZZO SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | US |
Corsair Jackal
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Corsair Jackal.
Known Synonyms |
---|
TunisianCyberArmy |
Internal MISP references
UUID 59d63dd6-f46f-4334-ad15-30d2e1ee0623
which can be used as unique global reference for Corsair Jackal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TN |
SNOWGLOBE
In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SNOWGLOBE.
Known Synonyms |
---|
ATK8 |
Animal Farm |
Snowglobe |
Internal MISP references
UUID 3b8e7462-c83f-4e7d-9511-2fe430d80aab
which can be used as unique global reference for SNOWGLOBE
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/research/69114/animals-in-the-apt-farm/ - webarchive
- https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france - webarchive
- https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/ - webarchive
- https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/ - webarchive
- https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope - webarchive
- https://www.cfr.org/interactive/cyber-operations/snowglobe - webarchive
- https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | France |
cfr-suspected-victims | ['Syria', 'United States', 'Netherlands', 'Russia', 'Spain', 'Iran', 'China', 'Germany', 'Algeria', 'Norway', 'Malaysia', 'Turkey', 'United Kingdom', 'Ivory Coast', 'Greece'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | FR |
Deadeye Jackal
The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Deadeye Jackal.
Known Synonyms |
---|
SEA |
SyrianElectronicArmy |
Internal MISP references
UUID 4265d44e-8372-4ed0-b428-b331a5443d7d
which can be used as unique global reference for Deadeye Jackal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | SY |
targeted-sector | ['Country', 'Defense', 'Opposition', 'Political party', 'News - Media', 'Government, Administration'] |
Operation C-Major
Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Operation C-Major.
Known Synonyms |
---|
APT 36 |
APT36 |
C-Major |
COPPER FIELDSTONE |
Earth Karkaddan |
Green Havildar |
Mythic Leopard |
ProjectM |
TMP.Lapis |
Transparent Tribe |
Internal MISP references
UUID acbb5cad-ffe7-4b0e-a57a-2dbc916e8905
which can be used as unique global reference for Operation C-Major
in MISP communities and other software using the MISP galaxy
External references
- http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf - webarchive
- https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf - webarchive
- https://www.amnesty.org/en/documents/asa33/8366/2018/en/ - webarchive
- https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe - webarchive
- https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf - webarchive
- https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf - webarchive
- https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials - webarchive
- https://s.tencent.com/research/report/669.html - webarchive
- https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html - webarchive
- https://www.secureworks.com/research/threat-profiles/copper-fieldstone - webarchive
- https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html - webarchive
- https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Pakistan |
cfr-target-category | ['Civil society', 'Military', 'Government'] |
country | PK |
targeted-sector | ['Activists', 'Civil society', 'Military'] |
Related clusters
To see the related clusters, click here.
Stealth Falcon
This threat actor targets civil society groups and Emirati journalists, activists, and dissidents.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stealth Falcon.
Known Synonyms |
---|
FruityArmor |
G0038 |
Internal MISP references
UUID dab75e38-6969-4e78-9304-dc269c3cbcf0
which can be used as unique global reference for Stealth Falcon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | United Arab Emirates |
cfr-suspected-victims | ['United Arab Emirates', 'United Kingdom'] |
cfr-target-category | ['Civil society'] |
cfr-type-of-incident | Espionage |
country | AE |
targeted-sector | ['Activists', 'Dissidents', 'Journalist', 'Civil society'] |
Related clusters
To see the related clusters, click here.
HummingBad
This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder
Internal MISP references
UUID 12ab5c28-5f38-4a2f-bd40-40e9c500f4ac
which can be used as unique global reference for HummingBad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
QUILTED TIGER
Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QUILTED TIGER.
Known Synonyms |
---|
APT-C-09 |
ATK11 |
Chinastrats |
Dropping Elephant |
G0040 |
Monsoon |
Orange Athos |
Patchwork |
Sarit |
Thirsty Gemini |
ZINC EMERSON |
Internal MISP references
UUID 18d473a5-831b-47a5-97a1-a32156299825
which can be used as unique global reference for QUILTED TIGER
in MISP communities and other software using the MISP galaxy
External references
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign - webarchive
- https://www.cymmetria.com/patchwork-targeted-attack/ - webarchive
- https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf - webarchive
- https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ - webarchive
- https://attack.mitre.org/groups/G0040/ - webarchive
- https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf - webarchive
- https://securelist.com/the-dropping-elephant-actor/75328/ - webarchive
- https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/zinc-emerson - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait - webarchive
- https://unit42.paloaltonetworks.com/atoms/thirstygemini/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | India |
cfr-suspected-victims | ['Bangladesh', 'Sri Lanka', 'Pakistan'] |
cfr-target-category | ['Private sector', 'Military'] |
cfr-type-of-incident | Espionage |
country | IN |
targeted-sector | ['Finance', 'Diplomacy'] |
Related clusters
To see the related clusters, click here.
Scarlet Mimic
Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same. The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved. The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC. Scarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Scarlet Mimic.
Known Synonyms |
---|
G0029 |
Golfing Taurus |
Internal MISP references
UUID 0da10682-85c6-4c0b-bace-ba1f7adfb63e
which can be used as unique global reference for Scarlet Mimic
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Activists'] |
Related clusters
To see the related clusters, click here.
Poseidon Group
Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poseidon Group.
Known Synonyms |
---|
G0033 |
Internal MISP references
UUID 5fc09923-fcff-4e81-9cae-4518ef31cf4d
which can be used as unique global reference for Poseidon Group
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | BR |
Related clusters
To see the related clusters, click here.
DragonOK
Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DragonOK.
Known Synonyms |
---|
BRONZE OVERBROOK |
G0002 |
G0017 |
Moafee |
Shallow Taurus |
Internal MISP references
UUID a9b44750-992c-4743-8922-129880d277ea
which can be used as unique global reference for DragonOK
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf - webarchive
- https://attack.mitre.org/wiki/Groups - webarchive
- https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor - webarchive
- https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/moafee - webarchive
- https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/ - webarchive
- https://www.phnompenhpost.com/national/kingdom-targeted-new-malware - webarchive
- https://attack.mitre.org/groups/G0017/ - webarchive
- https://attack.mitre.org/groups/G0002/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-overbrook - webarchive
- https://unit42.paloaltonetworks.com/atoms/shallowtaurus/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
ProjectSauron
ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ProjectSauron.
Known Synonyms |
---|
G0041 |
Project Sauron |
Sauron |
Strider |
Internal MISP references
UUID f3179cfb-9c86-4980-bd6b-e4fa74adaaa7
which can be used as unique global reference for ProjectSauron
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/project-sauron - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf - webarchive
- https://attack.mitre.org/groups/G0041/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | United States |
cfr-suspected-victims | ['Russia', 'Iran', 'Belgium', 'China', 'Sweden', 'Rwanda'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | US |
targeted-sector | ['Intelligence'] |
Related clusters
To see the related clusters, click here.
TA530
TA530, who we previously examined in relation to large-scale personalized phishing campaigns
Internal MISP references
UUID 4b79d1f6-8333-44b6-ac32-d1ea7e47e77f
which can be used as unique global reference for TA530
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
GCMAN
GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GCMAN.
Known Synonyms |
---|
G0036 |
Internal MISP references
UUID d93889de-b4bc-4a29-9ce7-d67717c140a0
which can be used as unique global reference for GCMAN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
targeted-sector | ['Bank'] |
Related clusters
To see the related clusters, click here.
APT22
Suckfly is a China-based threat group that has been active since at least 2014
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT22.
Known Synonyms |
---|
BRONZE OLIVE |
G0039 |
Group 46 |
Suckfly |
Internal MISP references
UUID 5abb12e7-5066-4f84-a109-49a037205c76
which can be used as unique global reference for APT22
in MISP communities and other software using the MISP galaxy
External references
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://attack.mitre.org/groups/G0039/ - webarchive
- https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab - webarchive
- http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-olive - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Related clusters
To see the related clusters, click here.
FIN6
FIN is a group targeting financial assets including assets able to do financial transaction including PoS.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN6.
Known Synonyms |
---|
ATK88 |
Camouflage Tempest |
G0037 |
GOLD FRANKLIN |
ITG08 |
MageCart Group 6 |
SKELETON SPIDER |
White Giant |
Internal MISP references
UUID 647894f6-1723-4cba-aba4-0ef0966d5302
which can be used as unique global reference for FIN6
in MISP communities and other software using the MISP galaxy
External references
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - webarchive
- https://attack.mitre.org/groups/G0037/ - webarchive
- https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-franklin - webarchive
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Libyan Scorpions
Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.
Internal MISP references
UUID 815cbe98-e157-4078-9caa-c5a25dd64731
which can be used as unique global reference for Libyan Scorpions
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | LY |
targeted-sector | ['Intelligence'] |
TeamXRat
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamXRat.
Known Synonyms |
---|
CorporacaoXRat |
CorporationXRat |
Internal MISP references
UUID 43ec65d1-a334-4c44-9a44-0fd21f27249d
which can be used as unique global reference for TeamXRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
OilRig
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.
OilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:
-Organized evasion testing used the during development of their tools. -Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration. -Custom web-shells and backdoors used to persistently access servers.
OilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.
Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OilRig.
Known Synonyms |
---|
APT 34 |
APT34 |
ATK40 |
Cobalt Gypsy |
Crambus |
EUROPIUM |
Evasive Serpens |
G0049 |
Hazel Sandstorm |
Helix Kitten |
IRN2 |
TA452 |
Twisted Kitten |
Internal MISP references
UUID 42be2a84-5a5c-4c6d-9864-3f09d75bb0ba
which can be used as unique global reference for OilRig
in MISP communities and other software using the MISP galaxy
External references
- https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability - webarchive
- https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ - webarchive
- https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ - webarchive
- https://pan-unit42.github.io/playbook_viewer/ - webarchive
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html - webarchive
- https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html - webarchive
- https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf - webarchive
- https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a - webarchive
- https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json - webarchive
- https://www.cfr.org/interactive/cyber-operations/oilrig - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-34 - webarchive
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail - webarchive
- https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.clearskysec.com/oilrig/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/ - webarchive
- https://attack.mitre.org/groups/G0049/ - webarchive
- https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf - webarchive
- https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/evasive-serpens/ - webarchive
- https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Israel', 'Kuwait', 'United States', 'Turkey', 'Saudi Arabia', 'Qatar', 'Lebanon', 'Middle East'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Chemical', 'Energy', 'Engineering', 'Finance', 'Government, Administration', 'Telecoms', 'Other'] |
Related clusters
To see the related clusters, click here.
Volatile Cedar
Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volatile Cedar.
Known Synonyms |
---|
DeftTorero |
Lebanese Cedar |
Internal MISP references
UUID cf421ce6-ddfe-419a-bc65-6a9fc953232a
which can be used as unique global reference for Volatile Cedar
in MISP communities and other software using the MISP galaxy
External references
- https://blog.checkpoint.com/2015/03/31/volatilecedar/ - webarchive
- https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/ - webarchive
- https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf - webarchive
- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | LB |
suspected-victims | ['Middle East', 'Israel', 'Lebanon', 'Saudi Arabia'] |
Related clusters
To see the related clusters, click here.
Dancing Salome
Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine. What makes Dancing Salome interesting and relevant is the attacker’s penchant for leveraging HackingTeam RCS implants compiled after the public breach.
Internal MISP references
UUID 3d5192f2-f235-46fd-aa68-dd00cc17d632
which can be used as unique global reference for Dancing Salome
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
suspected-victims | ['Ukraine'] |
targeted-sector | ['Think Tanks', 'Government, Administration'] |
TERBIUM
Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.
Internal MISP references
UUID 46670c51-fea4-45d6-bdd4-62e85a5c7404
which can be used as unique global reference for TERBIUM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Energy'] |
Related clusters
To see the related clusters, click here.
Molerats
In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Molerats.
Known Synonyms |
---|
ALUMINUM SARATOGA |
BLACKSTEM |
Extreme Jackal |
G0021 |
Gaza Cybergang |
Gaza Hackers Team |
Gaza cybergang |
Moonlight |
Operation Molerats |
Internal MISP references
UUID f7c2e501-73b1-400f-a5d9-2e2e07b7dfde
which can be used as unique global reference for Molerats
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html - webarchive
- https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/ - webarchive
- https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/ - webarchive
- https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website - webarchive
- https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html - webarchive
- https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html - webarchive
- https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks - webarchive
- https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf - webarchive
- https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf - webarchive
- https://securelist.com/gaza-cybergang-updated-2017-activity/82765/ - webarchive
- https://www.kaspersky.com/blog/gaza-cybergang/26363/ - webarchive
- https://attack.mitre.org/groups/G0021/ - webarchive
- https://www.secureworks.com/research/threat-profiles/aluminum-saratoga - webarchive
- https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-state-sponsor | Palestine |
cfr-suspected-victims | ['United States', 'Israel', 'Palestine', 'Middle East', 'Europe'] |
cfr-target-category | ['Government', 'Defense', 'Energy', 'Finance', 'Healthcare', 'Pharmaceuticals', 'Education', 'Media', 'NGOs', 'Civil Society', 'Legal', 'Military'] |
cfr-type-of-incident | Espionage |
country | PS |
Related clusters
To see the related clusters, click here.
PROMETHIUM
PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PROMETHIUM.
Known Synonyms |
---|
G0056 |
StrongPity |
Internal MISP references
UUID 43894e2a-174e-4931-94a8-2296afe8f650
which can be used as unique global reference for PROMETHIUM
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/ - webarchive
- https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users - webarchive
- https://attack.mitre.org/groups/G0056/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
Related clusters
To see the related clusters, click here.
NEODYMIUM
NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NEODYMIUM.
Known Synonyms |
---|
G0055 |
Internal MISP references
UUID ada08ea8-4517-4eea-aff1-3ad69e5466bb
which can be used as unique global reference for NEODYMIUM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Packrat
A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.
Internal MISP references
UUID fe344665-d153-4d31-a32a-1509efde1ca7
which can be used as unique global reference for Packrat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Activists', 'Journalist', 'Political party'] |
Cadelle
Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.
Internal MISP references
UUID 03f13462-003c-4296-8784-bccea16710a9
which can be used as unique global reference for Cadelle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
PassCV
The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.
Internal MISP references
UUID ceae0bc4-eb5f-4184-b949-a6f7d6f0f965
which can be used as unique global reference for PassCV
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Sath-ı Müdafaa
A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.
Internal MISP references
UUID a03e2b4b-617f-4d28-ac4b-9943f792aa22
which can be used as unique global reference for Sath-ı Müdafaa
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
motive | Hacktivists-Nationalists |
Aslan Neferler Tim
Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aslan Neferler Tim.
Known Synonyms |
---|
Lion Soldiers Team |
Phantom Turk |
Internal MISP references
UUID 23410d3f-c359-422d-9a4e-45f8fdf0c84a
which can be used as unique global reference for Aslan Neferler Tim
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
motive | Hacktivists-Nationalists |
targeted-sector | ['Government, Administration', 'News - Media'] |
Ayyıldız Tim
Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ayyıldız Tim.
Known Synonyms |
---|
Crescent and Star |
Internal MISP references
UUID ab1771de-25bb-4688-b132-eabb5d6452a1
which can be used as unique global reference for Ayyıldız Tim
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
motive | Hacktivists-Nationalists |
targeted-sector | ['Government, Administration'] |
TurkHackTeam
Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TurkHackTeam.
Known Synonyms |
---|
Turk Hack Team |
Internal MISP references
UUID 7ae74dc6-ded3-4873-a803-abb4160d10c0
which can be used as unique global reference for TurkHackTeam
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
motive | Hacktivists-Nationalists |
Equation Group
The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Equation Group.
Known Synonyms |
---|
EQGRP |
G0020 |
Tilded Team |
Internal MISP references
UUID 7036fb3d-86b7-4d9c-bc66-1e1ead8b7840
which can be used as unique global reference for Equation Group
in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/Equation_Group - webarchive
- https://www.cfr.org/interactive/cyber-operations/equation-group - webarchive
- https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/ - webarchive
- https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0 - webarchive
- https://en.wikipedia.org/wiki/Stuxnet - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf - webarchive
- https://attack.mitre.org/groups/G0020/ -