Tidal Groups

Tidal Groups Galaxy

Authors
Authors and/or Contributors
Tidal Cyber

admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [FireEye admin@338]

Internal MISP references

UUID 8567136b-f84a-45ed-8cce-46324c7da60e which can be used as a unique global reference for admin@338 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0018
observed_countries ['HK', 'US']
source MITRE
target_categories ['Financial Services']

Operation Woolen-Goldfish - Associated Group

Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and the campaign Operation Woolen-Goldfish.[Check Point Rocket Kitten][TrendMicro Operation Woolen Goldfish March 2015]

Internal MISP references

UUID 9585b539-c040-40a6-a94c-fcf8afa786e2 which can be used as a unique global reference for Operation Woolen-Goldfish - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c63555ae-395f-49dd-b279-b6b85c33e41f

AjaxTM - Associated Group

[FireEye Operation Saffron Rose 2013]

Internal MISP references

UUID 81051e64-7fde-44c5-816e-a85b25a02e11 which can be used as a unique global reference for AjaxTM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b14e52c9-267e-484b-b3af-14844e5634f5

Flying Kitten - Associated Group

[CrowdStrike Flying Kitten]

Internal MISP references

UUID aea21266-a894-40a3-a8cd-2eb2136859d8 which can be used as a unique global reference for Flying Kitten - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 930c273b-0f2f-4398-b016-3623a384e681

Operation Saffron Rose - Associated Group

[FireEye Operation Saffron Rose 2013]

Internal MISP references

UUID c7e17231-5a22-49f8-a174-b15d5143b169 which can be used as a unique global reference for Operation Saffron Rose - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b62221c3-4173-4748-9f3c-c1bc57ca2ef3

Rocket Kitten - Associated Group

Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and Rocket Kitten.[Check Point Rocket Kitten][IranThreats Kittens Dec 2017]

Internal MISP references

UUID ed2a8933-1662-460c-b400-db7a03921659 which can be used as a unique global reference for Rocket Kitten - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 59646b90-8877-4904-b72d-7b73ee8af863

Ajax Security Team

Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[FireEye Operation Saffron Rose 2013]

Internal MISP references

UUID e38bcb42-12c1-4202-a794-ec26cd830caa which can be used as a unique global reference for Ajax Security Team in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0130
source MITRE

Silent Chollima - Associated Group

[CrowdStrike Silent Chollima Adversary September 2021]

Internal MISP references

UUID 045b431e-ca2a-4b1b-a6fa-758127ce2b4e which can be used as a unique global reference for Silent Chollima - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 8f90a9f3-849e-4cd8-b276-42498b6968e2

Andariel

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[FSI Andariel Campaign Rifle July 2017][IssueMakersLab Andariel GoldenAxe May 2017][AhnLab Andariel Subgroup of Lazarus June 2018][TrendMicro New Andariel Tactics July 2018][CrowdStrike Silent Chollima Adversary September 2021]

Andariel is considered a subset of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[Treasury North Korean Cyber Groups September 2019]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Internal MISP references

UUID 2cc997b5-5076-4eef-9974-f54387614f46 which can be used as a unique global reference for Andariel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country KP
group_attack_id G0138
observed_countries ['BR', 'CA', 'CN', 'DE', 'IN', 'IL', 'JP', 'KR', 'NO', 'PH', 'RO', 'RU', 'SE', 'US', 'VN']
observed_motivations ['Cyber Espionage', 'Destruction']
source MITRE
target_categories ['Aerospace', 'Agriculture', 'Casinos Gambling', 'Defense', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'Media', 'Pharmaceuticals', 'Technology', 'Travel Services']

AnonGhost

AnonGhost is an apparent hacktivist collective. In October 2023, following a series of air- and land-based attacks in the Gaza Strip, AnonGhost was one of several hacktivist groups that claimed responsibility for disruptive attacks against computer networks in Israel. Researchers indicated that they observed AnonGhost actors exploit an undisclosed API vulnerability in Red Alert, an application that provides warning of projectile attacks in Israel, using Python scripts to intercept web requests and send spam messages to the app's users.[Group-IB Threat Intelligence Tweet October 9 2023]

Internal MISP references

UUID 67e02e39-1db8-4842-b0b1-d250ea9a22c3 which can be used as a unique global reference for AnonGhost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5011
observed_countries ['IL', 'US']
owner TidalCyberIan
source Tidal Cyber
target_categories ['Education', 'Government', 'Technology']

Storm-1359 - Associated Group

[Microsoft DDoS Attacks Response June 2023]

Internal MISP references

UUID 8a3ffc59-378f-447a-bd67-129659941a20 which can be used as a unique global reference for Storm-1359 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 84d7b5cd-a34d-4365-bdbf-cba51ef26fa9
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Anonymous Sudan

Anonymous Sudan is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) and website defacement attacks in support of its ideology, which appears to largely align with Russian state interests. The group regularly cross-promotes communications with Killnet, another hacktivist group that appears to share similar ideologies and methods of operation.[Flashpoint Anonymous Sudan Timeline] Researchers assess that the group is affiliated with neither the Anonymous hacktivist group nor Sudan.[CyberCX Anonymous Sudan June 19 2023]

Since emerging in January 2023, Anonymous Sudan has claimed and is believed to be responsible for a considerable number of DDoS attacks affecting victims in a wide range of geographic locations and sectors.[Flashpoint Anonymous Sudan Timeline] It claimed responsibility for a series of early June 2023 DDoS attacks that caused temporary interruptions to Microsoft Azure, Outlook, and OneDrive services. Microsoft security researchers attributed those attacks to the Storm-1359 group.[The Hacker News Microsoft DDoS June 19 2023][Microsoft DDoS Attacks Response June 2023] Like Killnet, Anonymous Sudan claimed responsibility for disruptive attacks against computer networks in Israel following a series of air- and land-based attacks in the Gaza Strip in October 2023.[FalconFeedsio Tweet October 9 2023]

Internal MISP references

UUID 132feaeb-a9a1-4ecc-b7e9-86c008c15218 which can be used as a unique global reference for Anonymous Sudan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5010
observed_countries ['AU', 'DK', 'FR', 'DE', 'IR', 'IL', 'LV', 'NL', 'SE', 'AE', 'US']
owner TidalCyberIan
source Tidal Cyber
tags ['62bde669-3020-4682-be68-36c83b2588a4']
target_categories ['Aerospace', 'Banks', 'Education', 'Financial Services', 'Government', 'Healthcare', 'Technology']

Aoqin Dragon

Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.[SentinelOne Aoqin Dragon June 2022]

Internal MISP references

UUID 454402a3-0503-45bf-b2e0-177fa2e2d412 which can be used as a unique global reference for Aoqin Dragon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1007
source MITRE

Comment Group - Associated Group

[Mandiant APT1]

Internal MISP references

UUID b618f5c9-c399-4b6e-a614-12a383ba363c which can be used as a unique global reference for Comment Group - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id af30fa7e-afcf-4da0-9771-9dfbe389f238

Comment Panda - Associated Group

[CrowdStrike Putter Panda]

Internal MISP references

UUID 22829c72-7358-468d-b661-da019a020d6e which can be used as a unique global reference for Comment Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id cc50c7a6-2dab-498f-992b-7cdda0c20b7e

Comment Crew - Associated Group

[Mandiant APT1]

Internal MISP references

UUID 88a50fe2-ab89-4dc3-8c47-0b0661f5c8e2 which can be used as a unique global reference for Comment Crew - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1c4be283-01e5-4fa8-b566-79bded25cab0

APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [Mandiant APT1]

Internal MISP references

UUID 5307bba1-2674-4fbd-bfd5-1db1ae06fc5f which can be used as a unique global reference for APT1 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0006
observed_countries ['BE', 'CA', 'FR', 'IN', 'IL', 'JP', 'KR', 'LU', 'NO', 'SG', 'ZA', 'CH', 'TW', 'AE', 'GB', 'US', 'VN']
source MITRE
target_categories ['Aerospace', 'Agriculture', 'Chemical', 'Construction', 'Education', 'Electronics', 'Energy', 'Entertainment', 'Financial Services', 'Healthcare', 'Legal', 'Manufacturing', 'Media', 'Mining', 'Technology', 'Telecommunications', 'Transportation']

DynCalc - Associated Group

[Meyers Numbered Panda] [Moran 2014]

Internal MISP references

UUID 583a2f5d-33db-48b0-9809-5183f4d4dbec which can be used as a unique global reference for DynCalc - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 539a41fe-6f8f-496b-9915-4302797d33ca

IXESHE - Associated Group

[Meyers Numbered Panda] [Moran 2014]

Internal MISP references

UUID 3a506347-4e45-4afe-a15a-3c5697ecf07b which can be used as a unique global reference for IXESHE - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1bc197b3-bd5f-4c3f-853d-56a8e37af86d

Numbered Panda - Associated Group

[Meyers Numbered Panda]

Internal MISP references

UUID 5142b9b1-ad6a-4d7b-b982-9b200169dfe5 which can be used as a unique global reference for Numbered Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 894ed5d0-7eb7-4383-b06f-9cc82d4aa1a6

DNSCALC - Associated Group

[Moran 2014]

Internal MISP references

UUID 1f696314-a0e0-4bc2-8b82-26d7f98bb308 which can be used as a unique global reference for DNSCALC - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 11ad1ce8-e59f-48e8-8a52-f7012c9a0d4f

APT12

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.[Meyers Numbered Panda]

Internal MISP references

UUID 225314a7-8f40-48d4-9cff-3ec39b177762 which can be used as a unique global reference for APT12 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0005
observed_countries ['DE', 'JP', 'TW', 'US']
source MITRE
target_categories ['Government', 'High Tech', 'Media']

APT16

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. [FireEye EPS Awakens Part 2]

Internal MISP references

UUID 06a05175-0812-44f5-a529-30eba07d1762 which can be used as a unique global reference for APT16 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0023
observed_countries ['JP', 'TW', 'TH']
source MITRE
target_categories ['Financial Services', 'Technology']

Deputy Dog - Associated Group

[FireEye APT17]

Internal MISP references

UUID 3df7e342-600a-4312-8e16-5496890302d5 which can be used as a unique global reference for Deputy Dog - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b357afb9-0349-4203-a083-5dd2f1f9ead0

APT17

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. [FireEye APT17]

Internal MISP references

UUID 5f083251-f5dc-459a-abfc-47a1aa7f5094 which can be used as a unique global reference for APT17 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0025
observed_countries ['BE', 'CN', 'DE', 'ID', 'IT', 'JP', 'NL', 'RU', 'CH', 'GB', 'US']
source MITRE
target_categories ['Defense', 'Government', 'Legal', 'Mining', 'NGOs', 'Technology']

TG-0416 - Associated Group

[ThreatStream Evasion Analysis][Anomali Evasive Maneuvers July 2015]

Internal MISP references

UUID 5fdf8c44-69f3-4d9b-9258-0bb7758be2e9 which can be used as a unique global reference for TG-0416 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a13f9607-2ef4-43c7-8aa9-26b83c7b0967

Dynamite Panda - Associated Group

[ThreatStream Evasion Analysis][Anomali Evasive Maneuvers July 2015]

Internal MISP references

UUID 637ac710-fc16-472c-a832-4cac678250f8 which can be used as a unique global reference for Dynamite Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id bb6b1708-cf48-48c7-9f46-ef0a53885d9a

Threat Group-0416 - Associated Group

[ThreatStream Evasion Analysis]

Internal MISP references

UUID 3a92b51b-3fb6-4792-99f3-dfd2e16f9d8b which can be used as a unique global reference for Threat Group-0416 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ffe44646-5353-49d5-8e26-410c1ce6df86

APT18

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. [Dell Lateral Movement]

Internal MISP references

UUID a0c31021-b281-4c41-9855-436768299fe7 which can be used as a unique global reference for APT18 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0026
source MITRE
target_categories ['Government', 'Healthcare', 'Human Rights', 'Manufacturing', 'Pharmaceuticals', 'Technology']

Codoso - Associated Group

[Unit 42 C0d0so0 Jan 2016]

Internal MISP references

UUID 6d83a49f-9211-4cba-ac43-e00ac72377db which can be used as a unique global reference for Codoso - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 04c4f789-2393-4714-ab28-06fc38039960

C0d0so0 - Associated Group

[Unit 42 C0d0so0 Jan 2016]

Internal MISP references

UUID 89f839e7-602e-4862-9f93-1092acec19e7 which can be used as a unique global reference for C0d0so0 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4addd000-b8b9-4c93-ba5b-378c14c46ae7

Codoso Team - Associated Group

[FireEye APT Groups]

Internal MISP references

UUID e5363e5c-073d-4bb4-9c68-9944251ff7a8 which can be used as a unique global reference for Codoso Team - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ace4b025-4fd3-4ddd-af6f-673dea88aa9f

Sunshop Group - Associated Group

[Dark Reading Codoso Feb 2015]

Internal MISP references

UUID 1447143d-e8bf-448d-92df-67f19ac2e850 which can be used as a unique global reference for Sunshop Group - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id eb91a5a0-73b5-4552-87a7-2100812fc442

APT19

APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. [FireEye APT19] Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. [ICIT China's Espionage Jul 2016] [FireEye APT Groups] [Unit 42 C0d0so0 Jan 2016]

Internal MISP references

UUID 713e2963-fbf4-406f-a8cf-6a4489d90439 which can be used as a unique global reference for APT19 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0073
observed_countries ['AU', 'US']
source MITRE
target_categories ['Defense', 'Education', 'Energy', 'Financial Services', 'Legal', 'Manufacturing', 'Pharmaceuticals', 'Technology', 'Telecommunications']

VIOLIN PANDA - Associated Group

Internal MISP references

UUID 9d19037b-5996-473a-9c75-1896ba436adc which can be used as a unique global reference for VIOLIN PANDA - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7446e519-930c-416c-bcf9-55a8819a2630
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

TH3Bug - Associated Group

Internal MISP references

UUID f233d85e-9274-4e5d-9eb8-57fa3dc6bebf which can be used as a unique global reference for TH3Bug - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 84038ade-9caf-40f8-9660-cd0459f65d81
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Crawling Taurus - Associated Group

[Unit 42 ATOM Crawling Taurus]

Internal MISP references

UUID c8c1b25e-4066-44c1-bb17-f561c86d8202 which can be used as a unique global reference for Crawling Taurus - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1fe02736-3a38-4a71-b117-63c5386f15fb
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Twivy - Associated Group

[Mandiant APT Groups List]

Internal MISP references

UUID 276fd84a-14fa-4040-9a98-f5eb09a24f3f which can be used as a unique global reference for Twivy - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4812c101-e6cf-48c1-a1cd-640a1131ff22
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

APT20

APT20 is a suspected China-attributed espionage actor. It has attacked organizations in a wide range of verticals for data theft. These operations appear to be motivated by the acquisition of intellectual property but also collection of information around individuals with particular political interests.[Mandiant APT Groups List] Researchers attributed, with medium confidence, the years-long Operation Wocao espionage campaign to APT20.[FoxIT Wocao December 2019]

Internal MISP references

UUID 4173c301-0307-458d-89dd-2583e94247ec which can be used as a unique global reference for APT20 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G5006
observed_countries ['BR', 'CN', 'FR', 'DE', 'IT', 'MX', 'PT', 'ES', 'GB', 'US']
observed_motivations ['Cyber Espionage']
owner TidalCyberIan
source Tidal Cyber
target_categories ['Aerospace', 'Casinos Gambling', 'Chemical', 'Construction', 'Defense', 'Education', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'Insurance', 'Manufacturing', 'Non Profit', 'Retail', 'Technology', 'Transportation']

IRON TWILIGHT - Associated Group

[Secureworks IRON TWILIGHT Profile][Secureworks IRON TWILIGHT Active Measures March 2017]

Internal MISP references

UUID fc8d868d-e3df-486d-8efb-eed4d3554abe which can be used as a unique global reference for IRON TWILIGHT - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6a42e6dd-3e4e-475f-8293-59d9af80e394

Sednit - Associated Group

This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.[FireEye APT28 January 2017][SecureWorks TG-4127][Kaspersky Sofacy][Ars Technica GRU indictment Jul 2018]

Internal MISP references

UUID 78e2b73c-4042-4c78-af27-c289450e9db1 which can be used as a unique global reference for Sednit - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 56f38218-30ad-4c58-8943-9b68103d91fa

Sofacy - Associated Group

This designation has been used in reporting both to refer to the threat group and its associated malware.[FireEye APT28][SecureWorks TG-4127][Crowdstrike DNC June 2016][ESET Sednit Part 3][Ars Technica GRU indictment Jul 2018][Talos Seduploader Oct 2017]

Internal MISP references

UUID 8983bc4c-26f9-4d1b-a32d-5b198f90cc24 which can be used as a unique global reference for Sofacy - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ebb27272-18c0-4cdb-89f1-6e8e66f6c0eb

Fancy Bear - Associated Group

[Crowdstrike DNC June 2016][Kaspersky Sofacy][ESET Sednit Part 3][Ars Technica GRU indictment Jul 2018][Talos Seduploader Oct 2017][Symantec APT28 Oct 2018][Securelist Sofacy Feb 2018][Cybersecurity Advisory GRU Brute Force Campaign July 2021]

Internal MISP references

UUID 78894876-29d5-4feb-9afa-d7ab2955b81b which can be used as a unique global reference for Fancy Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ebcc547a-c3b7-4673-801f-4409511f6dd2

SNAKEMACKEREL - Associated Group

[Accenture SNAKEMACKEREL Nov 2018]

Internal MISP references

UUID 7f58eb05-a22c-4df9-a8ad-6e3dfa97e511 which can be used as a unique global reference for SNAKEMACKEREL - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 75a22116-0f97-4563-b49e-73ede9f679a0

Swallowtail - Associated Group

[Symantec APT28 Oct 2018]

Internal MISP references

UUID 7f1b55a8-6645-4262-ba7f-8f3e9d372f10 which can be used as a unique global reference for Swallowtail - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9e03a6df-6398-48c9-acae-cdadb68ed5ae

Group 74 - Associated Group

[Talos Seduploader Oct 2017]

Internal MISP references

UUID cf66714e-7dc7-44dc-b594-c7ee99610bc2 which can be used as a unique global reference for Group 74 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 2d20b321-5edf-4bc7-915b-98eadcbf90a5

Pawn Storm - Associated Group

[SecureWorks TG-4127][ESET Sednit Part 3][TrendMicro Pawn Storm Dec 2020]

Internal MISP references

UUID c9b8f211-b713-4e51-8442-e494c4c56e8b which can be used as a unique global reference for Pawn Storm - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id faedc5a2-750e-4f7e-b219-caa2867c4cb6

STRONTIUM - Associated Group

[Kaspersky Sofacy][ESET Sednit Part 3][Microsoft STRONTIUM Aug 2019][Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020][TrendMicro Pawn Storm Dec 2020][Cybersecurity Advisory GRU Brute Force Campaign July 2021]

Internal MISP references

UUID f7c8de7a-3322-48b4-917c-e2ffd433890b which can be used as a unique global reference for STRONTIUM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7b2468c3-ef9b-422b-8700-f2d9230115c9

Forest Blizzard - Associated Group

[U.S. Federal Bureau of Investigation 2 27 2024]

Internal MISP references

UUID 5ef741d0-4089-4ca7-aed9-da91b36b75c9 which can be used as a unique global reference for Forest Blizzard - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9fe69ea1-4c35-4322-8029-b5ce381f8d94
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Tsar Team - Associated Group

[ESET Sednit Part 3][Talos Seduploader Oct 2017]

Internal MISP references

UUID afa355ce-eb36-498d-b9e4-e0d6bce1573f which can be used as a unique global reference for Tsar Team - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7003a53f-b1ba-44d0-8a04-bd1766e4865c

Threat Group-4127 - Associated Group

[SecureWorks TG-4127]

Internal MISP references

UUID f31dcaf0-e808-4073-9b57-88030e5842bb which can be used as a unique global reference for Threat Group-4127 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b8651331-b87b-4ea6-934b-f170c3dc7303

TG-4127 - Associated Group

[SecureWorks TG-4127]

Internal MISP references

UUID 8d33359e-a3fc-4423-a84a-82081e99fb82 which can be used as a unique global reference for TG-4127 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 55adb620-5d68-4583-87db-f1d920d5d875

APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[NSA/FBI Drovorub August 2020][Cybersecurity Advisory GRU Brute Force Campaign July 2021] This group has been active since at least 2004.[DOJ GRU Indictment Jul 2018][Ars Technica GRU indictment Jul 2018][Crowdstrike DNC June 2016][FireEye APT28][SecureWorks TG-4127][FireEye APT28 January 2017][GRIZZLY STEPPE JAR][Sofacy DealersChoice][Palo Alto Sofacy 06-2018][Symantec APT28 Oct 2018][ESET Zebrocy May 2019]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [Crowdstrike DNC June 2016] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[US District Court Indictment GRU Oct 2018] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Internal MISP references

UUID 5b1a5b9e-4722-41fc-a15d-196a549e3ac5 which can be used as unique global reference for APT28 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G0007
observed_countries ['AF', 'AM', 'AU', 'AZ', 'BY', 'BE', 'BR', 'BG', 'CA', 'CL', 'CN', 'HR', 'CY', 'CZ', 'FR', 'GE', 'DE', 'HU', 'IN', 'IR', 'IQ', 'IT', 'JP', 'JO', 'KZ', 'KR', 'KG', 'LV', 'LT', 'MY', 'MX', 'MN', 'ME', 'NL', 'NO', 'PK', 'PL', 'RO', 'SK', 'ZA', 'ES', 'SE', 'CH', 'TJ', 'TH', 'TR', 'UG', 'UA', 'AE', 'GB', 'US', 'UZ']
observed_motivations ['Cyber Espionage']
source MITRE
tags ['6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'a98d7a43-f227-478e-81de-e7299639a355', '916ea1e8-d117-45a4-8564-0597a02b06e4', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', 'f01290d9-7160-44cb-949f-ee4947d04b6f', 'b20e7912-6a8d-46e3-8e13-9a3fc4813852']
target_categories ['Aerospace', 'Chemical', 'Defense', 'Education', 'Energy', 'Government', 'Hospitality Leisure', 'Manufacturing', 'Media', 'NGOs', 'Retail', 'Technology', 'Transportation', 'Utilities']
Related clusters

To see the related clusters, click here.

StellarParticle - Associated Group

[CrowdStrike SUNSPOT Implant January 2021][CrowdStrike StellarParticle January 2022]

Internal MISP references

UUID 573520e2-7034-4610-b254-f58fd4330e9c which can be used as unique global reference for StellarParticle - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 79985683-2fe1-408f-a947-cc7556185242
Related clusters

To see the related clusters, click here.

NOBELIUM - Associated Group

[MSTIC NOBELIUM Mar 2021][MSTIC NOBELIUM May 2021][MSTIC Nobelium Toolset May 2021][MSRC Nobelium June 2021]

Internal MISP references

UUID a51f4654-cba5-4052-8d79-a8671339eb9e which can be used as unique global reference for NOBELIUM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e574f72a-e781-4170-9917-a417bd72e79e
Related clusters

To see the related clusters, click here.

Cozy Bear - Associated Group

[Crowdstrike DNC June 2016][ESET Dukes October 2019][NCSC APT29 July 2020][Cybersecurity Advisory SVR TTP May 2021][CrowdStrike StellarParticle January 2022]

Internal MISP references

UUID 0742ac72-9dc7-40ba-b568-1185187d93a8 which can be used as unique global reference for Cozy Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 44087a77-831c-4dc4-af9d-8a6aa4ef4fc8
Related clusters

To see the related clusters, click here.

IRON HEMLOCK - Associated Group

[Secureworks IRON HEMLOCK Profile]

Internal MISP references

UUID 1e5b89db-5d7c-40f0-86a2-ab7affabd6c3 which can be used as unique global reference for IRON HEMLOCK - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3cb3858f-3e99-4ab0-ab04-6a2ff3e7d5cc
Related clusters

To see the related clusters, click here.

Dark Halo - Associated Group

[Volexity SolarWinds]

Internal MISP references

UUID c0b8d1d5-4412-44b7-ba21-d2f0c96be941 which can be used as unique global reference for Dark Halo - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 72249657-2665-4406-8486-35016b132f8a
Related clusters

To see the related clusters, click here.

The Dukes - Associated Group

[F-Secure The Dukes][ESET Dukes October 2019][NCSC APT29 July 2020][Cybersecurity Advisory SVR TTP May 2021]

Internal MISP references

UUID b9af22de-f6b0-4b07-9182-1d43179e1d31 which can be used as unique global reference for The Dukes - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 530f67f9-ace5-4ac2-8b37-bd2a3865d690
Related clusters

To see the related clusters, click here.

SolarStorm - Associated Group

[Unit 42 SolarStorm December 2020]

Internal MISP references

UUID 7a10ed9e-6744-5657-bc4f-dfea05a89105 which can be used as unique global reference for SolarStorm - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d23fdc45-3325-519e-85e8-55353eec7d71
Related clusters

To see the related clusters, click here.

Blue Kitsune - Associated Group

[PWC WellMess July 2020][PWC WellMess C2 August 2020]

Internal MISP references

UUID e6294fb3-cd59-57de-a0a6-d19f4d2a1560 which can be used as unique global reference for Blue Kitsune - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 59d76b12-0ee2-5427-aee0-8f4fda583f25
Related clusters

To see the related clusters, click here.

UNC3524 - Associated Group

[Mandiant APT29 Eye Spy Email Nov 22]

Internal MISP references

UUID d381c0b3-36d6-5619-9111-e392345eb22d which can be used as unique global reference for UNC3524 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3ccd8900-e251-540a-8206-4ebd1eec00c8
Related clusters

To see the related clusters, click here.

Midnight Blizzard - Associated Group

[Microsoft Midnight Blizzard January 19 2024]

Internal MISP references

UUID 4f1c2576-e3bb-4cd0-8d9f-df4cde4db79d which can be used as unique global reference for Midnight Blizzard - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 05b6f671-7e22-4422-99b6-7438b6fc654b
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

IRON RITUAL - Associated Group

[Secureworks IRON RITUAL Profile]

Internal MISP references

UUID f26c70ba-7879-4083-bfd0-ec34bdb80416 which can be used as unique global reference for IRON RITUAL - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3f6b0598-3a33-4726-aaed-a81e323f08b6
Related clusters

To see the related clusters, click here.

NobleBaron - Associated Group

[SentinelOne NobleBaron June 2021]

Internal MISP references

UUID 7a8aa751-21a3-4fdc-b19b-2810ffb4f44f which can be used as unique global reference for NobleBaron - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 82c24d84-98b7-4ea9-af12-e863506a0b62
Related clusters

To see the related clusters, click here.

UNC2452 - Associated Group

[FireEye SUNBURST Backdoor December 2020]

Internal MISP references

UUID b9ef525d-16a2-4896-8205-6da397b37245 which can be used as unique global reference for UNC2452 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5f3029c0-da2e-45ee-bda4-5afe70c098fa
Related clusters

To see the related clusters, click here.

YTTRIUM - Associated Group

[Microsoft Unidentified Dec 2018]

Internal MISP references

UUID f60a21a2-2a87-4e54-99df-f78ab1a7fd26 which can be used as unique global reference for YTTRIUM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1c164198-c984-4371-b0ab-54f0e7d8c6fd
Related clusters

To see the related clusters, click here.

CozyDuke - Associated Group

[Crowdstrike DNC June 2016]

Internal MISP references

UUID c71bf5f1-a297-4b10-8d66-3f61bd0b2a25 which can be used as unique global reference for CozyDuke - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 8d921cec-57e9-4a0e-95c8-0f220bf75771
Related clusters

To see the related clusters, click here.

APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[White House Imposing Costs RU Gov April 2021][UK Gov Malign RIS Activity April 2021] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[F-Secure The Dukes][GRIZZLY STEPPE JAR][Crowdstrike DNC June 2016][UK Gov UK Exposes Russia SolarWinds April 2021]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[NSA Joint Advisory SVR SolarWinds April 2021][UK NSCS Russia SolarWinds April 2021] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[FireEye SUNBURST Backdoor December 2020][MSTIC NOBELIUM Mar 2021][CrowdStrike SUNSPOT Implant January 2021][Volexity SolarWinds][Cybersecurity Advisory SVR TTP May 2021][Unit 42 SolarStorm December 2020]

Internal MISP references

UUID 4c3e48b9-4426-4271-a7af-c3dfad79f447 which can be used as unique global reference for APT29 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G0016
observed_countries ['AU', 'AT', 'AZ', 'BY', 'BE', 'BR', 'BG', 'CA', 'CN', 'CY', 'CZ', 'FR', 'GE', 'DE', 'HU', 'IN', 'IE', 'IL', 'JP', 'KZ', 'KR', 'KG', 'LV', 'LB', 'LT', 'LU', 'MX', 'ME', 'NL', 'NZ', 'NO', 'PL', 'PT', 'RO', 'RU', 'SK', 'SI', 'ES', 'TR', 'UG', 'UA', 'GB', 'US', 'UZ']
observed_motivations ['Cyber Espionage']
source MITRE
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '08809fa0-61b6-4394-b103-1c4d19a5be16', '4a457eb3-e404-47e5-b349-8b1f743dc657', '15f2277a-a17e-4d85-8acd-480bf84f16b4', 'f2ae2283-f94d-4f8f-bbde-43f2bed66c55', '33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a', 'c9c73000-30a5-4a16-8c8b-79169f9c24aa']
target_categories ['Aerospace', 'Commercial', 'Defense', 'Education', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'Insurance', 'Legal', 'Manufacturing', 'Media', 'NGOs', 'Non Profit', 'Pharmaceuticals', 'Technology', 'Telecommunications', 'Think Tanks', 'Video Games']
Related clusters

To see the related clusters, click here.

Gothic Panda - Associated Group

[PWC Pirpi Scanbox][Recorded Future APT3 May 2017][Symantec Buckeye]

Internal MISP references

UUID d447bfdc-0a5c-4651-9070-2b3b87ac2128 which can be used as unique global reference for Gothic Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id be611484-9a2e-4588-b8fa-c0508d5b6664
Related clusters

To see the related clusters, click here.

Pirpi - Associated Group

[PWC Pirpi Scanbox]

Internal MISP references

UUID feff078c-cd96-4e56-90a7-4310ae8e48cb which can be used as unique global reference for Pirpi - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6d48e081-6e08-46c1-9540-4040930dcb84
Related clusters

To see the related clusters, click here.

UPS Team - Associated Group

[FireEye Clandestine Wolf][Recorded Future APT3 May 2017][Symantec Buckeye]

Internal MISP references

UUID bceffa47-b63a-4ebf-bded-33cb633c5ea7 which can be used as unique global reference for UPS Team - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 12d12339-8efc-4730-8987-71c5a15de637
Related clusters

To see the related clusters, click here.

Buckeye - Associated Group

[Symantec Buckeye]

Internal MISP references

UUID 4149bb91-e34b-4d22-80f1-e8adfab0d17f which can be used as unique global reference for Buckeye - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id bd9c167a-8dc3-4476-a119-d919c905cd26
Related clusters

To see the related clusters, click here.

Threat Group-0110 - Associated Group

[Recorded Future APT3 May 2017][Symantec Buckeye]

Internal MISP references

UUID 9eac64b2-f6ac-4a34-98c9-b159337fbea8 which can be used as unique global reference for Threat Group-0110 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 04676dcd-f1cb-4333-8be5-430590252412
Related clusters

To see the related clusters, click here.

TG-0110 - Associated Group

[Recorded Future APT3 May 2017][Symantec Buckeye]

Internal MISP references

UUID a62a6f94-d301-4cf8-b67e-662fd7f91d73 which can be used as unique global reference for TG-0110 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id daf15744-3090-430a-86b5-573037ff5654
Related clusters

To see the related clusters, click here.

APT3

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[FireEye Clandestine Wolf][Recorded Future APT3 May 2017] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[FireEye Clandestine Wolf][FireEye Operation Double Tap] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[Symantec Buckeye]

In 2017, MITRE developed an APT3 Adversary Emulation Plan.[APT3 Adversary Emulation Plan]

Internal MISP references

UUID 9da726e6-af02-49b8-8ebe-7ea4235513c9 which can be used as unique global reference for APT3 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0022
observed_countries ['BE', 'HK', 'IT', 'LU', 'PH', 'SE', 'GB', 'US', 'VN']
source MITRE
Related clusters

To see the related clusters, click here.

APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[FireEye APT30][Baumgartner Golovkin Naikon 2015]

Internal MISP references

UUID be45ff95-6c74-4000-bc39-63044673d82f which can be used as unique global reference for APT30 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0013
observed_countries ['BT', 'BN', 'KH', 'IN', 'ID', 'JP', 'KR', 'LA', 'MY', 'MM', 'NP', 'PH', 'SA', 'SG', 'TH', 'US', 'VN']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Government', 'Media']
Related clusters

To see the related clusters, click here.

OceanLotus - Associated Group

[FireEye APT32 May 2017][Volexity OceanLotus Nov 2017][Cybereason Oceanlotus May 2017][ESET OceanLotus Mar 2019][Amnesty Intl. Ocean Lotus February 2021]

Internal MISP references

UUID 60ed0464-1075-4f6d-b72d-4aaa2892d2c9 which can be used as unique global reference for OceanLotus - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 44190852-882a-4342-a5c8-f02ca889a229
Related clusters

To see the related clusters, click here.

APT-C-00 - Associated Group

[ESET OceanLotus][Cybereason Oceanlotus May 2017][ESET OceanLotus Mar 2019][Amnesty Intl. Ocean Lotus February 2021]

Internal MISP references

UUID 6be3ad40-e776-4127-81d2-c24a7e2b6778 which can be used as unique global reference for APT-C-00 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9a219fab-e9e1-4f04-98ef-baeb7710139d
Related clusters

To see the related clusters, click here.

SeaLotus - Associated Group

[Cybereason Oceanlotus May 2017]

Internal MISP references

UUID 510b8ec4-efad-41e0-8f0b-68c70a3d92e0 which can be used as unique global reference for SeaLotus - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3666201a-e438-4c28-b130-b4dfe67854c2
Related clusters

To see the related clusters, click here.

APT32

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[FireEye APT32 May 2017][Volexity OceanLotus Nov 2017][ESET OceanLotus]

Internal MISP references

UUID c0fe9859-e8de-4ce1-bc3c-b489e914a145 which can be used as unique global reference for APT32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country VN
group_attack_id G0050
observed_countries ['KH', 'CN', 'DE', 'LA', 'PH', 'US', 'VN']
source MITRE
tags ['115113f0-5876-4aa5-b731-5ad46f60c069']
target_categories ['Automotive', 'Energy', 'Entertainment', 'Financial Services', 'Government', 'Hospitality Leisure', 'Insurance', 'Manufacturing', 'Media', 'NGOs', 'Non Profit', 'Retail', 'Technology']
Related clusters

To see the related clusters, click here.

HOLMIUM - Associated Group

[Microsoft Holmium June 2020]

Internal MISP references

UUID 51ec6111-08b2-4294-a3a6-6d3f04161b62 which can be used as unique global reference for HOLMIUM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a7af6a75-ed87-42d6-a011-92ab54eb977c
Related clusters

To see the related clusters, click here.

Elfin - Associated Group

[Symantec Elfin Mar 2019]

Internal MISP references

UUID b757d8cd-0b22-4604-81a6-1cd3dd53084c which can be used as unique global reference for Elfin - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 36a6c829-fbff-4c14-bb51-749cb5850af8
Related clusters

To see the related clusters, click here.

Peach Sandstorm - Associated Group

[Microsoft Peach Sandstorm September 14 2023]

Internal MISP references

UUID 5d178cb0-a072-4b2f-9c28-13642fb30c03 which can be used as unique global reference for Peach Sandstorm - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4526a53c-a0c4-4554-8d6c-c30f1a5db7a0
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[FireEye APT33 Sept 2017][FireEye APT33 Webinar Sept 2017]

Internal MISP references

UUID 99bbbe25-45af-492f-a7ff-7cbc57828bac which can be used as unique global reference for APT33 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0064
observed_countries ['IR', 'IQ', 'IL', 'KR', 'SA', 'GB', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Aerospace', 'Energy']
Related clusters

To see the related clusters, click here.

InkySquid - Associated Group

[Volexity InkySquid BLUELIGHT August 2021]

Internal MISP references

UUID 81c1b801-4fc4-4602-89c0-91f59afd3f67 which can be used as unique global reference for InkySquid - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 95339824-c45f-45f9-9cc7-ee155ee0adff
Related clusters

To see the related clusters, click here.

ScarCruft - Associated Group

[Securelist ScarCruft Jun 2016][FireEye APT37 Feb 2018][Securelist ScarCruft May 2019]

Internal MISP references

UUID 83962063-25d5-498b-8d40-168df6e8e85a which can be used as unique global reference for ScarCruft - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 97656f0d-503e-4c1a-b13d-e3234bc03039
Related clusters

To see the related clusters, click here.

Reaper - Associated Group

[FireEye APT37 Feb 2018]

Internal MISP references

UUID 0e5a5a21-ca65-4b92-91d8-c6ffe8d39dd8 which can be used as unique global reference for Reaper - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 03c73305-1b06-4c25-9ccf-79882636896a
Related clusters

To see the related clusters, click here.

Group123 - Associated Group

[FireEye APT37 Feb 2018]

Internal MISP references

UUID 1cbfa64f-c394-402f-9c1f-d66e33b2b2f7 which can be used as unique global reference for Group123 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 254122d6-138a-4a88-ac3e-529ecdc3903e
Related clusters

To see the related clusters, click here.

TEMP.Reaper - Associated Group

[FireEye APT37 Feb 2018]

Internal MISP references

UUID 66d651c2-e379-45a4-a7eb-4e838f8b2819 which can be used as unique global reference for TEMP.Reaper - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3e47382e-8271-42c3-ae3e-cf1cd3e2a158
Related clusters

To see the related clusters, click here.

Ricochet Chollima - Associated Group

[CrowdStrike Richochet Chollima September 2021]

Internal MISP references

UUID 62533eef-3762-5920-b3da-392fcd2d4d02 which can be used as unique global reference for Ricochet Chollima - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e8f786f6-7d73-5703-923b-e35d928b9b63
Related clusters

To see the related clusters, click here.

APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[FireEye APT37 Feb 2018][Securelist ScarCruft Jun 2016][Talos Group123]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Internal MISP references

UUID 013fdfdc-aa32-4779-8f6e-7920615cbf66 which can be used as unique global reference for APT37 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country KP
group_attack_id G0067
observed_countries ['CN', 'IN', 'JP', 'KR', 'KW', 'NP', 'RO', 'RU', 'VN']
source MITRE
target_categories ['Aerospace', 'Automotive', 'Education', 'Financial Services', 'Government', 'Healthcare', 'Human Rights', 'Manufacturing', 'Media', 'NGOs', 'Technology']
Related clusters

To see the related clusters, click here.

Stardust Chollima - Associated Group

[CrowdStrike Stardust Chollima Profile April 2018][CrowdStrike GTR 2021 June 2021]

Internal MISP references

UUID dd64bbe7-4d35-4622-a92f-23255765c525 which can be used as unique global reference for Stardust Chollima - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9ebcd096-5e63-48f1-9a67-d80859a8fcc5
Related clusters

To see the related clusters, click here.

NICKEL GLADSTONE - Associated Group

[SecureWorks NICKEL GLADSTONE profile Sept 2021]

Internal MISP references

UUID 25b6512f-c60e-480f-81a0-c2ec4ba31ac8 which can be used as unique global reference for NICKEL GLADSTONE - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id df049954-1069-4ccc-8491-19c279452c1d
Related clusters

To see the related clusters, click here.

BeagleBoyz - Associated Group

[CISA AA20-239A BeagleBoyz August 2020]

Internal MISP references

UUID b8b8afb0-04b2-41b3-b756-d652b65c530d which can be used as unique global reference for BeagleBoyz - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ba2dea9a-8870-4c63-a164-1fb2cc270edf
Related clusters

To see the related clusters, click here.

Bluenoroff - Associated Group

[Kaspersky Lazarus Under The Hood Blog 2017]

Internal MISP references

UUID cf196249-7d25-4d5a-b2c9-2b34f045feba which can be used as unique global reference for Bluenoroff - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4e2a5cca-f160-4ca7-a9bf-e2232436aef1
Related clusters

To see the related clusters, click here.

APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[CISA AA20-239A BeagleBoyz August 2020] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.[CISA AA20-239A BeagleBoyz August 2020][FireEye APT38 Oct 2018][DOJ North Korea Indictment Feb 2021][Kaspersky Lazarus Under The Hood Blog 2017]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Internal MISP references

UUID dfbce236-735c-436d-b433-933bd6eae17b which can be used as unique global reference for APT38 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country KP
group_attack_id G0082
observed_countries ['AR', 'BD', 'BA', 'BR', 'BG', 'CL', 'CR', 'EC', 'GH', 'IN', 'ID', 'JP', 'JO', 'KE', 'KR', 'KW', 'MY', 'MT', 'MX', 'MZ', 'NP', 'NI', 'NG', 'PK', 'PA', 'PE', 'PH', 'PL', 'RU', 'SG', 'ZA', 'ES', 'TW', 'TZ', 'TG', 'TR', 'UG', 'US', 'UY', 'VN', 'ZM']
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Banks', 'Casinos Gambling', 'Credit Unions', 'Financial Services', 'Government', 'Hospitality Leisure', 'Media']
Related clusters

To see the related clusters, click here.

ITG07 - Associated Group

[FBI FLASH APT39 September 2020][Dept. of Treasury Iran Sanctions September 2020][DOJ Iran Indictments September 2020]

Internal MISP references

UUID 6ca4e51d-aa35-4a77-b3ba-7eb8634808f7 which can be used as unique global reference for ITG07 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0d240614-12ee-43dd-bebb-81e485f62c6b
Related clusters

To see the related clusters, click here.

Chafer - Associated Group

Activities associated with APT39 largely align with a group publicly referred to as Chafer.[FireEye APT39 Jan 2019][Symantec Chafer Dec 2015][Dark Reading APT39 JAN 2019][FBI FLASH APT39 September 2020][Dept. of Treasury Iran Sanctions September 2020][DOJ Iran Indictments September 2020]

Internal MISP references

UUID d9944d22-b092-4f28-a27d-328d77ad7790 which can be used as unique global reference for Chafer - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 704993e6-2034-4ca1-bba0-53bd8dbd174c
Related clusters

To see the related clusters, click here.

Remix Kitten - Associated Group

[Crowdstrike GTR2020 Mar 2020]

Internal MISP references

UUID 94ad9c24-d673-4f4c-8d3d-eb57a3d6aa6a which can be used as unique global reference for Remix Kitten - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 502e332b-f839-45bc-a2e1-9832af325c42
Related clusters

To see the related clusters, click here.

APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[FireEye APT39 Jan 2019][Symantec Chafer Dec 2015][FBI FLASH APT39 September 2020][Dept. of Treasury Iran Sanctions September 2020][DOJ Iran Indictments September 2020]

Internal MISP references

UUID a57b52c7-9f64-4ffe-a7c3-0de738fb2af1 which can be used as unique global reference for APT39 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0087
observed_countries ['IL', 'JO', 'KW', 'SA', 'ES', 'TR', 'AE', 'US']
source MITRE
target_categories ['Education', 'Hospitality Leisure', 'Telecommunications', 'Travel Services']
Related clusters

To see the related clusters, click here.

Wicked Panda - Associated Group

[Crowdstrike GTR2020 Mar 2020]

Internal MISP references

UUID 160cc195-b382-4bb1-807c-2e1592fbe105 which can be used as unique global reference for Wicked Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 152c96c0-7f83-4104-9f5f-b73487734fad
Related clusters

To see the related clusters, click here.

APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[FireEye APT41 Aug 2019][Group IB APT 41 June 2021]

Internal MISP references

UUID 502223ee-8947-42f8-a532-a3b3da12b7d9 which can be used as unique global reference for APT41 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0096
observed_countries ['AU', 'BH', 'BR', 'CA', 'CL', 'DK', 'FI', 'FR', 'GE', 'HK', 'IN', 'ID', 'IT', 'JP', 'KR', 'MY', 'MX', 'MM', 'NL', 'PK', 'PH', 'PL', 'QA', 'SA', 'SG', 'ZA', 'SE', 'CH', 'TW', 'TH', 'TR', 'AE', 'GB', 'US', 'VN']
observed_motivations ['Cyber Espionage', 'Financial Gain']
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55', 'a98d7a43-f227-478e-81de-e7299639a355']
target_categories ['Aerospace', 'Automotive', 'Education', 'Energy', 'Financial Services', 'Healthcare', 'High Tech', 'Media', 'Pharmaceuticals', 'Retail', 'Telecommunications', 'Travel Services', 'Video Games']
Related clusters

To see the related clusters, click here.

Blind Eagle - Associated Group

[QiAnXin APT-C-36 Feb2019]

Internal MISP references

UUID 3a48eb6e-2b44-4004-af10-459f5ee4352a which can be used as unique global reference for Blind Eagle - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c42ea733-327b-447b-b530-b5eb87fb98d5
Related clusters

To see the related clusters, click here.

APT-C-36

APT-C-36 is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.[QiAnXin APT-C-36 Feb2019]

Internal MISP references

UUID 153c14a6-31b7-44f2-892e-6d9fdc152267 which can be used as unique global reference for APT-C-36 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0099
observed_countries ['CO']
source MITRE
target_categories ['Banks', 'Energy', 'Financial Services', 'Government', 'Manufacturing']
Related clusters

To see the related clusters, click here.

Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[CrowdStrike AQUATIC PANDA December 2021]

Internal MISP references

UUID b8a349a6-cde1-4d95-b20f-44c62bbfc786 which can be used as unique global reference for Aquatic Panda in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0143
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Government', 'Technology', 'Telecommunications']

Group 72 - Associated Group

[Cisco Group 72]

Internal MISP references

UUID a975effb-1b65-4dd5-85ba-b0d12d94b7a8 which can be used as unique global reference for Group 72 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 61037820-7b66-46bf-8bfd-06cdb81e9b52
Related clusters

To see the related clusters, click here.

Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[Kaspersky Winnti April 2013][Kaspersky Winnti June 2015][Novetta Winnti April 2015]

Internal MISP references

UUID 90f4d3f9-3fe3-4a64-8dc1-172c6d037dca which can be used as unique global reference for Axiom in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0001
observed_countries ['JP', 'KR', 'TW', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Aerospace', 'Defense', 'Energy', 'Government', 'Manufacturing', 'Non Profit', 'Pharmaceuticals', 'Technology', 'Telecommunications']
Related clusters

To see the related clusters, click here.

BackdoorDiplomacy

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.[ESET BackdoorDiplomacy Jun 2021]

Internal MISP references

UUID e5b0da2b-12bc-4113-9459-9c51329c9ae0 which can be used as unique global reference for BackdoorDiplomacy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0135
observed_countries ['AL', 'AT', 'HR', 'GE', 'DE', 'GH', 'IN', 'LY', 'NA', 'NG', 'PL', 'QA', 'SA', 'ZA', 'AE', 'GB', 'UZ']
source MITRE
target_categories ['Government', 'Non Profit', 'Telecommunications']

BianLian Ransomware Group

BianLian is an extortion-focused threat actor group. The group originally used double-extortion methods when it began its operations in June 2022, demanding payment in exchange for decrypting locked files while also threatening to leak exfiltrated data. U.S. & Australian cybersecurity officials observed BianLian actors shifting almost exclusively to exfiltration-focused extortion schemes in 2023.[U.S. CISA BianLian Ransomware May 2023]

Related Vulnerabilities: CVE-2020-1472 (Zerologon)[U.S. CISA BianLian Ransomware May 2023]; CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 (the ProxyShell chain in Microsoft Exchange)[BianLian Ransomware Gang Gives It a Go! | [redacted]]

PulseDive (IOCs): https://pulsedive.com/threat/BianLian

Internal MISP references

UUID a2add2a0-2b54-4623-a380-a9ad91f1f2dd which can be used as unique global reference for BianLian Ransomware Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5000
observed_countries ['AU', 'CA', 'FR', 'DE', 'IN', 'ES', 'GB', 'US']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'd713747c-2d53-487e-9dac-259230f04460', '964c2590-4b52-48c6-afff-9a6d72e68908', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Automotive', 'Casinos Gambling', 'Construction', 'Education', 'Financial Services', 'Government', 'Healthcare', 'Legal', 'Manufacturing', 'Media', 'Mining', 'Retail', 'Technology']

T-APT-17 - Associated Group

[Cisco Talos Bitter Bangladesh May 2022]

Internal MISP references

UUID fd4b4e28-6f0c-43a5-b42d-6d2488d1ff93 which can be used as unique global reference for T-APT-17 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f4e52f24-5321-41c6-b198-c118b9c7abd6
Related clusters

To see the related clusters, click here.

BITTER

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[Cisco Talos Bitter Bangladesh May 2022][Forcepoint BITTER Pakistan Oct 2016]

Internal MISP references

UUID 3a02aa1b-851a-43e1-b83b-58037f3c7025 which can be used as unique global reference for BITTER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1002
source MITRE
Related clusters

To see the related clusters, click here.

Bl00dy Ransomware Gang

Bl00dy self-identifies as a ransomware group. It gained attention in May 2023 for a series of data exfiltration and encryption attacks against education entities in the United States that featured exploitation of vulnerabilities in PaperCut print management software, which is prevalent in the sector.[U.S. CISA PaperCut May 2023]

Related Vulnerabilities: CVE-2023-27350[U.S. CISA PaperCut May 2023]

Internal MISP references

UUID 393da13e-016c-41a3-9d89-b33173adecbf which can be used as unique global reference for Bl00dy Ransomware Gang in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5002
observed_countries ['US']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0', '15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '992bdd33-4a47-495d-883a-58010a2f0efb', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Education', 'Healthcare', 'High Tech', 'Manufacturing', 'Technology']

BlackCat Ransomware Actors & Affiliates

This object represents the BlackCat/ALPHV Ransomware-as-a-Service (“RaaS”) apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.

Researchers first observed BlackCat ransomware (AKA ALPHV or Noberus) in November 2021. An April 2022 U.S. FBI advisory linked BlackCat’s developers and money launderers to the defunct Blackmatter and Darkside ransomware operations (the latter was responsible for the major 2021 Colonial Pipeline incident).[FBI BlackCat April 19 2022] As of September 2023, BlackCat is believed to be responsible for attacking organizations globally and in virtually every major sector, and it consistently claims some of the highest victim tallies of any RaaS. According to data collected by the ransomwatch project and analyzed by Tidal, BlackCat actors publicly claimed 233 victims in 2022, the third most of any ransomware operation in the dataset (considerably below Clop (558) but well above Hive (181)), and it already surpassed that number by July of 2023.[GitHub ransomwatch] Like many RaaS, BlackCat actors threaten to leak exfiltrated victim data, but they also threaten to carry out denial of service attacks if victims do not pay timely ransoms.[BlackBerry BlackCat Threat Overview]

BlackCat developers have regularly evolved the namesake ransomware over time, and collaboration with affiliates means that a large number and variety of tools & TTPs are observed during intrusions involving BlackCat. BlackCat became the first prominent ransomware family to transition to the Rust programming language in 2022, which researchers assess provides greater customization and defense evasion capabilities and faster performance.[X-Force BlackCat May 30 2023][FBI BlackCat April 19 2022] A BlackCat variant named Sphynx emerged in early 2023, featuring multiple defense evasion-focused enhancements. In Q3 2023, public reports suggested that Scattered Spider (AKA 0ktapus or UNC3944), a group attributed to several prominent intrusions involving telecommunications, technology, and casino entities, had begun to use BlackCat/Sphynx ransomware during its operations.[Caesars Scattered Spider September 13 2023][BushidoToken Scattered Spider August 16 2023]

Internal MISP references

UUID 33159d02-a1ce-49ec-a381-60b069db66f7 which can be used as unique global reference for BlackCat Ransomware Actors & Affiliates in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5005
observed_countries ['AU', 'AT', 'BO', 'BR', 'CA', 'CL', 'CN', 'CO', 'CZ', 'EC', 'EG', 'FR', 'DE', 'GR', 'HK', 'HU', 'IN', 'ID', 'IE', 'IL', 'IT', 'JM', 'JP', 'KE', 'LU', 'MY', 'MX', 'NL', 'NG', 'PA', 'PH', 'RO', 'SA', 'ES', 'CH', 'TH', 'TN', 'TR', 'AE', 'GB', 'US']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '7140a6ea-2c03-4028-9da9-21d6157fdb13', '963e4802-3d3f-4e4b-b258-0b36020997b9', 'a58fbc12-8068-4eba-89f0-64c9d5a7aaf8', 'b0098999-7465-42a0-ac7d-a55001c4e79f', '33d22eff-59a1-47e0-b9eb-615dee314595', 'fe3eb26d-6daa-4f82-b0dd-fc1e2fffbc2b', 'e401022a-36ac-486d-8503-dd531410a927', 'c8ce7130-e134-492c-a98a-ed1d25b57e4c', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Automotive', 'Banks', 'Casinos Gambling', 'Construction', 'Education', 'Electronics', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'Hospitality Leisure', 'Insurance', 'Legal', 'Manufacturing', 'Media', 'Pharmaceuticals', 'Retail', 'Technology', 'Telecommunications', 'Transportation']

BlackOasis

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks.[Securelist BlackOasis Oct 2017][Securelist APT Trends Q2 2017] A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.[CyberScoop BlackOasis Oct 2017]

Internal MISP references

UUID 428dc121-a593-4981-9127-f958ae0a0fdd which can be used as unique global reference for BlackOasis in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0063
observed_countries ['AF', 'AO', 'BH', 'IR', 'IQ', 'JO', 'LY', 'NL', 'NG', 'RU', 'SA', 'TN', 'GB']
source MITRE
Related clusters

To see the related clusters, click here.

Palmerworm - Associated Group

[Symantec Palmerworm Sep 2020][IronNet BlackTech Oct 2021]

Internal MISP references

UUID 25cec21f-c276-4d0c-adef-6313bd752e07 which can be used as unique global reference for Palmerworm - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f0d645a2-10c4-47ba-93c5-25113f1da1c6
Related clusters

To see the related clusters, click here.

Temp.Overboard - Associated Group

[U.S. CISA BlackTech September 27 2023]

Internal MISP references

UUID e3baf8a3-d4bb-4ef0-add7-39bc238b0c12 which can be used as unique global reference for Temp.Overboard - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0fd0a5c0-8fe5-40b0-aaba-c3407636b6cf
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Circuit Panda - Associated Group

[U.S. CISA BlackTech September 27 2023]

Internal MISP references

UUID c1769626-608d-42b4-b0dc-67520181e8a6 which can be used as unique global reference for Circuit Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a8a9cd0f-96d4-4157-9e52-6d169c2a2f24
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Radio Panda - Associated Group

[U.S. CISA BlackTech September 27 2023]

Internal MISP references

UUID 4e472ebd-7685-409e-a41d-b9034d04583f which can be used as unique global reference for Radio Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0bac0bf4-1488-4b4c-b949-aa2703a1ac95
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[TrendMicro BlackTech June 2017][Symantec Palmerworm Sep 2020][Reuters Taiwan BlackTech August 2020]

Internal MISP references

UUID 528ab2ea-b8f1-44d8-8831-2a89fefd97cb which can be used as unique global reference for BlackTech in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0098
observed_countries ['CN', 'HK', 'JP', 'TW', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Construction', 'Defense', 'Electronics', 'Financial Services', 'Government', 'Media', 'Technology', 'Telecommunications']
Related clusters

To see the related clusters, click here.

Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.[RedCanary Mockingbird May 2020]

Internal MISP references

UUID b82c6ed1-c74a-4128-8b4d-18d1e17e1134 which can be used as unique global reference for Blue Mockingbird in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0108
observed_motivations ['Financial Gain']
source MITRE

REDBALDKNIGHT - Associated Group

[Trend Micro Daserf Nov 2017][Trend Micro Tick November 2019]

Internal MISP references

UUID 84db787e-f59b-4318-be71-17bf3c55effa which can be used as unique global reference for REDBALDKNIGHT - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id dbaaf996-8ef8-4463-9953-4ce480d051cf
Related clusters

To see the related clusters, click here.

Tick - Associated Group

[Trend Micro Daserf Nov 2017][Symantec Tick Apr 2016][Trend Micro Tick November 2019]

Internal MISP references

UUID 19c5a727-c2a1-411d-ad3c-b96b62dd72ea which can be used as unique global reference for Tick - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9e7fe94c-5b33-4fa6-9e42-46b416ff370b
Related clusters

To see the related clusters, click here.

BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[Trend Micro Daserf Nov 2017][Secureworks BRONZE BUTLER Oct 2017][Trend Micro Tick November 2019]

Internal MISP references

UUID 5825a840-5577-4ffc-a08d-3f48d64395cb which can be used as unique global reference for BRONZE BUTLER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0060
observed_countries ['CN', 'HK', 'JP', 'KR', 'RU', 'SG', 'TW', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Chemical', 'Defense', 'Electronics', 'Government', 'Manufacturing']
Related clusters

To see the related clusters, click here.

Anunak - Associated Group

[Fox-It Anunak Feb 2015]

Internal MISP references

UUID 060c0532-780d-4e42-9023-2ac385f369d7 which can be used as unique global reference for Anunak - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 37ca20a9-b364-4370-8da1-7544e1b2a779
Related clusters

To see the related clusters, click here.

Carbanak

Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware.[Kaspersky Carbanak][FireEye FIN7 April 2017][Europol Cobalt Mar 2018][Secureworks GOLD NIAGARA Threat Profile][Secureworks GOLD KINGSWOOD Threat Profile]

Internal MISP references

UUID 72d9bea7-9ca1-43e6-8702-2fb7fb1355de which can be used as unique global reference for Carbanak in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0008
observed_countries ['AU', 'AT', 'BA', 'BR', 'CA', 'CN', 'FR', 'DE', 'IS', 'IN', 'IT', 'LT', 'MA', 'NP', 'NG', 'PK', 'PL', 'RU', 'SN', 'ES', 'SE', 'CH', 'TW', 'UA', 'GB', 'US']
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Financial Services']
Related clusters

To see the related clusters, click here.

Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[Cycraft Chimera April 2020][NCC Group Chimera January 2021]

Internal MISP references

UUID ca93af75-0ffa-4df4-b86a-92d4d50e496e which can be used as unique global reference for Chimera in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0114
observed_countries ['TW']
source MITRE
target_categories ['Semi Conductors', 'Travel Services']

Threat Group 2889 - Associated Group

[Dell Threat Group 2889]

Internal MISP references

UUID 91b42715-7646-497a-a146-50bdffad8f71 which can be used as unique global reference for Threat Group 2889 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a307544f-424d-42a3-bb60-af98da937af7
Related clusters

To see the related clusters, click here.

TG-2889 - Associated Group

[Dell Threat Group 2889]

Internal MISP references

UUID 18e47f6e-b3e3-40e9-8cc1-589f3b8dca36 which can be used as unique global reference for TG-2889 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id eeee1c2a-3bb5-40cf-93b6-98b1043ec89c
Related clusters

To see the related clusters, click here.

Cleaver

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [Cylance Cleaver] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [Dell Threat Group 2889]

Internal MISP references

UUID c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07 which can be used as unique global reference for Cleaver in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0003
observed_countries ['CA', 'CN', 'FR', 'DE', 'IN', 'IL', 'KR', 'KW', 'MX', 'NL', 'PK', 'QA', 'SA', 'TR', 'AE', 'GB', 'US']
source MITRE
target_categories ['Aerospace', 'Chemical', 'Defense', 'Education', 'Energy', 'Government', 'Healthcare', 'Manufacturing', 'Technology', 'Telecommunications']
Related clusters

To see the related clusters, click here.

GOLD KINGSWOOD - Associated Group

[Secureworks GOLD KINGSWOOD September 2018]

Internal MISP references

UUID 14e60fe8-a70e-4b49-9e0c-d0417e2a8a2e which can be used as unique global reference for GOLD KINGSWOOD - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4a04ccc8-b838-4e29-bdf3-258a2cf04ff1
Related clusters

To see the related clusters, click here.

Cobalt Gang - Associated Group

[Talos Cobalt Group July 2018][Crowdstrike Global Threat Report Feb 2018][Morphisec Cobalt Gang Oct 2018]

Internal MISP references

UUID 497264f0-60ec-4515-b123-4d17701d4bd8 which can be used as unique global reference for Cobalt Gang - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6b90d9bd-8c90-4afe-8fb3-feda0ca1b5dc
Related clusters

To see the related clusters, click here.

Cobalt Spider - Associated Group

[Crowdstrike Global Threat Report Feb 2018]

Internal MISP references

UUID 5d356315-296c-4c79-b2e4-d4dcdcf59551 which can be used as unique global reference for Cobalt Spider - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 13e2fb7f-2628-4461-a391-b966890b30c7
Related clusters

To see the related clusters, click here.

Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money by targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to compromise organizations in order to use that access to reach additional victims.[Talos Cobalt Group July 2018][PTSecurity Cobalt Group Aug 2017][PTSecurity Cobalt Dec 2016][Group IB Cobalt Aug 2017][Proofpoint Cobalt June 2017][RiskIQ Cobalt Nov 2017][RiskIQ Cobalt Jan 2018] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[Europol Cobalt Mar 2018]

Internal MISP references

UUID 58db02e6-d908-47c2-bc82-ed58ada61331 which can be used as unique global reference for Cobalt Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0080
observed_countries ['AR', 'AZ', 'BY', 'CA', 'CN', 'KZ', 'KG', 'MD', 'RU', 'TJ', 'GB', 'US', 'VN']
observed_motivations ['Financial Gain']
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55', '57859162-d54e-4f4a-a89c-3ae374f09516']
target_categories ['Banks', 'Financial Services']
Related clusters

To see the related clusters, click here.

Confucius APT - Associated Group

Internal MISP references

UUID f223d10c-171d-4aa7-ab2c-7ff2acaf88f1 which can be used as unique global reference for Confucius APT - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6d0045e9-37fd-4d43-8306-09da90621953
Related clusters

To see the related clusters, click here.

Confucius

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.[TrendMicro Confucius APT Feb 2018][TrendMicro Confucius APT Aug 2021][Uptycs Confucius APT Jan 2021]

Internal MISP references

UUID d0f29889-7a9c-44d8-abdc-480b371f7b2b which can be used as unique global reference for Confucius in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0142
observed_countries ['PK']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Government']
Related clusters

To see the related clusters, click here.

CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.[ClearSky CopyKittens March 2017][ClearSky Wilted Tulip July 2017][CopyKittens Nov 2015]

Internal MISP references

UUID 6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b which can be used as unique global reference for CopyKittens in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0052
observed_countries ['DE', 'IL', 'JO', 'SA', 'TR', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Education', 'Government', 'Technology']
Related clusters

To see the related clusters, click here.

CURIUM

CURIUM is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[Microsoft Iranian Threat Actor Trends November 2021]

Internal MISP references

UUID ab15a328-c41e-5701-993f-3cab29ac4544 which can be used as unique global reference for CURIUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1012
source MITRE

CyberAv3ngers

CyberAv3ngers is a cyber actor group that has claimed responsibility for numerous disruption-focused attacks against critical infrastructure organizations, including an oil refinery and electric utility in Israel and water/wastewater utilities in the United States. According to a joint advisory released by U.S. & Israeli cybersecurity authorities in December 2023, CyberAv3ngers (aka Cyber Av3ngers or Cyber Avengers) is a “cyber persona” of advanced persistent threat actors affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). The advisory detailed how suspected CyberAv3ngers actors compromised programmable logic controller (PLC) devices that were exposed to the internet and still used the vendor's default password and default port, leaving defacement images and possibly rendering the devices inoperable. The defacement messages suggested that the group or affiliates might carry out attacks against other technological equipment produced in or associated with Israel.[U.S. CISA IRGC-Affiliated PLC Activity December 2023]

Internal MISP references

UUID 44a9c8ac-c287-45d2-9ebc-2c8a7d0a1f57 which can be used as unique global reference for CyberAv3ngers in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G5016
observed_countries ['IL', 'US']
observed_motivations ['Destruction']
owner TidalCyberIan
source Tidal Cyber
tags ['841ce707-a678-4bcf-86ff-7feeacd37e55', '15787198-6c8b-4f79-bf50-258d55072fee']
target_categories ['Energy', 'Utilities']

Daixin Team

Daixin Team is a ransomware- and data extortion-focused threat group first observed in mid-2022. Daixin Team is known to publicly extort its victims to pressure them into paying a ransom. It has used ransomware (believed to be based on the leaked source code for Babuk Locker) to encrypt victim data and has also exfiltrated sensitive data from victim environments and threatened to publicly leak that data.

Many of Daixin Team’s victims belong to critical infrastructure sectors, especially the Healthcare and Public Health (“HPH”) sector. An October 2022 joint Cybersecurity Advisory noted Daixin Team attacks on multiple U.S. HPH organizations.[U.S. CISA Daixin Team October 2022] Alleged victims referenced on the threat group’s extortion website belong to the healthcare, utilities, transportation (airline), automobile manufacturing, information technology, retail, and media sectors in the United States, Europe, and Asia.[GitHub ransomwatch]

Internal MISP references

UUID 07bdadce-905e-4337-898a-13e88cfb5a61 which can be used as unique global reference for Daixin Team in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5015
observed_countries ['CA', 'DE', 'ID', 'MY', 'US']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', 'a2e000da-8181-4327-bacd-32013dbd3654', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Aerospace', 'Healthcare', 'Manufacturing', 'Media', 'Retail', 'Technology', 'Transportation', 'Utilities']

Dark Caracal

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012.[Lookout Dark Caracal Jan 2018]

Internal MISP references

UUID 7ad94dbf-9909-42dd-8b62-a435481bdb14 which can be used as unique global reference for Dark Caracal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country LB
group_attack_id G0070
observed_countries ['CN', 'FR', 'DE', 'IN', 'IT', 'JO', 'KR', 'LB', 'NP', 'NL', 'PK', 'PH', 'QA', 'RU', 'SA', 'CH', 'SY', 'TH', 'US', 'VE', 'VN']
observed_motivations ['Cyber Espionage']
source MITRE
Related clusters

To see the related clusters, click here.

DUBNIUM - Associated Group

[Microsoft Digital Defense FY20 Sept 2020][Microsoft DUBNIUM June 2016][Microsoft DUBNIUM Flash June 2016][Microsoft DUBNIUM July 2016]

Internal MISP references

UUID c110892f-9eae-4ffe-bf16-55437d814f3a which can be used as unique global reference for DUBNIUM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ecad4acb-5585-4ff1-9ada-3c187672f17b
Related clusters

To see the related clusters, click here.

Darkhotel

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.[Kaspersky Darkhotel][Securelist Darkhotel Aug 2015][Microsoft Digital Defense FY20 Sept 2020]

Internal MISP references

UUID efa1d922-8f48-43a6-89fe-237e1f3812c8 which can be used as unique global reference for Darkhotel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0012
observed_countries ['BD', 'CN', 'DE', 'HK', 'IN', 'ID', 'IE', 'JP', 'KP', 'KR', 'MZ', 'RU', 'TW', 'TH', 'US']
source MITRE
target_categories ['Defense', 'Government', 'Healthcare', 'NGOs', 'Non Profit']
Related clusters

To see the related clusters, click here.

DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [Unit 42 DarkHydrus July 2018] [Unit 42 Playbook Dec 2017]

Internal MISP references

UUID f2b31240-0b4a-4fa4-82a4-6bb00e146e75 which can be used as unique global reference for DarkHydrus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0079
source MITRE
target_categories ['Education', 'Government']
Related clusters

To see the related clusters, click here.

DarkVishnya

DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.[Securelist DarkVishnya Dec 2018]

Internal MISP references

UUID d428f9be-6faf-4d57-b677-4a927fea5f7e which can be used as unique global reference for DarkVishnya in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0105
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Banks', 'Financial Services']

WebMasters - Associated Group

[RSA Shell Crew]

Internal MISP references

UUID cf629343-dce6-40db-b07e-e9667c7fe3a1 which can be used as unique global reference for WebMasters - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 62b1680d-0ef6-474c-be65-6297564095d2
Related clusters

To see the related clusters, click here.

PinkPanther - Associated Group

[RSA Shell Crew]

Internal MISP references

UUID 07485906-ee31-42d3-aa65-60f8c8715978 which can be used as unique global reference for PinkPanther - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 37fb329c-eda8-4f9e-9bbe-89eab6780749
Related clusters

To see the related clusters, click here.

Shell Crew - Associated Group

[RSA Shell Crew]

Internal MISP references

UUID d2cec0e9-74c2-4095-a6d5-9996d8ad24a0 which can be used as unique global reference for Shell Crew - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7417fef0-7078-4023-aba0-d60274f30c80
Related clusters

To see the related clusters, click here.

KungFu Kittens - Associated Group

[RSA Shell Crew]

Internal MISP references

UUID b7f392bf-d2bb-4074-bcfd-68a459d04a7a which can be used as unique global reference for KungFu Kittens - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 47bbdec2-9f63-4388-a4cb-2f1124ecb3b4
Related clusters

To see the related clusters, click here.

Black Vine - Associated Group

[Symantec Black Vine]

Internal MISP references

UUID 55740e18-3c5e-4481-95ec-e2cc8810d3ee which can be used as unique global reference for Black Vine - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a3a4a987-f3b4-413b-a51e-75e7cb66f716
Related clusters

To see the related clusters, click here.

Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [Alperovitch 2014] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [ThreatConnect Anthem] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [RSA Shell Crew] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [Symantec Black Vine] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [ICIT China's Espionage Jul 2016]

Internal MISP references

UUID 43f826a1-e8c8-47b8-9b00-38e1b3e4293b which can be used as unique global reference for Deep Panda in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0009
observed_countries ['AU', 'CA', 'CN', 'DK', 'IN', 'IT', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Aerospace', 'Agriculture', 'Defense', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'Technology', 'Telecommunications']
Related clusters

To see the related clusters, click here.

Berserk Bear - Associated Group

[Gigamon Berserk Bear October 2021][DOJ Russia Targeting Critical Infrastructure March 2022][UK GOV FSB Factsheet April 2022]

Internal MISP references

UUID 3209f44c-6706-4886-aee8-91f2ab14b10d which can be used as unique global reference for Berserk Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 606860a6-d7f2-44ec-b728-5bf509e302db
Related clusters

To see the related clusters, click here.

Crouching Yeti - Associated Group

[Secureworks IRON LIBERTY July 2019][Gigamon Berserk Bear October 2021][DOJ Russia Targeting Critical Infrastructure March 2022][UK GOV FSB Factsheet April 2022]

Internal MISP references

UUID 8e8f69f2-0bc1-4090-965b-1ee0e1e3cca9 which can be used as unique global reference for Crouching Yeti - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3d9d0d2d-ee9d-4367-bdf2-d690574f024d
Related clusters

To see the related clusters, click here.

Energetic Bear - Associated Group

[Symantec Dragonfly][Secureworks IRON LIBERTY July 2019][Secureworks MCMD July 2019][Secureworks Karagany July 2019][Gigamon Berserk Bear October 2021][DOJ Russia Targeting Critical Infrastructure March 2022][UK GOV FSB Factsheet April 2022]

Internal MISP references

UUID acc95a06-1553-4f73-a582-f40dc1187b58 which can be used as unique global reference for Energetic Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e668617b-973b-4869-ad59-f34975d77cfe
Related clusters

To see the related clusters, click here.

TEMP.Isotope - Associated Group

[Mandiant Ukraine Cyber Threats January 2022][Gigamon Berserk Bear October 2021]

Internal MISP references

UUID 2e1aa161-b0c0-431a-b974-735bb781c05a which can be used as unique global reference for TEMP.Isotope - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 949d3580-ee7a-4867-8875-323a417e689c
Related clusters

To see the related clusters, click here.

DYMALLOY - Associated Group

[Dragos DYMALLOY][UK GOV FSB Factsheet April 2022]

Internal MISP references

UUID a9bba2d1-7fc8-43a0-8442-a12cde99329e which can be used as unique global reference for DYMALLOY - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b59b1051-2d8d-4b44-8b89-36fce85042cd
Related clusters

To see the related clusters, click here.

TG-4192 - Associated Group

[Secureworks IRON LIBERTY July 2019][UK GOV FSB Factsheet April 2022]

Internal MISP references

UUID 5d23fa1e-ece1-4111-a5e3-7d9eb3a8c214 which can be used as unique global reference for TG-4192 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5bac4d4f-82e4-452c-9552-a65131d02d00
Related clusters

To see the related clusters, click here.

IRON LIBERTY - Associated Group

[Secureworks IRON LIBERTY July 2019][Secureworks MCMD July 2019][Secureworks Karagany July 2019][UK GOV FSB Factsheet April 2022]

Internal MISP references

UUID 8e252d57-69fb-4e48-a094-838e24fe620e which can be used as unique global reference for IRON LIBERTY - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f28310cb-19c5-41a1-8021-9bd81bc2919d
Related clusters

To see the related clusters, click here.

Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[DOJ Russia Targeting Critical Infrastructure March 2022][UK GOV FSB Factsheet April 2022] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[Symantec Dragonfly][Secureworks IRON LIBERTY July 2019][Symantec Dragonfly Sept 2017][Fortune Dragonfly 2.0 Sept 2017][Gigamon Berserk Bear October 2021][CISA AA20-296A Berserk Bear December 2020][Symantec Dragonfly 2.0 October 2017]

Internal MISP references

UUID 472080b0-e3d4-4546-9272-c4359fe856e1 which can be used as unique global reference for Dragonfly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G0035
observed_countries ['CA', 'FR', 'DE', 'GR', 'IT', 'NO', 'PL', 'RO', 'RU', 'RS', 'ES', 'TR', 'UA', 'GB', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
target_categories ['Energy', 'Government', 'Travel Services']
Related clusters

To see the related clusters, click here.

DragonOK

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [Operation Quantum Entanglement] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [New DragonOK]

Internal MISP references

UUID f2c2db08-624c-46b9-b7ed-b22c21b81813 which can be used as unique global reference for DragonOK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0017
observed_countries ['KH', 'JP', 'RU', 'TW']
source MITRE
target_categories ['Manufacturing', 'Technology']
Related clusters

To see the related clusters, click here.

TAG-22 - Associated Group

[Recorded Future TAG-22 July 2021]

Internal MISP references

UUID f52f1ae7-3df5-479c-b487-b214c2946fe3 which can be used as unique global reference for TAG-22 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e6b6aa2b-5da1-4cbf-9622-8d38a8b4433d
Related clusters

To see the related clusters, click here.

Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.[TrendMicro EarthLusca 2022]

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess that Earth Lusca's techniques and infrastructure are separate.[TrendMicro EarthLusca 2022]

Internal MISP references

UUID 646e35d2-75de-4c1d-8ad3-616d3e155c5e which can be used as unique global reference for Earth Lusca in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1006
source MITRE
Related clusters

To see the related clusters, click here.

Elderwood Gang - Associated Group

[Symantec Elderwood Sept 2012] [CSM Elderwood Sept 2012]

Internal MISP references

UUID 512f83c6-b369-4d53-82b6-5b27f60e970e which can be used as unique global reference for Elderwood Gang - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 54f3da5e-7868-4b0b-892a-86ee9356e5a5
Related clusters

To see the related clusters, click here.

Beijing Group - Associated Group

[CSM Elderwood Sept 2012]

Internal MISP references

UUID a34e5489-2c79-4363-8cbb-2073f310cadc which can be used as unique global reference for Beijing Group - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 8c302bb7-2c76-43dc-a048-7fbc713ca7e7
Related clusters

To see the related clusters, click here.

Sneaky Panda - Associated Group

[CSM Elderwood Sept 2012]

Internal MISP references

UUID 54369a73-2715-48b3-8897-26380a48683e which can be used as unique global reference for Sneaky Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id cd3eeeed-e0ef-49f7-9eb9-df6a53a43256
Related clusters

To see the related clusters, click here.

Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [Security Affairs Elderwood Sept 2012] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [Symantec Elderwood Sept 2012] [CSM Elderwood Sept 2012]

Internal MISP references

UUID 51146bb6-7478-44a3-8f08-19adcdceffca which can be used as unique global reference for Elderwood in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0066
observed_countries ['BE', 'CN', 'DE', 'ID', 'IT', 'JP', 'NL', 'RU', 'CH', 'GB', 'US']
source MITRE
target_categories ['Defense', 'Human Rights', 'Manufacturing', 'NGOs', 'Technology']
Related clusters

To see the related clusters, click here.

Saint Bear - Associated Group

[CrowdStrike Ember Bear Profile March 2022]

Internal MISP references

UUID 58a29d72-e635-443b-868d-5970497a02be which can be used as unique global reference for Saint Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d0beeeee-3a20-4b98-bc97-0df121eae455
Related clusters

To see the related clusters, click here.

Lorec53 - Associated Group

[CrowdStrike Ember Bear Profile March 2022]

Internal MISP references

UUID 458c2ae1-5ddf-40d6-9f57-e38ce07f7af0 which can be used as unique global reference for Lorec53 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 89dfab4b-1037-4f17-85cb-f232291f8d6a
Related clusters

To see the related clusters, click here.

UNC2589 - Associated Group

[Mandiant UNC2589 March 2022]

Internal MISP references

UUID d3f83fae-e133-4e00-a53b-f881f0a1f6e0 which can be used as unique global reference for UNC2589 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9fba3deb-1539-42b6-b10a-b12309cf0726
Related clusters

To see the related clusters, click here.

UAC-0056 - Associated Group

[CrowdStrike Ember Bear Profile March 2022]

Internal MISP references

UUID 00c980c7-47ad-409d-bb62-374e5a078de8 which can be used as unique global reference for UAC-0056 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4f5d4021-268c-4677-9063-0a06648c3851
Related clusters

To see the related clusters, click here.

Lorec Bear - Associated Group

[CrowdStrike Ember Bear Profile March 2022]

Internal MISP references

UUID 8196a760-2ea4-40a0-8229-405f43247543 which can be used as unique global reference for Lorec Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 2968e855-2fc6-4dd3-bf3b-244016608413
Related clusters

To see the related clusters, click here.

Bleeding Bear - Associated Group

[CrowdStrike Ember Bear Profile March 2022]

Internal MISP references

UUID 097d6980-041e-42b0-b1b0-219f70381167 which can be used as unique global reference for Bleeding Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id cef9334a-c8c2-4e6f-9d1f-69885568a767
Related clusters

To see the related clusters, click here.

Ember Bear

Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. Ember Bear has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[CrowdStrike Ember Bear Profile March 2022][Mandiant UNC2589 March 2022][Palo Alto Unit 42 OutSteel SaintBot February 2022]

Internal MISP references

UUID 407274be-1820-4a84-939e-629313f4de1d which can be used as unique global reference for Ember Bear in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1003
source MITRE
Related clusters

To see the related clusters, click here.

Equation

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. [Kaspersky Equation QA]

Internal MISP references

UUID a4704485-65b5-49ec-bebe-5cc932362dd2 which can be used as unique global reference for Equation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0020
observed_countries ['AF', 'BD', 'BE', 'BR', 'EC', 'FR', 'DE', 'HK', 'IN', 'IR', 'IQ', 'KZ', 'LB', 'LY', 'MY', 'ML', 'MX', 'NG', 'PK', 'PS', 'PH', 'QA', 'RU', 'SG', 'SO', 'ZA', 'SD', 'CH', 'SY', 'AE', 'GB', 'US', 'YE']
source MITRE
tags ['a98d7a43-f227-478e-81de-e7299639a355']
target_categories ['Aerospace', 'Defense', 'Energy', 'Financial Services', 'Government', 'Telecommunications']
Related clusters

To see the related clusters, click here.

Evilnum

Evilnum is a financially motivated threat group that has been active since at least 2018.[ESET EvilNum July 2020]

Internal MISP references

UUID 4bdc62c9-af6a-4377-8431-58a6f39235dd which can be used as unique global reference for Evilnum in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0120
observed_countries ['AU', 'CA', 'GB']
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Financial Services']

EXOTIC LILY

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.[Google EXOTIC LILY March 2022]

Internal MISP references

UUID 396a4361-3e84-47bc-9544-58e287c05799 which can be used as unique global reference for EXOTIC LILY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1011
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']

Ferocious Kitten

Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.[Kaspersky Ferocious Kitten Jun 2021]

Internal MISP references

UUID 275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb which can be used as unique global reference for Ferocious Kitten in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0137
observed_countries ['IR']
source MITRE

FIN10

FIN10 is a financially motivated threat group that targeted organizations in North America from at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [FireEye FIN10 June 2017]

Internal MISP references

UUID 345e553a-164d-4c9d-8bf9-19fcf8a51533 which can be used as unique global reference for FIN10 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0051
observed_countries ['CA', 'US']
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Casinos Gambling', 'Hospitality Leisure', 'Mining']
Related clusters

To see the related clusters, click here.

Pistachio Tempest - Associated Group

[CERTFR-2023-CTI-007]

Internal MISP references

UUID 4a4dfd05-0243-4a4d-a4f5-043a8098034d which can be used as unique global reference for Pistachio Tempest - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 57ff5c34-56d3-4499-a0ba-05a8bee6e810
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

FIN12

FIN12 is a financially motivated threat actor group believed to be responsible for multiple high-profile ransomware attacks since 2018. The group has attacked victims in various sectors and locations, including multiple attacks on healthcare entities. An October 2021 Mandiant assessment indicated 85% of the group's victims were U.S.-based, and the large majority of them were large enterprises with more than $300 million in annual revenue. The report also assessed that initial access brokers partnering with FIN12 target a wider range of organizations and allow FIN12 actors to select victims for further malicious activity.[Mandiant FIN12 Group Profile October 07 2021]

FIN12's toolset has reportedly shifted over time. Cobalt Strike has been observed in most intrusions. While TrickBot and Empire were common post-exploitation tools historically, French authorities observed the group using SystemBC alongside Cobalt Strike during a March 2023 hospital center intrusion. Ryuk, and to a lesser degree Conti, were traditionally used ransomware payloads, with the former used in a series of attacks on U.S. healthcare entities in 2020. However, a French CERT assessment published in 2023 linked the group to multiple more recent incidents it investigated and analyzed, which featured deployment of various ransomware families, including Hive, Nokoyawa, Play, Royal, and BlackCat, along with Emotet and BazarLoader malware for initial footholds.[Mandiant FIN12 Group Profile October 07 2021][CERTFR-2023-CTI-007]

Related Vulnerabilities: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[CERTFR-2023-CTI-007]

Internal MISP references

UUID 6d6ed42c-760c-4964-a81e-1d4df06a8800 which can be used as unique global reference for FIN12 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5008
observed_countries ['AU', 'CA', 'CO', 'FR', 'ID', 'KR', 'NZ', 'PG', 'PH', 'ES', 'GB', 'US']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['2743d495-7728-4a75-9e5f-b64854039792', 'ecd84106-2a5b-4d25-854e-b8d1f57f6b75', 'a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530', '4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', 'd385b541-4033-48df-93cd-237ca6e46f36']
target_categories ['Education', 'Financial Services', 'Government', 'Healthcare', 'Manufacturing', 'Technology']
Related clusters

To see the related clusters, click here.

Elephant Beetle - Associated Group

[Sygnia Elephant Beetle Jan 2022]

Internal MISP references

UUID 0bf8168b-e8b6-547b-ba47-a500a4f64a5b which can be used as unique global reference for Elephant Beetle - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f6570076-cfe5-5979-8e8a-ff8a17ca18b7
Related clusters

To see the related clusters, click here.

FIN13

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.[Mandiant FIN13 Aug 2022][Sygnia Elephant Beetle Jan 2022]

Internal MISP references

UUID 570198e3-b59c-5772-b1ee-15d7ea14d48a which can be used as unique global reference for FIN13 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1016
observed_countries ['MX']
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Commercial', 'Financial Services', 'Hospitality Leisure', 'Retail']
Related clusters

To see the related clusters, click here.

FIN4

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.[FireEye Hacking FIN4 Dec 2014][FireEye FIN4 Stealing Insider NOV 2014] FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.[FireEye Hacking FIN4 Dec 2014][FireEye Hacking FIN4 Video Dec 2014]

Internal MISP references

UUID 4b6531dc-5b29-4577-8b54-fa99229ab0ca which can be used as unique global reference for FIN4 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0085
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Financial Services', 'Healthcare', 'Pharmaceuticals']
Related clusters

To see the related clusters, click here.

FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [FireEye Respond Webinar July 2017] [Mandiant FIN5 GrrCON Oct 2016] [DarkReading FireEye FIN5 Oct 2015]

Internal MISP references

UUID 7902f5cc-d6a5-4a57-8d54-4c75e0c58b83 which can be used as unique global reference for FIN5 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0053
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Entertainment', 'Hospitality Leisure']
Related clusters

To see the related clusters, click here.

Skeleton Spider - Associated Group

[Crowdstrike Global Threat Report Feb 2018]

Internal MISP references

UUID b7091e08-25be-44de-a445-d81ca9fdc073 which can be used as unique global reference for Skeleton Spider - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9f03f902-385c-4206-84f9-8b400d46f8c6
Related clusters

To see the related clusters, click here.

Magecart Group 6 - Associated Group

[Security Intelligence ITG08 April 2020]

Internal MISP references

UUID 5b35e532-aaed-4e3b-bb9f-452e3c7fa8bb which can be used as unique global reference for Magecart Group 6 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 49613f19-cdb5-4063-a2b3-df60c9750723
Related clusters

To see the related clusters, click here.

ITG08 - Associated Group

[Security Intelligence More Eggs Aug 2019]

Internal MISP references

UUID 6e65d12f-a1d8-4f49-9e47-c6a58f950e7f which can be used as unique global reference for ITG08 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 81937cf7-c508-4b03-a184-2ed3bf2b153d
Related clusters

To see the related clusters, click here.

FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[FireEye FIN6 April 2016][FireEye FIN6 Apr 2019]

Internal MISP references

UUID fcaadc12-7c17-4946-a9dc-976ed610854c which can be used as unique global reference for FIN6 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0037
observed_countries ['US']
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Financial Services', 'Hospitality Leisure', 'Retail']
Related clusters

To see the related clusters, click here.

GOLD NIAGARA - Associated Group

[Secureworks GOLD NIAGARA Threat Profile]

Internal MISP references

UUID 89f19c2d-3449-4c67-9f1b-710217bc2a6f which can be used as unique global reference for GOLD NIAGARA - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 35eb1977-d260-4526-8248-289aa4a8a67a
Related clusters

To see the related clusters, click here.

ITG14 - Associated Group

ITG14 shares campaign overlap with FIN7.[IBM Ransomware Trends September 2020]

Internal MISP references

UUID f67c4cea-6f4e-43c9-ab46-2075a57c4aaf which can be used as unique global reference for ITG14 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c91ddd70-0a48-4185-bc9c-bb3ca66bf365
Related clusters

To see the related clusters, click here.

Carbon Spider - Associated Group

[CrowdStrike Carbon Spider August 2021]

Internal MISP references

UUID 7bdc9be3-109a-42e5-88ff-6260c6407478 which can be used as unique global reference for Carbon Spider - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 02638e6a-1ed5-4ada-88f8-fd5cea55c5c1
Related clusters

To see the related clusters, click here.

FIN7

FIN7 is a financially motivated threat group that has been active since 2013. FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of FIN7 was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 has shifted operations to a big game hunting (BGH) approach, including use of REvil ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but there appear to be several groups using Carbanak malware, which are therefore tracked separately.[FireEye FIN7 March 2017][FireEye FIN7 April 2017][FireEye CARBANAK June 2017][FireEye FIN7 Aug 2018][CrowdStrike Carbon Spider August 2021][Mandiant FIN7 Apr 2022]

Internal MISP references

UUID 4348c510-50fc-4448-ab8d-c8cededd19ff which can be used as unique global reference for FIN7 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0046
observed_countries ['BG', 'CZ', 'FR', 'DE', 'IE', 'KW', 'LB', 'NO', 'PL', 'RO', 'RU', 'ES', 'AE', 'GB', 'US', 'YE']
observed_motivations ['Financial Gain']
source MITRE
tags ['33d22eff-59a1-47e0-b9eb-615dee314595', 'f2ae2283-f94d-4f8f-bbde-43f2bed66c55', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Agriculture', 'Automotive', 'Education', 'Electronics', 'Financial Services', 'Government', 'Healthcare', 'Hospitality Leisure', 'Legal', 'Manufacturing', 'Media', 'Retail', 'Technology', 'Transportation']
Related clusters

To see the related clusters, click here.

Syssphinx - Associated Group

[Symantec FIN8 Jul 2023]

Internal MISP references

UUID 5cd4a69b-7a62-5091-be06-e73477878441 which can be used as unique global reference for Syssphinx - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 8c20b2f1-4787-59dc-9c08-3412f337ea42
Related clusters

To see the related clusters, click here.

FIN8

FIN8 is a financially motivated threat group that has been active since at least January 2016 and is known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[FireEye Obfuscation June 2017][FireEye Fin8 May 2016][Bitdefender Sardonic Aug 2021][Symantec FIN8 Jul 2023]

Internal MISP references

UUID b3061284-0335-4dcb-9f8e-a3b0412fd46f which can be used as unique global reference for FIN8 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0061
observed_countries ['CA', 'IT', 'ZA', 'US']
observed_motivations ['Financial Gain']
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Chemical', 'Hospitality Leisure', 'Insurance', 'Retail', 'Technology']
Related clusters

To see the related clusters, click here.

Pioneer Kitten - Associated Group

[CrowdStrike PIONEER KITTEN August 2020][CISA AA20-259A Iran-Based Actor September 2020]

Internal MISP references

UUID 70b3c377-6e46-45d1-bc24-edb920ad535d which can be used as unique global reference for Pioneer Kitten - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0977cc1e-b932-405f-9b3e-5794f433168b
Related clusters

To see the related clusters, click here.

UNC757 - Associated Group

[CISA AA20-259A Iran-Based Actor September 2020][CrowdStrike PIONEER KITTEN August 2020]

Internal MISP references

UUID 89d106ad-e7dc-4b3c-8bbb-b8acbf45d47e which can be used as unique global reference for UNC757 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4ffe9f06-3d82-4a4e-98a9-4fc684ece5da
Related clusters

To see the related clusters, click here.

Parisite - Associated Group

[Dragos PARISITE ][ClearkSky Fox Kitten February 2020][CrowdStrike PIONEER KITTEN August 2020]

Internal MISP references

UUID 580af0b1-0ed3-461e-8144-c95364116faa which can be used as unique global reference for Parisite - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5bdaf4d6-1877-49a3-b180-f7e7839501ae
Related clusters

To see the related clusters, click here.

Fox Kitten

Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[ClearkSky Fox Kitten February 2020][CrowdStrike PIONEER KITTEN August 2020][Dragos PARISITE ][ClearSky Pay2Kitten December 2020]

Internal MISP references

UUID 7094468a-2310-48b5-ad24-e669152bd66d which can be used as unique global reference for Fox Kitten in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0117
observed_countries ['AU', 'AT', 'FI', 'FR', 'DE', 'HU', 'IE', 'IL', 'IT', 'KW', 'LB', 'MY', 'PL', 'SA', 'TR', 'AE', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
tags ['291c006e-f77a-4c9c-ae7e-084974c0e1eb']
target_categories ['Aerospace', 'Chemical', 'Defense', 'Education', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'Insurance', 'Manufacturing', 'Media', 'Retail', 'Technology', 'Telecommunications', 'Utilities']
Related clusters

To see the related clusters, click here.

Operation Soft Cell - Associated Group

[Cybereason Soft Cell June 2019]

Internal MISP references

UUID 90e2eeaa-23b5-4bc5-a277-af26f9ee2326 which can be used as unique global reference for Operation Soft Cell - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f62031bd-1f41-469e-8e5e-eef621fc4eac
Related clusters

To see the related clusters, click here.

GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[Cybereason Soft Cell June 2019][Microsoft GALLIUM December 2019][Unit 42 PingPull Jun 2022]

Internal MISP references

UUID 15ff1ce0-44f0-4f1d-a4ef-83444570e572 which can be used as unique global reference for GALLIUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0093
source MITRE
target_categories ['Telecommunications']
Related clusters

To see the related clusters, click here.

Gallmaker

Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.[Symantec Gallmaker Oct 2018]

Internal MISP references

UUID cd483597-4eda-4e16-bb58-353488511410 which can be used as unique global reference for Gallmaker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0084
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Government']

Primitive Bear - Associated Group

[Unit 42 Gamaredon February 2022]

Internal MISP references

UUID 24e4dcfa-128c-455f-9eb9-088ec37b31ca which can be used as unique global reference for Primitive Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 05e88887-5044-47d5-a5f0-a13f316f8e5b
Related clusters

To see the related clusters, click here.

Shuckworm - Associated Group

[Symantec Shuckworm January 2022]

Internal MISP references

UUID a5b946ca-ce53-4011-bf46-975390ab31d0 which can be used as unique global reference for Shuckworm - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 51829cc6-51c3-4dfc-bc75-a9d3252d7734
Related clusters

To see the related clusters, click here.

IRON TILDEN - Associated Group

[Secureworks IRON TILDEN Profile]

Internal MISP references

UUID 27cc58cd-ad07-4921-9dcc-bd3d81ab4164 which can be used as unique global reference for IRON TILDEN - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6d5abd74-b676-43d9-b9d2-7832d668fa75
Related clusters

To see the related clusters, click here.

ACTINIUM - Associated Group

[Microsoft Actinium February 2022]

Internal MISP references

UUID 42979c45-dfcb-4be8-8c6b-2428f87fb96b which can be used as unique global reference for ACTINIUM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 21677f2b-d795-4f85-ae84-14a413f3659a
Related clusters

To see the related clusters, click here.

Armageddon - Associated Group

[Symantec Shuckworm January 2022]

Internal MISP references

UUID c06e119e-26b7-46f1-bf6c-35b68f091152 which can be used as unique global reference for Armageddon - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b9bccf61-d9c9-47e6-8de1-f79b9ac68e62
Related clusters

To see the related clusters, click here.

DEV-0157 - Associated Group

[Microsoft Actinium February 2022]

Internal MISP references

UUID 5c73e944-4ec1-4b9f-92c6-134952b224cd which can be used as unique global reference for DEV-0157 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e35e0af5-656b-4227-956b-eb666edaff13
Related clusters

To see the related clusters, click here.

Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.[Palo Alto Gamaredon Feb 2017][TrendMicro Gamaredon April 2020][ESET Gamaredon June 2020][Symantec Shuckworm January 2022][Microsoft Actinium February 2022]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia's Federal Security Service (FSB) Center 18.[Bleepingcomputer Gamardeon FSB November 2021][Microsoft Actinium February 2022]

Internal MISP references

UUID 41e8b4a4-2d31-46ee-bc56-12375084d067 which can be used as unique global reference for Gamaredon Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G0047
observed_countries ['AL', 'AU', 'AT', 'BD', 'BR', 'CA', 'CL', 'CN', 'CO', 'HR', 'DK', 'GE', 'DE', 'GT', 'HN', 'IN', 'ID', 'IR', 'IL', 'IT', 'JP', 'KZ', 'KR', 'LV', 'MY', 'NL', 'NG', 'NO', 'PK', 'PG', 'PL', 'PT', 'RO', 'RU', 'ZA', 'ES', 'SE', 'TR', 'UA', 'GB', 'US', 'VN']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'NGOs', 'Non Profit']
Related clusters

To see the related clusters, click here.

GCMAN

GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. [Securelist GCMAN]

Internal MISP references

UUID dbc85db0-937d-47d7-9002-7364d41be48a which can be used as unique global reference for GCMAN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0036
observed_motivations ['Financial Gain']
source MITRE
target_categories ['Financial Services']
Related clusters

To see the related clusters, click here.

Pinchy Spider - Associated Group

[CrowdStrike Evolution of Pinchy Spider July 2021]

Internal MISP references

UUID 7f1fa605-10cc-5317-a88c-b174f3ad7596 which can be used as unique global reference for Pinchy Spider - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 01341fff-9dbd-5a1e-ae91-18fb56f2d943
Related clusters

To see the related clusters, click here.

GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, GOLD SOUTHFIELD had started capitalizing on the new trend of stealing data and further extorting victims by threatening to publicly leak the stolen data unless they paid.[Secureworks REvil September 2019][Secureworks GandCrab and REvil September 2019][Secureworks GOLD SOUTHFIELD][CrowdStrike Evolution of Pinchy Spider July 2021]

Internal MISP references

UUID b4d068ac-9b68-4cd8-bf0c-019f910ef8e3 which can be used as unique global reference for GOLD SOUTHFIELD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0115
observed_motivations ['Financial Gain']
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
Related clusters

To see the related clusters, click here.

Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [Unit 42 Gorgon Group Aug 2018]

Internal MISP references

UUID efb3b5ac-cd86-44a2-9de1-02e4612b8cc2 which can be used as unique global reference for Gorgon Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country PK
group_attack_id G0078
observed_countries ['RU', 'ES', 'GB', 'US']
source MITRE
target_categories ['Government']
Related clusters

To see the related clusters, click here.

Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. [Citizen Lab Group5]

Internal MISP references

UUID fcc6d937-8cd6-4f2c-adb8-48caedbde70a which can be used as unique global reference for Group5 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0043
source MITRE
Related clusters

To see the related clusters, click here.

Operation Exchange Marauder - Associated Group

[Volexity Exchange Marauder March 2021]

Internal MISP references

UUID 956cc6a9-b4e2-40ec-aa22-5dc90e2ab2d0 which can be used as unique global reference for Operation Exchange Marauder - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id df9d2cd4-0d5d-4c66-8fe6-4268d17dd35d
Related clusters

To see the related clusters, click here.

HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.[Microsoft HAFNIUM March 2020][Volexity Exchange Marauder March 2021]

Internal MISP references

UUID 1bcc9382-ccfe-4b04-91f3-ef1250df5e5b which can be used as unique global reference for HAFNIUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0125
observed_countries ['US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Education', 'Legal', 'NGOs', 'Think Tanks']
Related clusters

To see the related clusters, click here.

Lyceum - Associated Group

[SecureWorks August 2019]

Internal MISP references

UUID 140137f2-039a-4ade-a043-039b2093e25e which can be used as unique global reference for Lyceum - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e623a904-bd7d-4c22-a6d2-73172e6905b2
Related clusters

To see the related clusters, click here.

Siamesekitten - Associated Group

[ClearSky Siamesekitten August 2021]

Internal MISP references

UUID 05b6f4a6-e54d-42db-a47e-4bcfae56c0f6 which can be used as unique global reference for Siamesekitten - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 10fda21c-e31e-4336-ad27-f8fc56af4286
Related clusters

To see the related clusters, click here.

Spirlin - Associated Group

[Accenture Lyceum Targets November 2021]

Internal MISP references

UUID 16662d03-d9bf-448d-9fef-40af53a2bc76 which can be used as unique global reference for Spirlin - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 19a29b1a-d82e-47cd-930c-2af4f66d918e
Related clusters

To see the related clusters, click here.

HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[Dragos Hexane][Kaspersky Lyceum October 2021][ClearSky Siamesekitten August 2021][Accenture Lyceum Targets November 2021]

Internal MISP references

UUID eecf7289-294f-48dd-a747-7705820f4735 which can be used as unique global reference for HEXANE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1001
source MITRE
Related clusters

To see the related clusters, click here.

Higaisa

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.[Malwarebytes Higaisa 2020][Zscaler Higaisa 2020][PTSecurity Higaisa 2020]

Internal MISP references

UUID f1477581-d485-403f-a95f-c56bf88c5d1e which can be used as unique global reference for Higaisa in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country KR
group_attack_id G0126
observed_countries ['CN', 'JP', 'KP', 'PL', 'RU']
source MITRE
target_categories ['Government']

Inception Framework - Associated Group

[Symantec Inception Framework March 2018]

Internal MISP references

UUID 42936511-3367-4000-b700-cba2ed0a5c6c which can be used as unique global reference for Inception Framework - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e5049581-6e7a-4ef4-a437-b6505b51faa0
Related clusters

To see the related clusters, click here.

Cloud Atlas - Associated Group

[Kaspersky Cloud Atlas December 2014]

Internal MISP references

UUID ec26e42e-45f7-4d88-ae4b-f141dd03e192 which can be used as unique global reference for Cloud Atlas - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 66df8607-fd7c-49d8-b6f5-5519a200077b
Related clusters

To see the related clusters, click here.

Inception

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.[Unit 42 Inception November 2018][Symantec Inception Framework March 2018][Kaspersky Cloud Atlas December 2014]

Internal MISP references

UUID d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6 which can be used as unique global reference for Inception in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0100
observed_countries ['BE', 'BG', 'FR', 'GE', 'IR', 'KE', 'MY', 'MD', 'RU', 'ZA', 'SR', 'TR', 'UA', 'GB', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
tags ['291c006e-f77a-4c9c-ae7e-084974c0e1eb']
target_categories ['Aerospace', 'Defense', 'Energy', 'Government', 'Media']
Related clusters

To see the related clusters, click here.

IndigoZebra

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.[HackerNews IndigoZebra July 2021][Checkpoint IndigoZebra July 2021][Securelist APT Trends Q2 2017]

Internal MISP references

UUID 988f5312-834e-48ea-93b7-e6e01ee0938d which can be used as unique global reference for IndigoZebra in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0136
observed_countries ['AF', 'KG', 'UZ']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Government']

Evil Corp - Associated Group

[Crowdstrike EvilCorp March 2021][Treasury EvilCorp Dec 2019]

Internal MISP references

UUID bc61566f-d467-43bd-bea8-b04d6eb26318 which can be used as unique global reference for Evil Corp - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c7f362ba-2ba3-4adc-bae7-186cebe57a17
Related clusters

To see the related clusters, click here.

Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially operated the Dridex banking Trojan, and by 2017 it had begun running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed its tactics and diversified its toolset.[Crowdstrike Indrik November 2018][Crowdstrike EvilCorp March 2021][Treasury EvilCorp Dec 2019]

Internal MISP references

UUID 3c7ad595-1940-40fc-b9ca-3e649c1e5d87 which can be used as unique global reference for Indrik Spider in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G0119
observed_countries ['GB', 'US']
observed_motivations ['Financial Gain']
source MITRE
tags ['c9c73000-30a5-4a16-8c8b-79169f9c24aa', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Healthcare', 'Insurance']
Related clusters

To see the related clusters, click here.

Vixen Panda - Associated Group

[NCC Group APT15 Alive and Strong][APT15 Intezer June 2018]

Internal MISP references

UUID 3c0dfd27-fc7a-48c5-a431-6f62f3f9319a which can be used as unique global reference for Vixen Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 54d5de05-eb9c-43ed-a842-9ea5febf0f07
Related clusters

To see the related clusters, click here.

Playful Dragon - Associated Group

[NCC Group APT15 Alive and Strong][APT15 Intezer June 2018]

Internal MISP references

UUID 6231a5a9-ca9a-435e-abf3-a78478484513 which can be used as unique global reference for Playful Dragon - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9d256af2-5d63-46f0-8955-d92fa9de9fad
Related clusters

To see the related clusters, click here.

APT15 - Associated Group

[NCC Group APT15 Alive and Strong]

Internal MISP references

UUID fa320745-a2e5-4f54-8cb6-c0056e18805e which can be used as unique global reference for APT15 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 85d2f1ad-bd89-4bd4-96b9-59372240393c
Related clusters

To see the related clusters, click here.

Mirage - Associated Group

[NCC Group APT15 Alive and Strong]

Internal MISP references

UUID 95a17f0a-d6ca-4d82-add7-96f97104a471 which can be used as unique global reference for Mirage - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6269d7b4-0684-40b5-b50d-2ec1208f2283
Related clusters

To see the related clusters, click here.

GREF - Associated Group

[NCC Group APT15 Alive and Strong]

Internal MISP references

UUID 85d23b10-4d88-41b5-a1e6-628faf4dfcdd which can be used as unique global reference for GREF - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 80510930-523c-4f80-8be0-f150a2811b06
Related clusters

To see the related clusters, click here.

RoyalAPT - Associated Group

[APT15 Intezer June 2018]

Internal MISP references

UUID 53e4969e-6d5f-447a-b589-cf4ec546985b which can be used as unique global reference for RoyalAPT - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5ea8cd55-276b-4ef0-bfcd-cab7fc2f6e3d
Related clusters

To see the related clusters, click here.

NICKEL - Associated Group

[Microsoft NICKEL December 2021]

Internal MISP references

UUID dac81780-75d0-4e20-91a5-d6f9f4e21de3 which can be used as unique global reference for NICKEL - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 852e49f7-6e42-4cc9-b642-4033cf7731c2
Related clusters

To see the related clusters, click here.

Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, and military organizations, as well as NGOs, in Central and South America, the Caribbean, Europe, and North America since at least 2010.[Mandiant Operation Ke3chang November 2014][NCC Group APT15 Alive and Strong][APT15 Intezer June 2018][Microsoft NICKEL December 2021]

Internal MISP references

UUID 26c0925f-1a3c-4df6-b27a-62b9731299b8 which can be used as unique global reference for Ke3chang in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0004
observed_countries ['AF', 'AR', 'BB', 'BE', 'BA', 'BR', 'BG', 'CL', 'CN', 'CO', 'HR', 'CZ', 'DO', 'EC', 'EG', 'SV', 'FR', 'GT', 'HN', 'HU', 'IN', 'ID', 'IR', 'IT', 'JM', 'KZ', 'KW', 'MY', 'ML', 'MX', 'ME', 'PK', 'PA', 'PE', 'PT', 'SA', 'SK', 'CH', 'SY', 'TT', 'TR', 'GB', 'US', 'UZ', 'VE']
source MITRE
target_categories ['Defense', 'Energy', 'Government', 'Media', 'NGOs']
Related clusters

To see the related clusters, click here.

Killnet

Killnet is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) attacks in support of its ideology, which appears to largely align with Russian state interests. The group emerged in October 2021, initially offering DDoS capabilities as a for-hire service. However, after the February 2022 Russian invasion of Ukraine, Killnet explicitly pledged allegiance to Russia and began to threaten and claim responsibility for attacks on targets in Ukraine and in countries perceived to support Ukraine. To date, the group has claimed and is believed to be responsible for a considerable number of DDoS attacks on government and private sector targets in a range of sectors, using a variety of discrete techniques to carry them out. It is also believed to be behind a smaller number of data exfiltration-focused attacks, and it has promoted the use of defacement tools in its communication channels with supporters.[Flashpoint Glossary Killnet]

In October 2023, following a series of air- and land-based attacks in the Gaza Strip, researchers observed Killnet claiming responsibility for disruptive attacks against computer networks in Israel and pledging explicit support for Palestinian interests.[RyanW3stman Tweet October 10 2023]

Internal MISP references

UUID 35fb7663-5c5d-43fe-a507-49612aa7960e which can be used as unique global reference for Killnet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5009
observed_countries ['BE', 'CZ', 'EE', 'DE', 'IT', 'LT', 'PL', 'RO', 'UA', 'GB', 'US']
owner TidalCyberIan
source Tidal Cyber
tags ['62bde669-3020-4682-be68-36c83b2588a4']
target_categories ['Aerospace', 'Banks', 'Energy', 'Government', 'Healthcare', 'Media', 'Transportation']

STOLEN PENCIL - Associated Group

[Netscout Stolen Pencil Dec 2018]

Internal MISP references

UUID 11901dae-ceb9-4469-8529-f517d6489ca8 which can be used as unique global reference for STOLEN PENCIL - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 48a0ecdd-62c2-45bf-897d-ebb600c024e8
Related clusters

To see the related clusters, click here.

Thallium - Associated Group

[Cybereason Kimsuky November 2020][Malwarebytes Kimsuky June 2021]

Internal MISP references

UUID c6cbcc71-4931-460b-8676-b638be841995 which can be used as unique global reference for Thallium - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e873e5fe-ed66-45ce-9268-fe13de26cbfd
Related clusters

To see the related clusters, click here.

Black Banshee - Associated Group

[Cybereason Kimsuky November 2020][Malwarebytes Kimsuky June 2021]

Internal MISP references

UUID 983f8775-5730-4400-92b3-ef3643b2b33c which can be used as unique global reference for Black Banshee - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7e398a52-c8ba-44be-ac42-e8c002cb7833
Related clusters

To see the related clusters, click here.

Velvet Chollima - Associated Group

[Zdnet Kimsuky Dec 2018][ThreatConnect Kimsuky September 2020][Malwarebytes Kimsuky June 2021]

Internal MISP references

UUID 983d7efc-068e-41b2-96da-524af88985a8 which can be used as unique global reference for Velvet Chollima - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 132b93a4-31e4-4ddf-9138-1c14b8405ece
Related clusters

To see the related clusters, click here.

Kimsuky

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.[EST Kimsuky April 2019][BRI Kimsuky April 2019][Cybereason Kimsuky November 2020][Malwarebytes Kimsuky June 2021][CISA AA20-301A Kimsuky]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[Netscout Stolen Pencil Dec 2018][EST Kimsuky SmokeScreen April 2019][AhnLab Kimsuky Kabar Cobra Feb 2019]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Internal MISP references

UUID 37f317d8-02f0-43d4-8a7d-7a65ce8aadf1 which can be used as unique global reference for Kimsuky in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country KP
group_attack_id G0094
observed_countries ['JP', 'KR', 'RU', 'TH', 'GB', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Education', 'Energy', 'Government', 'Media', 'NGOs', 'Pharmaceuticals', 'Think Tanks']
Related clusters

To see the related clusters, click here.

DEV-0537 - Associated Group

[MSTIC DEV-0537 Mar 2022]

Internal MISP references

UUID fc95e9b7-ae40-4a2f-b1f6-a42facc3c237 which can be used as unique global reference for DEV-0537 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0c1bf460-0c44-4fd4-94e3-4f6dbf3c3595
Related clusters

To see the related clusters, click here.

LAPSUS$

LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[BBC LAPSUS Apr 2022][MSTIC DEV-0537 Mar 2022][UNIT 42 LAPSUS Mar 2022]

Internal MISP references

UUID 0060bb76-6713-4942-a4c0-d4ae01ec2866 which can be used as unique global reference for LAPSUS$ in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1004
source MITRE
tags ['2e5f6e4a-4579-46f7-9997-6923180815dd', 'c9c73000-30a5-4a16-8c8b-79169f9c24aa', 'a2e000da-8181-4327-bacd-32013dbd3654', '5e7433ad-a894-4489-93bc-41e90da90019']
Related clusters

To see the related clusters, click here.

HIDDEN COBRA - Associated Group

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.[US-CERT HIDDEN COBRA June 2017][US-CERT HOPLIGHT Apr 2019]

Internal MISP references

UUID df5caef8-2e25-4ddd-ae58-2c9ad119834d which can be used as unique global reference for HIDDEN COBRA - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6d6d0a15-350e-442b-bbe8-cfc28f40b9e0
Related clusters

To see the related clusters, click here.

Labyrinth Chollima - Associated Group

[CrowdStrike Labyrinth Chollima Feb 2022]

Internal MISP references

UUID a7be1337-efab-48a8-9bf4-6f300291d150 which can be used as unique global reference for Labyrinth Chollima - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 2a2d3baf-5277-43cc-9209-abffd7cc4529
Related clusters

To see the related clusters, click here.

Guardians of Peace - Associated Group

[US-CERT HIDDEN COBRA June 2017]

Internal MISP references

UUID 618bd388-b295-4076-a63e-c1e2515dab4e which can be used as unique global reference for Guardians of Peace - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f01a88d1-c368-48ca-a8f6-30286ed86e4b
Related clusters

To see the related clusters, click here.

ZINC - Associated Group

[Microsoft ZINC disruption Dec 2017]

Internal MISP references

UUID 4fc58da4-8398-43f9-b037-fd873ed5864e which can be used as unique global reference for ZINC - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 63a91edc-9911-42e9-9970-a3f77fda65a9
Related clusters

To see the related clusters, click here.

NICKEL ACADEMY - Associated Group

[Secureworks NICKEL ACADEMY Dec 2017]

Internal MISP references

UUID b7b671c3-2339-4521-a12d-b57821ad5c12 which can be used as unique global reference for NICKEL ACADEMY - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 00f50f21-fee3-4328-b628-5e0096489cea
Related clusters

To see the related clusters, click here.

Diamond Sleet - Associated Group

Internal MISP references

UUID 972c0eea-6037-4aac-ac22-e1e991898dcb which can be used as unique global reference for Diamond Sleet - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 142273a2-ed90-4ba2-8375-bdc3398a7db5
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.[US-CERT HIDDEN COBRA June 2017][Treasury North Korean Cyber Groups September 2019] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. [Novetta Blockbuster]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups, such as Andariel, APT37, APT38, and Kimsuky.
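The overlap noted above (here and in the Kimsuky entry) is a practical problem for anyone consuming this galaxy: a vendor name such as HIDDEN COBRA or Diamond Sleet has to be resolved to a cluster, and a consumer that collapses every KP-attributed cluster into one profile should know what that merge discards. The following is an added example, not code from the Tidal or MISP projects. It works on constructed galaxy JSON modelled on the Kimsuky and Lazarus Group entries on this page; the `synonyms` key follows the general MISP galaxy cluster convention and the galaxy type name `tidal-groups` is an assumption.

```python
"""Alias resolution and cluster merging over MISP-galaxy-style threat-actor data.

Added example. GALAXY_JSON is constructed from the Kimsuky and Lazarus Group
entries on this page; the associated-group names are carried as `synonyms`
(MISP galaxy convention, assumed for the Tidal export) and the galaxy type
`tidal-groups` is assumed.
"""
import json
from collections import defaultdict

GALAXY_JSON = json.dumps({
    "type": "tidal-groups",  # assumed galaxy type name
    "values": [
        {
            "uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
            "value": "Kimsuky",
            "meta": {
                "country": "KP",
                "group_attack_id": "G0094",
                "observed_countries": ["JP", "KR", "RU", "TH", "GB", "US"],
                "target_categories": ["Defense", "Education", "Energy", "Government",
                                      "Media", "NGOs", "Pharmaceuticals", "Think Tanks"],
                "synonyms": [],
            },
        },
        {
            "uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
            "value": "Lazarus Group",
            "meta": {
                "country": "KP",
                "group_attack_id": "G0032",
                "observed_countries": ["AU", "IN", "IL", "KR", "RU", "US"],
                "target_categories": ["Aerospace", "Casinos Gambling", "Defense",
                                      "Entertainment", "Financial Services",
                                      "Government", "Infrastructure"],
                "synonyms": ["HIDDEN COBRA", "Labyrinth Chollima", "Guardians of Peace",
                             "ZINC", "NICKEL ACADEMY", "Diamond Sleet"],
            },
        },
    ],
})


def load_galaxy(text):
    """Parse a galaxy JSON document; only the `values` array is used here."""
    galaxy = json.loads(text)
    if "values" not in galaxy:
        raise ValueError("not a galaxy document: missing 'values'")
    return galaxy


def _norm(name):
    """Case- and whitespace-insensitive key for vendor names."""
    return " ".join(name.casefold().split())


def build_alias_index(galaxy):
    """Map every name a cluster is known by (value, synonyms, ATT&CK group id)
    to the list of clusters claiming it. A list rather than a single entry,
    because vendor naming overlaps and one alias can point at several clusters."""
    index = defaultdict(list)
    for cluster in galaxy["values"]:
        meta = cluster.get("meta", {})
        names = [cluster["value"], *meta.get("synonyms", [])]
        if "group_attack_id" in meta:
            names.append(meta["group_attack_id"])
        for name in names:
            key = _norm(name)
            if cluster not in index[key]:
                index[key].append(cluster)
    return index


def resolve(index, name):
    """Return (cluster, ambiguous). cluster is None when the alias is unknown;
    ambiguous is True when more than one cluster claims the alias."""
    hits = index.get(_norm(name), [])
    if not hits:
        return None, False
    return hits[0], len(hits) > 1


def misp_tag(galaxy_type, cluster):
    """Tag string MISP attaches to an event for this cluster."""
    return f'misp-galaxy:{galaxy_type}="{cluster["value"]}"'


def merged_profile(galaxy, country):
    """Collapse every cluster attributed to `country` into one profile, which
    is what a consumer ends up with when all of a state's activity is reported
    under a single name. The member list shows what granularity was lost."""
    members, attack_ids, observed, targets = [], set(), set(), set()
    for cluster in galaxy["values"]:
        meta = cluster.get("meta", {})
        if meta.get("country") != country:
            continue
        members.append(cluster["value"])
        if meta.get("group_attack_id"):
            attack_ids.add(meta["group_attack_id"])
        observed.update(meta.get("observed_countries", []))
        targets.update(meta.get("target_categories", []))
    return {"members": sorted(members), "attack_ids": sorted(attack_ids),
            "observed_countries": sorted(observed), "target_categories": sorted(targets)}


GALAXY = load_galaxy(GALAXY_JSON)
ALIASES = build_alias_index(GALAXY)

if __name__ == "__main__":
    for alias in ("HIDDEN COBRA", "G0094", "Diamond Sleet", "Unknown Panda"):
        cluster, ambiguous = resolve(ALIASES, alias)
        print(alias, "->", cluster["value"] if cluster else None,
              "(ambiguous)" if ambiguous else "")
    print(misp_tag(GALAXY["type"], resolve(ALIASES, "ZINC")[0]))
    print(json.dumps(merged_profile(GALAXY, "KP"), indent=2))
```

The index deliberately keeps every cluster that claims an alias instead of the last one written, so a report that uses a name shared by two clusters is flagged as ambiguous rather than silently attributed to whichever cluster happened to load last.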

Internal MISP references

UUID 0bc66e95-de93-4de7-b415-4041b7191f08 which can be used as unique global reference for Lazarus Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country KP
group_attack_id G0032
observed_countries ['AU', 'IN', 'IL', 'KR', 'RU', 'US']
observed_motivations ['Cyber Espionage', 'Destruction', 'Financial Gain']
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
target_categories ['Aerospace', 'Casinos Gambling', 'Defense', 'Entertainment', 'Financial Services', 'Government', 'Infrastructure']
Related clusters

To see the related clusters, click here.

LazyScripter

LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.[MalwareBytes LazyScripter Feb 2021]

Internal MISP references

UUID 12279b62-289e-49ee-97cb-c780edd3d091 which can be used as unique global reference for LazyScripter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0140
source MITRE
target_categories ['Travel Services']

Raspite - Associated Group

[Dragos Raspite Aug 2018]

Internal MISP references

UUID 044d8fd0-faad-4e9f-bc5a-807e7147a331 which can be used as unique global reference for Raspite - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 8f5e7cb9-6aa8-4115-ab23-fbc6bf4fc287
Related clusters

To see the related clusters, click here.

Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [Symantec Leafminer July 2018]

Internal MISP references

UUID b5c28235-d441-40d9-8da2-d49ba2f2568b which can be used as unique global reference for Leafminer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0077
observed_countries ['IL', 'KW', 'LB', 'SA', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Aerospace', 'Construction', 'Energy', 'Financial Services', 'Government', 'Telecommunications', 'Transportation', 'Utilities']
Related clusters

To see the related clusters, click here.

Kryptonite Panda - Associated Group

[CISA AA21-200A APT40 July 2021][Crowdstrike KRYPTONITE PANDA August 2018]

Internal MISP references

UUID e7a109ad-fa21-4fcf-a1fb-2a497146db2b which can be used as unique global reference for Kryptonite Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id bb7b96da-5773-4314-af76-c9125e49ec76
Related clusters

To see the related clusters, click here.

BRONZE MOHAWK - Associated Group

[CISA AA21-200A APT40 July 2021][SecureWorks BRONZE MOHAWK n.d.]

Internal MISP references

UUID 5b71f978-8056-47a9-b4f9-d2520fc396a0 which can be used as unique global reference for BRONZE MOHAWK - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id bf460be9-8968-4e1e-ad4e-8217a9878636
Related clusters

To see the related clusters, click here.

APT40 - Associated Group

FireEye reporting on TEMP.Periscope (which was later merged into APT40) indicated that TEMP.Periscope had also been reported on as Leviathan.[CISA AA21-200A APT40 July 2021][Proofpoint Leviathan Oct 2017][FireEye Periscope March 2018][FireEye APT40 March 2019]

Internal MISP references

UUID 06d1c9bb-8951-4e14-a775-9a248d6390cf which can be used as unique global reference for APT40 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 156ac67f-c989-40a6-80bd-2273bae6e46e
Related clusters

To see the related clusters, click here.

MUDCARP - Associated Group

[CISA AA21-200A APT40 July 2021][Accenture MUDCARP March 2019]

Internal MISP references

UUID 97a136d2-2bb1-44ed-a33b-cf87374b24a7 which can be used as unique global reference for MUDCARP - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c86cf832-0c84-4960-a735-26c763fb9d37
Related clusters

To see the related clusters, click here.

Gadolinium - Associated Group

[CISA AA21-200A APT40 July 2021][MSTIC GADOLINIUM September 2020]

Internal MISP references

UUID 82ac97dc-8c3e-4fd1-a7a1-76b8513143e1 which can be used as unique global reference for Gadolinium - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a028aacc-e48b-4418-ba6b-7e7d52e4bebb
Related clusters

To see the related clusters, click here.

TEMP.Jumper - Associated Group

Leviathan was previously reported on by FireEye as TEMP.Periscope and TEMP.Jumper.[CISA AA21-200A APT40 July 2021][FireEye APT40 March 2019]

Internal MISP references

UUID c9c9a804-2635-4a47-b63c-9ad5363454a3 which can be used as unique global reference for TEMP.Jumper - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 100c99e9-8cd0-4b27-8707-c42ca0b70acb
Related clusters

To see the related clusters, click here.

TEMP.Periscope - Associated Group

Leviathan was previously reported on by FireEye as TEMP.Periscope and TEMP.Jumper.[CISA AA21-200A APT40 July 2021][FireEye Periscope March 2018][FireEye APT40 March 2019]

Internal MISP references

UUID 58f19fca-8c3b-424a-8e1d-cb3996f36417 which can be used as unique global reference for TEMP.Periscope - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 327de388-915c-4457-9508-99fb0916a1cd
Related clusters

To see the related clusters, click here.

Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[CISA AA21-200A APT40 July 2021] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.[CISA AA21-200A APT40 July 2021][Proofpoint Leviathan Oct 2017][FireEye Periscope March 2018]

Internal MISP references

UUID eadd78e3-3b5d-430a-b994-4360b172c871 which can be used as unique global reference for Leviathan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0065
observed_countries ['BE', 'KH', 'CA', 'DE', 'HK', 'MY', 'NO', 'PH', 'SA', 'CH', 'GB', 'US']
source MITRE
tags ['931d2342-5165-41cf-a5a9-8308d9c9f7ed']
target_categories ['Aerospace', 'Defense', 'Education', 'Government', 'Healthcare', 'Manufacturing', 'Maritime', 'Transportation']
Related clusters

To see the related clusters, click here.

Water Selkie - Associated Group

[Trend Micro LockBit Spotlight February 08 2023]

Internal MISP references

UUID d35be61a-d6d9-4572-8d1f-60367e982f88 which can be used as unique global reference for Water Selkie - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b2f86534-0c1e-4c6a-81af-7c4f9f9bc3dc
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

LockBit Ransomware Actors & Affiliates

This object represents the LockBit Ransomware-as-a-Service ("RaaS") apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.

Ransomware labeled "LockBit" was first observed in 2020. LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency ("CISA"), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware's predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (March 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[U.S. CISA Understanding LockBit June 2023]

Since emerging in 2020, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world. In June 2023, the U.S. Federal Bureau of Investigation reported it had identified 1,700 LockBit attacks since 2020.[U.S. CISA Understanding LockBit June 2023] According to data collected by the ransomwatch project and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (576 associated with the LockBit 2.0 variant and 394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims, more than double the number of the next threat (Clop, with 179 victims).[GitHub ransomwatch] CISA reported in June 2023 that U.S. ransoms paid to LockBit since January 2020 totaled $91 million.[U.S. CISA Understanding LockBit June 2023]

LockBit affiliate operators are known to use a wide variety of techniques during their attacks. Initial access for LockBit infections has occurred via a broad range of methods (including exploitation of a number of publicly known vulnerabilities), and operators are known to abuse a range of free and open-source software tools for post-exploitation activities. In addition to encrypting victim data, LockBit actors routinely exfiltrate victim data and threaten to leak it for extortion purposes.

Related Vulnerabilities: CVE-2021-22986, CVE-2023-0669, CVE-2023-27350, CVE-2021-44228, CVE-2020-1472, CVE-2019-0708, CVE-2018-13379[U.S. CISA Understanding LockBit June 2023]
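A CVE list like the one above is only useful once it is checked against what an organization actually runs. The following is an added example, not Tidal or CISA code: it parses the CVE list as it appears on this page (the source list repeats CVE-2021-22986, and the parser dedupes it), maps each CVE to its affected product using the public NVD and vendor advisory descriptions (that mapping is from the editor's knowledge, not from this page, and should be verified before use), and ranks each CVE against a constructed asset inventory.

```python
"""Triage the LockBit-associated CVEs from this page against a local inventory.

Added example. CVE_PRODUCT is taken from public NVD/vendor descriptions, not
from this page, and should be verified before use; INVENTORY is constructed.
"""
import re

# CVE list copied from the Tidal LockBit object, including its duplicate entry.
LOCKBIT_CVES_RAW = ("CVE-2021-22986, CVE-2023-0669, CVE-2023-27350, CVE-2021-44228, "
                    "CVE-2021-22986, CVE-2020-1472, CVE-2019-0708, CVE-2018-13379")

# Affected product per CVE, from the public advisories (assumed accurate; verify).
CVE_PRODUCT = {
    "CVE-2018-13379": "Fortinet FortiOS SSL VPN",
    "CVE-2019-0708": "Windows Remote Desktop Services",
    "CVE-2020-1472": "Windows Netlogon",
    "CVE-2021-22986": "F5 BIG-IP iControl REST",
    "CVE-2021-44228": "Apache Log4j 2",
    "CVE-2023-0669": "Fortra GoAnywhere MFT",
    "CVE-2023-27350": "PaperCut MF/NG",
}

# Constructed inventory: product -> (internet_exposed, patched).
INVENTORY = {
    "Fortinet FortiOS SSL VPN": (True, False),
    "Windows Netlogon": (False, True),
    "Apache Log4j 2": (True, True),
    "PaperCut MF/NG": (False, False),
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_cves(text):
    """Extract, upper-case and dedupe CVE ids, preserving first-seen order."""
    seen = []
    for cve in CVE_RE.findall(text.upper()):
        if cve not in seen:
            seen.append(cve)
    return seen


def cve_year(cve):
    """Year component of a CVE id, used as a tie-breaker (newer first)."""
    return int(cve.split("-")[1])


def triage(cves, product_map, inventory):
    """Rank each CVE for follow-up:
    3 = product internet-exposed and unpatched, 2 = internal and unpatched,
    1 = present but patched, 0 = product not in inventory, -1 = CVE not mapped."""
    rows = []
    for cve in cves:
        product = product_map.get(cve)
        if product is None:
            priority, note = -1, "no product mapping; look up manually"
        elif product not in inventory:
            priority, note = 0, "product not in inventory"
        else:
            exposed, patched = inventory[product]
            if patched:
                priority, note = 1, "present, patched"
            elif exposed:
                priority, note = 3, "internet-exposed and unpatched"
            else:
                priority, note = 2, "internal and unpatched"
        rows.append({"cve": cve, "product": product, "priority": priority, "note": note})
    rows.sort(key=lambda r: (-r["priority"], -cve_year(r["cve"])))
    return rows


if __name__ == "__main__":
    for row in triage(parse_cves(LOCKBIT_CVES_RAW), CVE_PRODUCT, INVENTORY):
        print(f'{row["priority"]:>2}  {row["cve"]:<15} {str(row["product"]):<32} {row["note"]}')
```

Products absent from the inventory score 0 rather than being dropped, because "not in inventory" is frequently "not inventoried yet" rather than "not present"; they stay visible for a manual check.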

Internal MISP references

UUID d0f3353c-fbdd-4bd5-8793-a42e1f319b59 which can be used as unique global reference for LockBit Ransomware Actors & Affiliates in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5004
observed_countries ['AR', 'AU', 'AT', 'BE', 'BR', 'CA', 'CO', 'EG', 'FR', 'DE', 'HK', 'IN', 'ID', 'IL', 'IT', 'JP', 'KW', 'MY', 'MX', 'MA', 'NL', 'NZ', 'NO', 'PE', 'PH', 'PL', 'PT', 'RO', 'SG', 'ZA', 'ES', 'SE', 'CH', 'TW', 'TH', 'AE', 'GB', 'US', 'VE', 'VN']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['793f4441-3916-4b3d-a3fd-686a59dc3de2', '1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0', 'c79f7ba7-a2f2-43ff-8c78-521807ef6c92', '3535caad-a155-4996-b986-70bc3cd5ce1e', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '4fb4824e-1995-4c65-8c71-e818c0aa1086', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'ecd84106-2a5b-4d25-854e-b8d1f57f6b75', '2743d495-7728-4a75-9e5f-b64854039792', '7e6ef160-8e4f-4132-bdc4-9991f01c472e', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e401022a-36ac-486d-8503-dd531410a927', '1a7cb7b6-d151-4fc6-8de1-78f244ac9f72', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Agriculture', 'Automotive', 'Banks', 'Casinos Gambling', 'Construction', 'Education', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'High Tech', 'Hospitality Leisure', 'Insurance', 'Legal', 'Manufacturing', 'Maritime', 'Media', 'Non Profit', 'Pharmaceuticals', 'Retail', 'Technology', 'Telecommunications', 'Transportation', 'Utilities']
Related clusters

To see the related clusters, click here.

Spring Dragon - Associated Group

[Spring Dragon Jun 2015][Accenture Dragonfish Jan 2018]

Internal MISP references

UUID 68a87557-6166-4fd7-8a18-4a4e43f9b949 which can be used as unique global reference for Spring Dragon - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id aa9a2a90-7816-42c8-841d-b74d5dbefbc0
Related clusters

To see the related clusters, click here.

DRAGONFISH - Associated Group

[Accenture Dragonfish Jan 2018]

Internal MISP references

UUID e2890e51-1bc8-4302-9251-149a3f547d36 which can be used as unique global reference for DRAGONFISH - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id cbe77f7b-df76-434a-a3f4-a62ac9e13f57
Related clusters

To see the related clusters, click here.

Lotus Blossom

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. [Lotus Blossom Jun 2015]

Internal MISP references

UUID 2849455a-cf39-4a9f-bd89-c2b3c1e5dd52 which can be used as unique global reference for Lotus Blossom in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0030
observed_countries ['HK', 'ID', 'PH', 'TW', 'VN']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Government']
Related clusters

To see the related clusters, click here.

LuminousMoth

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[Kaspersky LuminousMoth July 2021][Bitdefender LuminousMoth July 2021]

Internal MISP references

UUID b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a which can be used as unique global reference for LuminousMoth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1014
source MITRE

APT-C-43 - Associated Group

[360 Machete Sep 2020]

Internal MISP references

UUID 4656c093-80f5-4f33-a695-09180101d3d9 which can be used as unique global reference for APT-C-43 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 2ad95cd1-e04c-4bad-877c-c96c5424cd7e
Related clusters

To see the related clusters, click here.

El Machete - Associated Group

[Cylance Machete Mar 2017]

Internal MISP references

UUID b5f7c7c6-f079-4e6e-95a5-4fde667b9705 which can be used as unique global reference for El Machete - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4ab530f5-0f57-47da-8e9b-c887220ed1ac
Related clusters

To see the related clusters, click here.

Machete

Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.[Cylance Machete Mar 2017][Securelist Machete Aug 2014][ESET Machete July 2019][360 Machete Sep 2020]

Internal MISP references

UUID a3be79a2-3d4f-4697-a8a1-83f0884220af which can be used as unique global reference for Machete in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0095
observed_countries ['AR', 'BE', 'BO', 'BR', 'CA', 'CN', 'CO', 'CU', 'DO', 'EC', 'FR', 'DE', 'GT', 'MY', 'MX', 'NI', 'PE', 'RU', 'ES', 'SE', 'UA', 'GB', 'US', 'VE']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Government', 'Telecommunications', 'Utilities']
Related clusters

To see the related clusters, click here.

Phosphorus - Associated Group

[Microsoft Phosphorus Mar 2019][Microsoft Phosphorus Oct 2020][US District Court of DC Phosphorus Complaint 2019][Certfa Charming Kitten January 2021][Proofpoint TA453 March 2021][Check Point APT35 CharmPower January 2022]

Internal MISP references

UUID 618f578f-a73b-4f47-b123-8c3877325675 which can be used as unique global reference for Phosphorus - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d6773afc-0476-408e-957a-ba7b97b41c58
Related clusters

To see the related clusters, click here.

TA453 - Associated Group

[Proofpoint TA453 March 2021][Proofpoint TA453 July2021][Check Point APT35 CharmPower January 2022]

Internal MISP references

UUID 69d9316e-daa7-4fe4-86e0-c79c4ab27c5e which can be used as unique global reference for TA453 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d939cf61-8fab-4172-9244-8c5f5b43f17d
Related clusters

To see the related clusters, click here.

Charming Kitten - Associated Group

[ClearSky Charming Kitten Dec 2017][Eweek Newscaster and Charming Kitten May 2014][ClearSky Kittens Back 2 Oct 2019][ClearSky Kittens Back 3 August 2020][Proofpoint TA453 March 2021][Check Point APT35 CharmPower January 2022]

Internal MISP references

UUID 2a379f9c-0c8b-4066-8131-dfc6aad03b30 which can be used as unique global reference for Charming Kitten - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4610784d-876d-46e5-ac9c-d8c40456706b
Related clusters

To see the related clusters, click here.

Newscaster - Associated Group

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).[Unit 42 Magic Hound Feb 2017][FireEye APT35 2018]

Internal MISP references

UUID 1701d47b-d0ad-47dd-965e-0f50737c34ef which can be used as unique global reference for Newscaster - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 70db62b8-2214-4532-9880-4d8c7aabcdd4
Related clusters

To see the related clusters, click here.

COBALT ILLUSION - Associated Group

[Secureworks COBALT ILLUSION Threat Profile]

Internal MISP references

UUID 9a6d6b98-17f3-445d-94dc-fb6e942245c3 which can be used as unique global reference for COBALT ILLUSION - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1b2d8360-2a44-4d81-bd85-a2d6d3881254
Related clusters

To see the related clusters, click here.

ITG18 - Associated Group

[IBM ITG18 2020]

Internal MISP references

UUID ae8cdb8b-d572-427b-93ad-195a3d41a08a which can be used as unique global reference for ITG18 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f9671b18-8de3-430b-9531-99bfab0e1f72
Related clusters

To see the related clusters, click here.

APT35 - Associated Group

[FireEye APT35 2018][Certfa Charming Kitten January 2021][Check Point APT35 CharmPower January 2022]

Internal MISP references

UUID b908442f-7e76-48d9-ba6f-448ce1e8b071 which can be used as unique global reference for APT35 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 118c430f-24db-40e0-8a54-5015c59ea151
Related clusters

To see the related clusters, click here.

Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[FireEye APT35 2018][ClearSky Kittens Back 3 August 2020][Certfa Charming Kitten January 2021][Secureworks COBALT ILLUSION Threat Profile][Proofpoint TA453 July2021]

Internal MISP references

UUID 7a9d653c-8812-4b96-81d1-b0a27ca918b4 which can be used as unique global reference for Magic Hound in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0059
observed_countries ['AF', 'CA', 'EG', 'IR', 'IQ', 'IL', 'JO', 'KW', 'MA', 'PK', 'SA', 'ES', 'SY', 'TR', 'AE', 'GB', 'US', 'VE', 'YE']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Construction', 'Defense', 'Education', 'Energy', 'Entertainment', 'Government', 'Human Rights', 'Media', 'Telecommunications']
Related clusters

To see the related clusters, click here.

MedusaLocker Ransomware Actors

MedusaLocker is a ransomware-as-a-service ("RaaS") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploitation of vulnerable Remote Desktop Protocol (RDP) services.[HC3 Analyst Note MedusaLocker Ransomware February 2023]

This object represents behaviors associated with operators of MedusaLocker ransomware. As MedusaLocker is licensed on a RaaS model, affiliates likely do not act as a single cohesive unit, and behaviors observed during particular attacks may vary. Behaviors associated with samples of MedusaLocker ransomware are represented in the "MedusaLocker Ransomware" Software object.

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker

Internal MISP references

UUID 55b20209-c04a-47ab-805d-ace83522ef6a which can be used as unique global reference for MedusaLocker Ransomware Actors in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5003
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Healthcare']

Medusa Ransomware Actors

Medusa is a ransomware operation that reportedly launched in June 2021. In 2023, the group launched a website used to publicize alleged victims. The group appears to be independent of the similarly named "MedusaLocker" operation.[Bleeping Computer Medusa Ransomware March 12 2023]

According to data collected by the ransomwatch project and analyzed by Tidal, Medusa actors publicly claimed around 90 victims through September 2023, ranking it ninth out of the 50+ ransomware operations in the dataset. These victims come from a wide variety of industry sectors and localities.[GitHub ransomwatch]

Internal MISP references

UUID 316a49d5-5fe0-4e0b-a276-f955f4277162 which can be used as unique global reference for Medusa Ransomware Actors in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5007
observed_countries ['CA', 'CL', 'CY', 'CZ', 'FR', 'PF', 'IN', 'ID', 'KE', 'MX', 'MA', 'CH', 'TO', 'AE', 'GB', 'US']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Aerospace', 'Automotive', 'Casinos Gambling', 'Education', 'Electronics', 'Energy', 'Financial Services', 'Healthcare', 'Hospitality Leisure', 'Insurance', 'Legal', 'Media', 'Pharmaceuticals', 'Retail', 'Telecommunications', 'Transportation']

Stone Panda - Associated Group

[Palo Alto menuPass Feb 2017][Accenture Hogfish April 2018][DOJ APT10 Dec 2018][District Court of NY APT10 Indictment December 2018][Symantec Cicada November 2020]

Internal MISP references

UUID 54b7d2ff-e1e3-49f7-8cb5-a9089b9f9807 which can be used as unique global reference for Stone Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c383f724-e2b5-4640-8666-5800c101664a
Related clusters

To see the related clusters, click here.

CVNX - Associated Group

[PWC Cloud Hopper April 2017][DOJ APT10 Dec 2018][District Court of NY APT10 Indictment December 2018]

Internal MISP references

UUID 3eb5f80a-0069-4f3f-9c25-6139254b307c which can be used as unique global reference for CVNX - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0f8db655-40d1-4c0a-98d0-b84195a72934
Related clusters

To see the related clusters, click here.

Cicada - Associated Group

[Symantec Cicada November 2020]

Internal MISP references

UUID f7cac76e-8c1f-43ca-8769-9fb573fe6328 which can be used as unique global reference for Cicada - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ce558501-8ee1-4825-b389-3bcf229c3379
Related clusters

To see the related clusters, click here.

POTASSIUM - Associated Group

[DOJ APT10 Dec 2018][District Court of NY APT10 Indictment December 2018]

Internal MISP references

UUID 30f0cb4f-7bb5-4794-8843-bd925bafeb59 which can be used as unique global reference for POTASSIUM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 742b6e73-305f-4556-849a-0985bfa780f2
Related clusters

To see the related clusters, click here.

APT10 - Associated Group

[Palo Alto menuPass Feb 2017][Accenture Hogfish April 2018][FireEye APT10 Sept 2018][DOJ APT10 Dec 2018][Symantec Cicada November 2020]

Internal MISP references

UUID f18b971c-5d70-4884-8069-983324946274 which can be used as unique global reference for APT10 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c687c273-9b3a-4225-8228-525794fcac77
Related clusters

To see the related clusters, click here.

Red Apollo - Associated Group

[PWC Cloud Hopper April 2017][DOJ APT10 Dec 2018][District Court of NY APT10 Indictment December 2018]

Internal MISP references

UUID 31fc92e8-3de5-47a2-a63e-37cb82fd8bdb which can be used as unique global reference for Red Apollo - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4478e90a-a153-4092-9694-758921bb949b
Related clusters

To see the related clusters, click here.

HOGFISH - Associated Group

[Accenture Hogfish April 2018]

Internal MISP references

UUID cdd6a361-e7b5-48a0-a866-96ccc79f9dda which can be used as unique global reference for HOGFISH - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d41f86bc-0492-40ae-9234-0c38c720300a
Related clusters

To see the related clusters, click here.

menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[DOJ APT10 Dec 2018][District Court of NY APT10 Indictment December 2018]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[Palo Alto menuPass Feb 2017][Crowdstrike CrowdCast Oct 2013][FireEye Poison Ivy][PWC Cloud Hopper April 2017][FireEye APT10 April 2017][DOJ APT10 Dec 2018][District Court of NY APT10 Indictment December 2018]

Internal MISP references

UUID fb93231d-2ae4-45da-9dea-4c372a11f322 which can be used as unique global reference for menuPass in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0045
observed_countries ['AU', 'BE', 'BR', 'CA', 'CN', 'FI', 'FR', 'DE', 'HK', 'IN', 'IL', 'IT', 'JP', 'KR', 'ME', 'NL', 'NO', 'PH', 'SG', 'ZA', 'SE', 'CH', 'TW', 'TH', 'TR', 'AE', 'GB', 'US', 'VN']
observed_motivations ['Cyber Espionage', 'Financial Gain']
source MITRE
target_categories ['Aerospace', 'Construction', 'Defense', 'Education', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'Manufacturing', 'Maritime', 'Mining', 'Pharmaceuticals', 'Technology']
Related clusters

To see the related clusters, click here.

Metador

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.[SentinelLabs Metador Sept 2022]

Internal MISP references

UUID a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b which can be used as unique global reference for Metador in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1013
source MITRE

Moafee

Moafee is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. [Haq 2014]

Internal MISP references

UUID 4510ce41-27b9-479c-9bf3-a328b77bae29 which can be used as unique global reference for Moafee in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0002
observed_countries ['JP', 'TW', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Government', 'Manufacturing']
Related clusters

To see the related clusters, click here.

Mofang

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.[FOX-IT May 2016 Mofang]

Internal MISP references

UUID 8bc69792-c26d-4493-87e3-d8e47605fed8 which can be used as unique global reference for Mofang in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0103
observed_countries ['CA', 'DE', 'IN', 'KR', 'MM', 'SG', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Automotive', 'Defense', 'Government', 'Infrastructure']

Operation Molerats - Associated Group

[FireEye Operation Molerats][Cybereason Molerats Dec 2020]

Internal MISP references

UUID d33e9c35-2176-44c8-8d5e-77ed5de472b2 which can be used as unique global reference for Operation Molerats - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 346086f7-4510-43de-bb11-09b3679f2862
Related clusters

To see the related clusters, click here.

Gaza Cybergang - Associated Group

[DustySky][Kaspersky MoleRATs April 2019][Cybereason Molerats Dec 2020]

Internal MISP references

UUID 7399d632-1b1d-47da-8f8e-0f8decd62bf7 which can be used as unique global reference for Gaza Cybergang - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ddbfe002-11d9-470f-89b3-1952ecfff3f9
Related clusters

To see the related clusters, click here.

Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[DustySky][DustySky2][Kaspersky MoleRATs April 2019][Cybereason Molerats Dec 2020]

Internal MISP references

UUID 679b7b6b-9659-4e56-9ffd-688a6fab01b6 which can be used as unique global reference for Molerats in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0021
observed_countries ['EG', 'IQ', 'IL', 'PS', 'SA', 'TR', 'AE', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Banks', 'Government', 'Media', 'NGOs']
Related clusters

To see the related clusters, click here.

Moses Staff

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[Checkpoint MosesStaff Nov 2021]

Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[Cybereason StrifeWater Feb 2022]

Internal MISP references

UUID a41725c5-eb3a-4772-8d1e-17c3bbade79c which can be used as unique global reference for Moses Staff in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G1009
observed_countries ['CL', 'DE', 'IN', 'IL', 'IT', 'TR', 'AE', 'US']
observed_motivations ['Cyber Espionage', 'Destruction']
source MITRE
target_categories ['Energy', 'Financial Services', 'Government', 'Manufacturing', 'Travel Services', 'Utilities']

MoustachedBouncer

MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.[MoustachedBouncer ESET August 2023]

Internal MISP references

UUID f31df12e-66ea-5a49-87bc-2bc1756a89fc which can be used as unique global reference for MoustachedBouncer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1019
observed_countries ['BY']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Government']

Static Kitten - Associated Group

[Anomali Static Kitten February 2021][Trend Micro Muddy Water March 2021]

Internal MISP references

UUID ac24e233-2250-477b-a4cb-6ae018d5836b which can be used as unique global reference for Static Kitten - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 46251839-ff6e-430e-91e4-a8cb848c1127
Related clusters

To see the related clusters, click here.

TEMP.Zagros - Associated Group

[FireEye MuddyWater Mar 2018][Anomali Static Kitten February 2021][Trend Micro Muddy Water March 2021]

Internal MISP references

UUID b4215569-ec22-43ad-839a-67cd09030e2e which can be used as unique global reference for TEMP.Zagros - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f8f99bfa-5f93-4ddc-a72e-fc572a47719e
Related clusters

To see the related clusters, click here.

MERCURY - Associated Group

[Anomali Static Kitten February 2021]

Internal MISP references

UUID d4cd493f-b88d-4687-b040-60be94e42a65 which can be used as unique global reference for MERCURY - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 201ec12b-c81a-4473-8afa-a3d57f552f59
Related clusters

To see the related clusters, click here.

Seedworm - Associated Group

[Symantec MuddyWater Dec 2018][Anomali Static Kitten February 2021][Trend Micro Muddy Water March 2021]

Internal MISP references

UUID 9c03d056-8c91-43c9-a9e9-ef7c82b12bca which can be used as unique global reference for Seedworm - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e5ab4f29-3271-4072-be1a-afc001347179
Related clusters

To see the related clusters, click here.

Earth Vetala - Associated Group

[Trend Micro Muddy Water March 2021]

Internal MISP references

UUID a862ce87-d79a-485a-8ba2-c7c843e60422 which can be used as unique global reference for Earth Vetala - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 97647729-3b4c-4d11-a9e7-7a3f4a561ef1
Related clusters

To see the related clusters, click here.

MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[CYBERCOM Iranian Intel Cyber January 2022] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.[Unit 42 MuddyWater Nov 2017][Symantec MuddyWater Dec 2018][ClearSky MuddyWater Nov 2018][ClearSky MuddyWater June 2019][Reaqta MuddyWater November 2017][DHS CISA AA22-055A MuddyWater February 2022][Talos MuddyWater Jan 2022]

Internal MISP references

UUID dcb260d8-9d53-404f-9ff5-dbee2c6effe6 which can be used as unique global reference for MuddyWater in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0069
observed_countries ['AF', 'AM', 'AT', 'AZ', 'BH', 'BY', 'EG', 'GE', 'IN', 'IR', 'IQ', 'IL', 'JO', 'KW', 'LA', 'LB', 'ML', 'NL', 'OM', 'PK', 'RU', 'SA', 'TJ', 'TH', 'TN', 'TR', 'UA', 'AE', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Education', 'Energy', 'Government', 'Technology', 'Telecommunications']
Related clusters

To see the related clusters, click here.

TA416 - Associated Group

[Proofpoint TA416 November 2020]

Internal MISP references

UUID 04d6b7f4-19e6-41a7-b76a-2e82a7d69e3e which can be used as unique global reference for TA416 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a2ae73f8-b7b2-49dd-a5e6-391f1e5d5d84
Related clusters

To see the related clusters, click here.

RedDelta - Associated Group

[Recorded Future REDDELTA July 2020][Proofpoint TA416 Europe March 2022]

Internal MISP references

UUID 6e798bec-4713-4242-88ec-e4a77b29db22 which can be used as unique global reference for RedDelta - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1ecf0133-b10d-4621-819d-6efa12db1726
Related clusters

To see the related clusters, click here.

BRONZE PRESIDENT - Associated Group

[Secureworks BRONZE PRESIDENT December 2019]

Internal MISP references

UUID ed80cd5e-afc8-4f59-b567-ec97fdc37a37 which can be used as unique global reference for BRONZE PRESIDENT - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e8305088-3e86-4126-b24b-fa810d7fc9f0
Related clusters

To see the related clusters, click here.

Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.[Crowdstrike MUSTANG PANDA June 2018][Anomali MUSTANG PANDA October 2019][Secureworks BRONZE PRESIDENT December 2019]

Internal MISP references

UUID 4a4641b1-7686-49da-8d83-00d8013f4b47 which can be used as unique global reference for Mustang Panda in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0129
observed_countries ['AU', 'BD', 'BE', 'CN', 'CY', 'ET', 'DE', 'GR', 'HK', 'IN', 'ID', 'KR', 'MN', 'MM', 'NP', 'PK', 'RU', 'SG', 'ZA', 'SS', 'TW', 'GB', 'US', 'VN']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Government', 'NGOs', 'Non Profit', 'Think Tanks', 'Travel Services']
Related clusters

To see the related clusters, click here.

Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[CameraShy] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[CameraShy][Baumgartner Naikon 2015]

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[Baumgartner Golovkin Naikon 2015]

Internal MISP references

UUID a80c00b2-b8b6-4780-99bb-df8fe921947d which can be used as unique global reference for Naikon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0019
observed_countries ['AU', 'BN', 'KH', 'CN', 'IN', 'ID', 'KR', 'LA', 'MY', 'MM', 'NP', 'PH', 'SA', 'SG', 'TH', 'US', 'VN']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Government']
Related clusters

To see the related clusters, click here.

NEODYMIUM

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. [Microsoft NEODYMIUM Dec 2016] [Microsoft SIR Vol 21] NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. [CyberScoop BlackOasis Oct 2017]

Internal MISP references

UUID 3a660ef3-9954-4252-8946-f903f3f42d0c which can be used as unique global reference for NEODYMIUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0055
observed_countries ['TR']
observed_motivations ['Cyber Espionage']
source MITRE
Related clusters

To see the related clusters, click here.

DustSquad - Associated Group

[Security Affairs DustSquad Oct 2018][Securelist Octopus Oct 2018][SecurityWeek Nomadic Octopus Oct 2018]

Internal MISP references

UUID 2e09d081-dcb5-4b3e-8dca-2b64dc37cc2b which can be used as unique global reference for DustSquad - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9179b832-142b-401f-95c0-907544b71dad
Related clusters

To see the related clusters, click here.

Nomadic Octopus

Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.[Security Affairs DustSquad Oct 2018][Securelist Octopus Oct 2018][ESET Nomadic Octopus 2018]

Internal MISP references

UUID 5f8c6ee0-f302-403b-b712-f1e3df064c0c which can be used as unique global reference for Nomadic Octopus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0133
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Government']
Related clusters

To see the related clusters, click here.

IRN2 - Associated Group

[Crowdstrike Helix Kitten Nov 2018]

Internal MISP references

UUID d840e923-ef0c-45d6-926f-e12016d1fe54 which can be used as unique global reference for IRN2 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 951b761f-1c6f-4321-8c37-84c857408b06
Related clusters

To see the related clusters, click here.

APT34 - Associated Group

This activity was previously tracked as two distinct groups, APT34 and OilRig, but the two were merged after additional reporting gave higher confidence in the overlap between them.[Unit 42 QUADAGENT July 2018][FireEye APT34 Dec 2017][Check Point APT34 April 2021]

Internal MISP references

UUID 17ac9e60-dfad-4ee5-a61c-7b7ee6686a73 which can be used as unique global reference for APT34 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6c8291a4-b1f2-4ba7-b803-4a0c211169e9
Related clusters

To see the related clusters, click here.

COBALT GYPSY - Associated Group

[Secureworks COBALT GYPSY Threat Profile]

Internal MISP references

UUID e8d4a791-a117-4e1e-8a7a-8a90422d4a90 which can be used as unique global reference for COBALT GYPSY - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d5f99e60-e704-4e97-824e-cc3b42236f66
Related clusters

To see the related clusters, click here.

Helix Kitten - Associated Group

[Unit 42 QUADAGENT July 2018][Crowdstrike Helix Kitten Nov 2018]

Internal MISP references

UUID 8779d808-ed34-44bc-a3e3-8b0954bc8022 which can be used as unique global reference for Helix Kitten - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3babdce3-2d7b-4f15-971d-d1272690e9f4
Related clusters

To see the related clusters, click here.

Evasive Serpens - Associated Group

[Unit42 OilRig Playbook 2023]

Internal MISP references

UUID 9cbeb785-fe7e-5bf7-b860-bf1bf8bf7f09 which can be used as unique global reference for Evasive Serpens - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 20f00c34-6797-5a00-b03f-80d47bc6a650
Related clusters

To see the related clusters, click here.

OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[Palo Alto OilRig April 2017][ClearSky OilRig Jan 2017][Palo Alto OilRig May 2016][Palo Alto OilRig Oct 2016][Unit42 OilRig Playbook 2023][FireEye APT34 Dec 2017][Unit 42 QUADAGENT July 2018]

Internal MISP references

UUID d01abdb1-0378-4654-aa38-1a4a292703e2 which can be used as unique global reference for OilRig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0049
observed_countries ['AZ', 'IQ', 'IL', 'KW', 'LB', 'MU', 'PK', 'QA', 'SA', 'TR', 'AE', 'GB', 'US']
source MITRE
target_categories ['Banks', 'Chemical', 'Energy', 'Financial Services', 'Government', 'Technology', 'Telecommunications']
Related clusters

To see the related clusters, click here.

Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[Symantec Orangeworm April 2018]

Internal MISP references

UUID 863b7013-133d-4a82-93d2-51b53a8fd30e which can be used as unique global reference for Orangeworm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0071
observed_countries ['BE', 'BR', 'CA', 'CL', 'CN', 'FR', 'DE', 'HK', 'HU', 'IN', 'JP', 'MY', 'NL', 'NO', 'PH', 'PL', 'PT', 'SA', 'ES', 'SE', 'CH', 'TR', 'GB', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Healthcare', 'Pharmaceuticals']

Chinastrats - Associated Group

[Securelist Dropping Elephant]

Internal MISP references

UUID 938d3a61-cb8b-4ec3-9bf0-f27833a0f96f which can be used as unique global reference for Chinastrats - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 77abe6f0-7cf8-4dd5-8856-b75d1372ddd9
Related clusters

To see the related clusters, click here.

MONSOON - Associated Group

MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. [Forcepoint Monsoon] [PaloAlto Patchwork Mar 2018]

Internal MISP references

UUID 23ef9d36-8cb3-4992-abda-709777b97cc3 which can be used as unique global reference for MONSOON - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6f6fbe52-56f6-4475-a705-76931c425513
Related clusters

To see the related clusters, click here.

Operation Hangover - Associated Group

It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. [Forcepoint Monsoon] [Operation Hangover May 2013]

Internal MISP references

UUID 364de163-80dc-4f0f-8b42-837ae97a2088 which can be used as unique global reference for Operation Hangover - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9e9ba191-f9e6-441e-83bd-6c91051f1c4d
Related clusters

To see the related clusters, click here.

Hangover Group - Associated Group

Patchwork and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.[PaloAlto Patchwork Mar 2018][Unit 42 BackConfig May 2020][Forcepoint Monsoon]

Internal MISP references

UUID 2c043629-b8f6-475f-a436-abc01aad9421 which can be used as unique global reference for Hangover Group - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 65af7d73-1452-4c1c-bf48-344adc7e2bde
Related clusters

To see the related clusters, click here.

Dropping Elephant - Associated Group

[Symantec Patchwork] [Securelist Dropping Elephant] [PaloAlto Patchwork Mar 2018] [Volexity Patchwork June 2018]

Internal MISP references

UUID 8f4890c6-6db0-4536-8624-35cb02bb94a7 which can be used as unique global reference for Dropping Elephant - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 68d9b964-3996-43b9-aabc-e3b3a8a8f4ce
Related clusters

To see the related clusters, click here.

Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting diplomatic and government agencies and industries connected to them. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[Cymmetria Patchwork][Symantec Patchwork][TrendMicro Patchwork Dec 2017][Volexity Patchwork June 2018]

Internal MISP references

UUID 32385eba-7bbf-439e-acf2-83040e97165a which can be used as unique global reference for Patchwork in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0040
observed_countries ['CN', 'JP', 'GB', 'US']
source MITRE
target_categories ['Defense', 'Energy', 'Financial Services', 'Government', 'NGOs', 'Technology', 'Think Tanks']
Related clusters

To see the related clusters, click here.

PittyTiger

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[Bizeul 2014][Villeneuve 2014]

Internal MISP references

UUID 60936d3c-37ed-4116-a407-868da3aa4446 which can be used as unique global reference for PittyTiger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0011
observed_countries ['TW']
source MITRE
target_categories ['Defense', 'Energy', 'Telecommunications']
Related clusters

To see the related clusters, click here.

PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID f036b992-4c3f-47b7-a458-94ac133bce74 which can be used as unique global reference for PLATINUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0068
observed_countries ['CN', 'IN', 'ID', 'MY', 'SG', 'TH']
source MITRE
target_categories ['Defense', 'Education', 'Government', 'Telecommunications']
Related clusters

To see the related clusters, click here.

Play Ransomware Actors

Play is a ransomware operation first observed in mid-2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and the Hive and Nokoyawa ransomware families, which are themselves believed to be linked.[Trend Micro Play Playbook September 06 2022] According to publicly available ransomware extortion threat data, Play has claimed more than 300 victims from a wide range of sectors on its data leak site since December 2022.[GitHub ransomwatch]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.play

PulseDive (IOCs): https://pulsedive.com/threat/PlayCrypt

Internal MISP references

UUID 6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3 which can be used as unique global reference for Play Ransomware Actors in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5018
observed_countries ['AR', 'BE', 'CA', 'CZ', 'FR', 'DE', 'IT', 'KR', 'NO', 'SE', 'AE', 'GB', 'US', 'VE']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['17864218-bc4f-4564-8abf-97c988eea9f7', 'b6458e46-650e-4e96-8e68-8a9d70bcf045', 'bac51672-8240-4182-9087-23626023e509', '2743d495-7728-4a75-9e5f-b64854039792']
target_categories ['Automotive', 'Construction', 'Energy', 'Financial Services', 'Government', 'Legal', 'Media', 'Non Profit', 'Retail', 'Technology', 'Transportation']

POLONIUM

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.[Microsoft POLONIUM June 2022]

Internal MISP references

UUID 7fbd7514-76e9-4696-8c66-9f95546e3315 which can be used as unique global reference for POLONIUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1005
source MITRE

Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. [Kaspersky Poseidon Group]

Internal MISP references

UUID 553e2b7b-170c-4eb5-812b-ea33fe1dd4a0 which can be used as unique global reference for Poseidon Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0033
observed_countries ['BR', 'FR', 'IN', 'KZ', 'RU', 'AE', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Energy', 'Entertainment', 'Financial Services', 'Manufacturing', 'Utilities']
Related clusters

To see the related clusters, click here.

StrongPity - Associated Group

The name StrongPity has also been used to describe the group and the malware used by the group.[Bitdefender StrongPity June 2020][Talos Promethium June 2020]

Internal MISP references

UUID aa5e87f3-6e59-4abf-aeba-a49eb9d495f3 which can be used as unique global reference for StrongPity - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 225f451f-621e-406d-94ee-bcff9ee39367
Related clusters

To see the related clusters, click here.

PROMETHIUM

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.[Microsoft NEODYMIUM Dec 2016][Microsoft SIR Vol 21][Talos Promethium June 2020]

Internal MISP references

UUID cc798766-8662-4b55-8536-6d057fbc58f0 which can be used as unique global reference for PROMETHIUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0056
observed_countries ['TR']
observed_motivations ['Cyber Espionage']
source MITRE
Related clusters

To see the related clusters, click here.

APT2 - Associated Group

[Cylance Putter Panda]

Internal MISP references

UUID bab4d1df-a6c6-40ae-b583-83c4492cbbd2 which can be used as unique global reference for APT2 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d55c62a4-1477-4a32-a669-7bc113e52f95
Related clusters

To see the related clusters, click here.

MSUpdater - Associated Group

[CrowdStrike Putter Panda]

Internal MISP references

UUID 9975905f-c429-4911-800d-d21e9a29b3f8 which can be used as unique global reference for MSUpdater - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b80baeda-6ed3-413d-9412-1d49e035a898
Related clusters

To see the related clusters, click here.

Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [CrowdStrike Putter Panda]

Internal MISP references

UUID 6005f4a9-fe26-4237-a44e-3f6cbb1fe75c which can be used as unique global reference for Putter Panda in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0024
observed_countries ['JP', 'US']
source MITRE
target_categories ['Aerospace', 'Defense', 'Government', 'Technology', 'Telecommunications']
Related clusters

To see the related clusters, click here.

Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically motivated lures to entice victims to open malicious documents. [Rancor Unit42 June 2018]

Internal MISP references

UUID 021b3c71-6467-4e46-a413-8b726f066f2c which can be used as unique global reference for Rancor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0075
observed_countries ['KH', 'SG']
observed_motivations ['Cyber Espionage']
source MITRE

Rhysida Ransomware Actors

This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service ("RaaS") basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[HC3 Analyst Note Rhysida Ransomware August 2023]

Related Vulnerabilities: CVE-2020-1472[U.S. CISA Rhysida Ransomware November 15 2023]

Internal MISP references

UUID 0610cd57-2511-467a-97e3-3c810384074f which can be used as unique global reference for Rhysida Ransomware Actors in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5013
observed_countries ['AU', 'AT', 'BR', 'CA', 'FR', 'DE', 'IN', 'ID', 'IL', 'IT', 'KE', 'NL', 'QA', 'SG', 'ES', 'GB', 'US']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Banks', 'Education', 'Government', 'Healthcare', 'Insurance', 'Manufacturing', 'Technology', 'Utilities']

Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[Talos Rocke August 2018]

Internal MISP references

UUID 71222310-2807-4599-bb92-248eaf2e03ab which can be used as unique global reference for Rocke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0106
observed_motivations ['Financial Gain']
source MITRE

Royal Ransomware Actors

Royal is a ransomware group believed to be responsible for hundreds of attacks on victims worldwide, including those in critical infrastructure sectors such as manufacturing, communications, healthcare, and education. The actors that comprise the Royal ransomware operation are believed to be former members of other cybercriminal groups linked to Roy/Zeon ransomware, Conti ransomware, and TrickBot. Unlike many of the other most prominent ransomware groups in recent years, the developers of Royal ransomware are not known to lease the malware to affiliates as a service.[Kroll Royal Deep Dive February 2023]

The Royal group often pressures victims into paying ransom demands by threatening to leak data exfiltrated during intrusions. While public data from the ransomwatch project suggest the group has claimed roughly 200 victims since Q4 2022, a November 2023 U.S. government advisory indicated that Royal “has targeted over 350 known victims worldwide” since September 2022, with extortion demands at times exceeding $250 million.[GitHub ransomwatch][CISA Royal AA23-061A March 2023]

Internal MISP references

UUID 86b97a39-49c3-431e-bcc8-f4e13dbfcdf5 which can be used as unique global reference for Royal Ransomware Actors in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5014
observed_countries ['AU', 'BR', 'CA', 'DE', 'IT', 'MX', 'PT', 'GB', 'US']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['d63754b9-0267-4a70-82a3-212ef32fa796', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Agriculture', 'Construction', 'Education', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'High Tech', 'Hospitality Leisure', 'Insurance', 'Legal', 'Manufacturing', 'Media', 'Non Profit', 'Retail', 'Telecommunications', 'Transportation', 'Utilities']

RTM

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). [ESET RTM Feb 2017]

Internal MISP references

UUID 666ab5f0-3ef1-4e74-8a10-65c60a7d1acd which can be used as unique global reference for RTM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0048
observed_countries ['CZ', 'DE', 'KZ', 'RU', 'UA']
source MITRE

Telebots - Associated Group

[NCSC Sandworm Feb 2020][US District Court Indictment GRU Unit 74455 October 2020][UK NCSC Olympic Attacks October 2020]

Internal MISP references

UUID 4316121a-b50b-40bc-bb4b-2c6fc9ec127b which can be used as unique global reference for Telebots - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0eb61a7c-2b53-49fe-80d4-6cb9a6b83773

IRON VIKING - Associated Group

[Secureworks IRON VIKING ][US District Court Indictment GRU Unit 74455 October 2020][UK NCSC Olympic Attacks October 2020]

Internal MISP references

UUID eeb7e31b-93e9-4244-a31a-6ce9116a4b70 which can be used as unique global reference for IRON VIKING - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 44ca1cdb-4402-4542-b820-cafe1540c80b

Voodoo Bear - Associated Group

[CrowdStrike VOODOO BEAR][US District Court Indictment GRU Unit 74455 October 2020][UK NCSC Olympic Attacks October 2020]

Internal MISP references

UUID 819b7ba2-f3be-4649-b499-525f8c0579eb which can be used as unique global reference for Voodoo Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4fa0ab56-8b04-4947-b54c-f7ce39c47f38

ELECTRUM - Associated Group

[Dragos ELECTRUM][UK NCSC Olympic Attacks October 2020]

Internal MISP references

UUID 483450ad-d811-4f3e-85db-f2761fa308a6 which can be used as unique global reference for ELECTRUM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b976b934-7cdb-4134-b8af-2c99d8fd4ad5

BlackEnergy (Group) - Associated Group

[NCSC Sandworm Feb 2020][UK NCSC Olympic Attacks October 2020]

Internal MISP references

UUID 42a50ea5-66f1-4802-b2a0-3fe6ea4f42d4 which can be used as unique global reference for BlackEnergy (Group) - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6b447e1c-95ae-4d7b-a46b-021ce5253312

Quedagh - Associated Group

[iSIGHT Sandworm 2014] [F-Secure BlackEnergy 2014][UK NCSC Olympic Attacks October 2020]

Internal MISP references

UUID 5f428057-fad5-4ba5-bd2e-ff0505184371 which can be used as unique global reference for Quedagh - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9fe01b2a-9edb-4fee-b061-f73e977868bd

IRIDIUM - Associated Group

[Microsoft Prestige ransomware October 2022]

Internal MISP references

UUID 84c4e254-d02f-5141-b0c6-d52618177024 which can be used as unique global reference for IRIDIUM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3e832259-e53e-5080-9af4-89c94f5675da

Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[US District Court Indictment GRU Unit 74455 October 2020][UK NCSC Olympic Attacks October 2020] This group has been active since at least 2009.[iSIGHT Sandworm 2014][CrowdStrike VOODOO BEAR][USDOJ Sandworm Feb 2020][NCSC Sandworm Feb 2020]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[US District Court Indictment GRU Unit 74455 October 2020][UK NCSC Olympic Attacks October 2020] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[US District Court Indictment GRU Oct 2018]

Internal MISP references

UUID 16a65ee9-cd60-4f04-ba34-f2f45fcfc666 which can be used as unique global reference for Sandworm Team in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G0034
observed_countries ['AZ', 'BY', 'FR', 'GE', 'IR', 'IL', 'KZ', 'KR', 'KG', 'LT', 'PL', 'RU', 'UA', 'US']
observed_motivations ['Destruction']
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
target_categories ['Energy', 'Government']

Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 6c1bdc51-f633-4512-8b20-04a11c2d97f4 which can be used as unique global reference for Scarlet Mimic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0029
observed_countries ['CN']
source MITRE
target_categories ['Human Rights']

Roasted 0ktapus - Associated Group

[CrowdStrike Scattered Spider BYOVD January 2023]

Internal MISP references

UUID a8be581c-10b8-5d79-b35b-ebc47e511597 which can be used as unique global reference for Roasted 0ktapus - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 29f2a6c2-405e-5b7b-8222-cd5bb4c1fc97

Starfraud - Associated Group

[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID 890f22c5-6e7f-461f-8099-bb7d7c062d27 which can be used as unique global reference for Starfraud - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id cb9929a9-66f4-4191-9caf-47c211c308b0
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

UNC3944 - Associated Group

[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID d850076d-6caa-46f2-958d-4e93f43b88f6 which can be used as unique global reference for UNC3944 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7b671400-1177-42a2-a5f6-26c0b7e10fed
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Scatter Swine - Associated Group

[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID 36002039-b1dc-46bd-affe-fd37edae375c which can be used as unique global reference for Scatter Swine - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 007713f3-6afe-4398-9e6c-9596be3f4c59
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Muddled Libra - Associated Group

[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID fd282f3e-0aba-4f40-873f-1b1e56f55591 which can be used as unique global reference for Muddled Libra - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 59e6dc0c-ff8f-43bf-8780-90101ab98dbc
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Scattered Spider

Scattered Spider is a cybercriminal group that has been active since at least 2022, targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns, Scattered Spider has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.[CrowdStrike Scattered Spider Profile][CrowdStrike Scattered Spider BYOVD January 2023][Crowdstrike TELCO BPO Campaign December 2022]

Internal MISP references

UUID 3d77fb6c-cfb4-5563-b0be-7aa1ad535337 which can be used as unique global reference for Scattered Spider in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1015
observed_countries ['AU', 'BR', 'CA', 'CR', 'DK', 'FR', 'IN', 'IE', 'IL', 'JP', 'SE', 'CH', 'GB', 'US']
observed_motivations ['Financial Gain']
source MITRE
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '2e5f6e4a-4579-46f7-9997-6923180815dd', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Aerospace', 'Casinos Gambling', 'Commercial', 'Construction', 'Defense', 'Education', 'Entertainment', 'Financial Services', 'Hospitality Leisure', 'Legal', 'Media', 'Pharmaceuticals', 'Retail', 'Technology', 'Telecommunications', 'Transportation', 'Utilities', 'Video Games']

SideCopy

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. SideCopy's name comes from its infection chain, which tries to mimic that of Sidewinder, a suspected Indian threat group.[MalwareBytes SideCopy Dec 2021]

Internal MISP references

UUID 31bc763e-623f-4870-9780-86e43d732594 which can be used as unique global reference for SideCopy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1008
source MITRE

T-APT-04 - Associated Group

[Cyble Sidewinder September 2020]

Internal MISP references

UUID 3e580fae-6d8a-4c1c-b132-ddf47d0ff6c9 which can be used as unique global reference for T-APT-04 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 2520a2c7-38ad-4360-8adc-bc309746ff52

Rattlesnake - Associated Group

[Cyble Sidewinder September 2020]

Internal MISP references

UUID 023a26e3-77a9-44b3-932f-23c82100881c which can be used as unique global reference for Rattlesnake - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b0f3f694-f414-4e42-b95d-1a790b64b6ca

Sidewinder

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[ATT Sidewinder January 2021][Securelist APT Trends April 2018][Cyble Sidewinder September 2020]

Internal MISP references

UUID 44f8bd4e-a357-4a76-b031-b7455a305ef0 which can be used as unique global reference for Sidewinder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IN
group_attack_id G0121
observed_countries ['AF', 'BD', 'CN', 'MM', 'NP', 'PK', 'QA', 'LK']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Energy', 'Government', 'Mining']

Whisper Spider - Associated Group

[Crowdstrike GTR2020 Mar 2020]

Internal MISP references

UUID 4e28aead-8a85-4ae2-88d0-fa21fc7aa6a0 which can be used as unique global reference for Whisper Spider - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5e7bdbc9-27c0-4801-bd67-26a5afa78cc5

Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[Cyber Forensicator Silence Jan 2019][SecureList Silence Nov 2017]

Internal MISP references

UUID b534349f-55a4-41b8-9623-6707765c3c50 which can be used as unique global reference for Silence in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0091
observed_countries ['AZ', 'BY', 'KZ', 'PL', 'RU', 'UA']
observed_motivations ['Financial Gain']
source MITRE
tags ['15787198-6c8b-4f79-bf50-258d55072fee']
target_categories ['Banks', 'Financial Services']

TA407 - Associated Group

[Proofpoint TA407 September 2019][Malwarebytes Silent Librarian October 2020]

Internal MISP references

UUID c39d60d6-bb43-47e5-bc8d-e73fa1ef8c1d which can be used as unique global reference for TA407 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5d46e5fe-8597-4606-bd43-9a0426548854

COBALT DICKENS - Associated Group

[Secureworks COBALT DICKENS August 2018][Secureworks COBALT DICKENS September 2019][Proofpoint TA407 September 2019][Malwarebytes Silent Librarian October 2020]

Internal MISP references

UUID 1a968e44-b931-4373-96f8-ecb976540fd3 which can be used as unique global reference for COBALT DICKENS - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 770197f5-de40-4936-962a-f256e1ee7717

Silent Librarian

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).[DOJ Iran Indictments March 2018][Phish Labs Silent Librarian][Malwarebytes Silent Librarian October 2020]

Internal MISP references

UUID 0e7bd4da-7974-49c9-b213-116bd7157761 which can be used as unique global reference for Silent Librarian in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country IR
group_attack_id G0122
observed_countries ['AU', 'CA', 'CN', 'FR', 'DE', 'HK', 'IL', 'JP', 'NZ', 'NO', 'OM', 'SA', 'ZA', 'ES', 'SE', 'CH', 'TR', 'GB', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Education', 'Government']

SilverTerrier

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.[Unit42 SilverTerrier 2018][Unit42 SilverTerrier 2016]

Internal MISP references

UUID e47ae2a7-d34d-4528-ba67-c9c07daa91ba which can be used as unique global reference for SilverTerrier in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country NG
group_attack_id G0083
source MITRE
target_categories ['Education', 'Manufacturing', 'Technology', 'Telecommunications', 'Transportation']

Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [Symantec Sowbug Nov 2017]

Internal MISP references

UUID 6632f07f-7c6b-4d12-8544-82edc6a7a577 which can be used as unique global reference for Sowbug in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0054
observed_countries ['AR', 'BR', 'BN', 'EC', 'MY', 'PE']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Government']

Star Blizzard

Star Blizzard is believed to be a Russia-based cyber threat actor group. According to joint Cybersecurity Advisory AA23-341A (December 2023), U.S. and international authorities assess that Star Blizzard is “almost certainly” a subordinate of the Russian Federal Security Service (FSB) Centre 18. Star Blizzard is known to successfully use spear-phishing attacks against its targets for information-gathering purposes. The advisory indicated that authorities observed these spear-phishing attacks occurring through 2023. Star Blizzard has traditionally targeted academic, defense, government, non-governmental (NGO), and think tank organizations (and associated personnel) in the United States and United Kingdom, other NATO nations, and countries neighboring Russia. Politicians have also been targeted. According to the advisory, beginning in 2022, authorities observed Star Blizzard's targeting expand to the defense-industrial sector and U.S. Department of Energy facilities.[U.S. CISA Star Blizzard December 2023]

Internal MISP references

UUID a13bd574-b907-4489-96ab-8d30faf7fca4 which can be used as unique global reference for Star Blizzard in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G5017
observed_countries ['GB', 'US']
observed_motivations ['Cyber Espionage']
owner TidalCyberIan
source Tidal Cyber
target_categories ['Defense', 'Education', 'Energy', 'Government', 'NGOs']

Stealth Falcon

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. [Citizen Lab Stealth Falcon May 2016]

Internal MISP references

UUID ca3016f3-642a-4ae0-86bc-7258475d6937 which can be used as unique global reference for Stealth Falcon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0038
observed_countries ['AE']
source MITRE
target_categories ['Entertainment', 'Human Rights']

ProjectSauron - Associated Group

ProjectSauron refers both to the threat group also known as G0041 and to the malware platform also known as S0125. [Kaspersky ProjectSauron Blog] [Kaspersky ProjectSauron Full Report]

Internal MISP references

UUID bb2eac9b-3dfc-487a-8dff-b8de5f6e3041 which can be used as unique global reference for ProjectSauron - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 081ed982-e5c6-46c4-b84b-c30e6c3f76b0

Strider

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[Symantec Strider Blog][Kaspersky ProjectSauron Blog]

Internal MISP references

UUID deb573c6-071a-4b50-9e92-4aa648d8bdc1 which can be used as unique global reference for Strider in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0041
observed_countries ['BE', 'CN', 'IR', 'RU', 'RW', 'SE']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Aerospace', 'Defense', 'Financial Services', 'Government', 'Telecommunications']

Suckfly

Suckfly is a China-based threat group that has been active since at least 2014. [Symantec Suckfly March 2016]

Internal MISP references

UUID 06549082-ff70-43bf-985e-88c695c7113c which can be used as unique global reference for Suckfly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0039
observed_countries ['IN']
observed_motivations ['Cyber Espionage']
source MITRE

TA2541

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[Proofpoint TA2541 February 2022][Cisco Operation Layover September 2021]

Internal MISP references

UUID 1bfbb1e1-022c-57e9-b70e-711c601640be which can be used as unique global reference for TA2541 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G1018
observed_countries ['US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Aerospace', 'Defense', 'Manufacturing', 'Transportation']

TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [Proofpoint TA459 April 2017]

Internal MISP references

UUID e343c1f1-458c-467b-bc4a-c1b97b2127e3 which can be used as unique global reference for TA459 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0062
observed_countries ['BY', 'MN', 'RU']
source MITRE

Hive0065 - Associated Group

[IBM TA505 April 2020]

Internal MISP references

UUID 4f21a323-28d3-498d-8cfe-a1835eebd561 which can be used as unique global reference for Hive0065 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1b8be083-5a61-4258-9930-c9af51134220

TA505

TA505 is a cybercriminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.[Proofpoint TA505 Sep 2017][Proofpoint TA505 June 2018][Proofpoint TA505 Jan 2019][NCC Group TA505][Korean FSI TA505 2020]

Internal MISP references

UUID b3220638-6682-4a4e-ab64-e7dc4202a3f1 which can be used as unique global reference for TA505 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0092
observed_countries ['AU', 'CA', 'DE', 'GB', 'US']
observed_motivations ['Financial Gain']
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'a98d7a43-f227-478e-81de-e7299639a355']

Shathak - Associated Group

[Unit 42 Valak July 2020][Unit 42 TA551 Jan 2021]

Internal MISP references

UUID 2d829442-7a16-46ab-9d4d-b92cd1f0be7e which can be used as unique global reference for Shathak - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9e152191-3791-4025-bacc-2ce10f849daa

GOLD CABIN - Associated Group

[Secureworks GOLD CABIN]

Internal MISP references

UUID f9c58990-a69d-4edc-ad9d-ec74412da18a which can be used as unique global reference for GOLD CABIN - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 26c30ee4-7bf4-432e-ab46-b0ae9c8eaa51

TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. [Secureworks GOLD CABIN] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [Unit 42 TA551 Jan 2021]

Internal MISP references

UUID 8951bff3-c444-4374-8a9e-b2115d9125b2 which can be used as unique global reference for TA551 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0127
observed_motivations ['Financial Gain']
source MITRE

TA577

TA577 is a cybercriminal actor that has remained highly active since mid-2020. The actor is known for carrying out email-based campaigns that result in the delivery of a wide range of payloads, including at least one leading to ransomware (REvil) deployment. These campaigns are known to impact organizations in a wide range of sectors and geographic locations.[Proofpoint Ransomware Initial Access June 2021] The actor appears adept at shifting payloads in response to external factors, for example moving to deliver DarkGate and Pikabot shortly after international authorities disrupted the QakBot botnet in August 2023.[Malwarebytes Pikabot December 15 2023]

Internal MISP references

UUID 28f3dbcc-b248-442f-9ff3-234210bb2f2a which can be used as unique global reference for TA577 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5019
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber

TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[Palo Alto Black-T October 2020][Lacework TeamTNT May 2021][Intezer TeamTNT September 2020][Cado Security TeamTNT Worm August 2020][Unit 42 Hildegard Malware][Trend Micro TeamTNT][ATT TeamTNT Chimaera September 2020][Aqua TeamTNT August 2020][Intezer TeamTNT Explosion September 2021]

Internal MISP references

UUID 325c11be-e1ee-47db-afa6-44ac5d16f0e7 which can be used as unique global reference for TeamTNT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0139
observed_motivations ['Financial Gain']
source MITRE
tags ['efa33611-88a5-40ba-9bc4-3d85c6c8819b', '82009876-294a-4e06-8cfc-3236a429bda4', '4fa6f8e1-b0d5-4169-8038-33e355c08bde', '2e5f6e4a-4579-46f7-9997-6923180815dd']

XENOTIME - Associated Group

The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.[Dragos Xenotime 2018][Pylos Xenotime 2019][FireEye TRITON 2019][FireEye TEMP.Veles 2018]

Internal MISP references

UUID cbba6443-46cd-4602-87ff-1142995202ab which can be used as unique global reference for XENOTIME - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a6810875-326d-4627-8802-75eedd09ad8a

TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[FireEye TRITON 2019][FireEye TEMP.Veles 2018][FireEye TEMP.Veles JSON April 2019]

Internal MISP references

UUID 3a54b8dc-a231-4db8-96da-1c0c1aa396f6 which can be used as unique global reference for TEMP.Veles in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G0088
observed_countries ['SA', 'US']
source MITRE
target_categories ['Infrastructure']

The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[Cylance Shaheen Nov 2018]

Internal MISP references

UUID 830079fe-9824-405b-93e0-c28592155c49 which can be used as unique global reference for The White Company in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0089
observed_countries ['PK']
source MITRE
target_categories ['Defense', 'Government']

TG-1314 - Associated Group

[Dell TG-1314]

Internal MISP references

UUID a3bf437b-2805-424a-8122-b1f07f68c3c2 which can be used as unique global reference for TG-1314 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 68535ecf-5a76-42b1-8a2e-e3366b01b95c

Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [Dell TG-1314]

Internal MISP references

UUID 0f86e871-0c6c-4227-ae28-3f3696d6ae9d which can be used as unique global reference for Threat Group-1314 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0028
source MITRE

Earth Smilodon - Associated Group

[Trend Micro Iron Tiger April 2021]

Internal MISP references

UUID acc5d023-b5f9-40c0-9061-8424c14334a4 which can be used as unique global reference for Earth Smilodon - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 161f4194-5138-47c2-9666-d55b5287dc21

TG-3390 - Associated Group

[Dell TG-3390][Nccgroup Emissary Panda May 2018][Hacker News LuckyMouse June 2018]

Internal MISP references

UUID 851cfd6f-8ca5-4048-b5a0-c23729456f12 which can be used as unique global reference for TG-3390 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 2bdc8ad0-5eb2-4ec8-8a58-16234a044647

BRONZE UNION - Associated Group

[SecureWorks BRONZE UNION June 2017][Nccgroup Emissary Panda May 2018]

Internal MISP references

UUID 621b8362-b819-40af-8534-80efd9af3fd1 which can be used as unique global reference for BRONZE UNION - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1c394f39-84e0-45b8-a34b-22cf69cf709d

Iron Tiger - Associated Group

[Hacker News LuckyMouse June 2018][Trend Micro Iron Tiger April 2021]

Internal MISP references

UUID 0aec785f-db69-49f4-ad4f-68fe226a5399 which can be used as unique global reference for Iron Tiger - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id af363795-4a49-4c3f-a693-aeb4092dcb87

LuckyMouse - Associated Group

[Securelist LuckyMouse June 2018][Hacker News LuckyMouse June 2018][Trend Micro Iron Tiger April 2021]

Internal MISP references

UUID 869b23ab-c9a6-4fa3-abc8-2982707e68d7 which can be used as unique global reference for LuckyMouse - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c07fdac7-3f1a-4321-9caf-2e117eefa720

Emissary Panda - Associated Group

[Gallagher 2015][Nccgroup Emissary Panda May 2018][Securelist LuckyMouse June 2018][Hacker News LuckyMouse June 2018][Unit42 Emissary Panda May 2019][Trend Micro Iron Tiger April 2021]

Internal MISP references

UUID 6892414f-3428-4ff4-bb27-cefb2c7177e4 which can be used as unique global reference for Emissary Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4dd1a6d5-8f50-47ba-9e1d-1ae3f341fe3b

APT27 - Associated Group

[Nccgroup Emissary Panda May 2018][Securelist LuckyMouse June 2018][Hacker News LuckyMouse June 2018][Trend Micro Iron Tiger April 2021]

Internal MISP references

UUID bc77908c-dcb0-4d07-933d-a1dded911306 which can be used as unique global reference for APT27 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0f5e1d81-0631-4c8d-9021-7d60fd899ba8

Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[Dell TG-3390] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[SecureWorks BRONZE UNION June 2017][Securelist LuckyMouse June 2018][Trend Micro DRBControl February 2020]

Internal MISP references

UUID 79be2f31-5626-425e-844c-fd9c99e38fe5 which can be used as unique global reference for Threat Group-3390 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0027
observed_countries ['AU', 'CA', 'CN', 'DE', 'HK', 'IN', 'IR', 'IL', 'JP', 'KR', 'MN', 'PH', 'RU', 'ES', 'TW', 'TH', 'TR', 'GB', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
target_categories ['Aerospace', 'Automotive', 'Banks', 'Casinos Gambling', 'Defense', 'Education', 'Energy', 'Government', 'Manufacturing', 'Pharmaceuticals', 'Technology']

Thrip

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. [Symantec Thrip June 2018]

Internal MISP references

UUID a3b39b07-0bfa-4c69-9f01-acf7dc6033b4 which can be used as unique global reference for Thrip in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0076
observed_countries ['US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Telecommunications']

BRONZE HUNTLEY - Associated Group

[Secureworks BRONZE HUNTLEY]

Internal MISP references

UUID aee5a88d-6695-4221-a4fb-1f7aa1bfdcd4 which can be used as unique global reference for BRONZE HUNTLEY - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b81e735d-40ea-4fc8-a84a-7cf717346155

Karma Panda - Associated Group

[Kaspersky CactusPete Aug 2020][CrowdStrike Manufacturing Threat July 2020]

Internal MISP references

UUID 7e6588d8-8d1e-4ed0-a233-38f3b37c2aad which can be used as unique global reference for Karma Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9ac5e0d4-9387-4111-9b05-15613722fdcc

Earth Akhlut - Associated Group

[TrendMicro Tonto Team October 2020]

Internal MISP references

UUID 9f9382c1-edc9-434c-945a-71bfdf28ca6f which can be used as unique global reference for Earth Akhlut - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 910288bd-71dd-4635-b559-ccb2d7879ab6

CactusPete - Associated Group

[Kaspersky CactusPete Aug 2020]

Internal MISP references

UUID 70c9c7d6-d51a-4c73-823f-fffd0d75f63e which can be used as unique global reference for CactusPete - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d748b970-fab9-4ae3-919b-2188e7f0ad95

Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[Kaspersky CactusPete Aug 2020][ESET Exchange Mar 2021][FireEye Chinese Espionage October 2019][ARS Technica China Hack SK April 2017][Trend Micro HeartBeat Campaign January 2013][Talos Bisonal 10 Years March 2020]

Internal MISP references

UUID 9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c which can be used as unique global reference for Tonto Team in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0131
observed_countries ['IN', 'JP', 'KR', 'MN', 'RU', 'TW', 'US']
source MITRE
target_categories ['Defense', 'Energy', 'Financial Services', 'Government', 'Manufacturing', 'Mining', 'Technology', 'Telecommunications']

Mythic Leopard - Associated Group

[Crowdstrike Mythic Leopard Profile][Kaspersky Transparent Tribe August 2020][Talos Transparent Tribe May 2021]

Internal MISP references

UUID 150aeea7-b49e-49cf-a884-f9e0f69a6742 which can be used as unique global reference for Mythic Leopard - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e41ed1f8-7e23-46d3-ae3b-aed9d2caffda

COPPER FIELDSTONE - Associated Group

[Secureworks COPPER FIELDSTONE Profile]

Internal MISP references

UUID 4db20d24-3005-4fbb-af6e-94bb3841c25b which can be used as unique global reference for COPPER FIELDSTONE - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7411aa5c-b1f3-413c-82bf-c397996b6106

APT36 - Associated Group

[Talos Transparent Tribe May 2021]

Internal MISP references

UUID da9e7789-2d64-4684-87b9-8185f11b7410 which can be used as unique global reference for APT36 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5cfb7f3b-93bf-4430-938b-1d0b5efb721b

ProjectM - Associated Group

[Unit 42 ProjectM March 2016][Kaspersky Transparent Tribe August 2020]

Internal MISP references

UUID 6d979811-8a41-4407-be4b-b657a3bd3d20 which can be used as unique global reference for ProjectM - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id eec8f5d0-a7df-4ace-b82b-1108d5f09fd5

Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[Proofpoint Operation Transparent Tribe March 2016][Kaspersky Transparent Tribe August 2020][Talos Transparent Tribe May 2021]

Internal MISP references

UUID 441b91d1-256a-4763-bac6-8f1c76764a25 which can be used as unique global reference for Transparent Tribe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country PK
group_attack_id G0134
observed_countries ['AF', 'AU', 'AT', 'BD', 'BE', 'BW', 'CA', 'CN', 'CZ', 'GE', 'DE', 'IN', 'IR', 'JP', 'KE', 'LI', 'MY', 'MN', 'NP', 'NL', 'OM', 'PK', 'SA', 'ES', 'SE', 'CH', 'TH', 'TR', 'AE', 'GB', 'US']
source MITRE
target_categories ['Defense', 'Government']

KeyBoy - Associated Group

[Unit 42 Tropic Trooper Nov 2016][TrendMicro Tropic Trooper Mar 2018]

Internal MISP references

UUID 72ad17b4-d973-48c4-aae9-5a95aaf2ee88 which can be used as unique global reference for KeyBoy - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id afd6e8f7-62f4-46cd-a366-8bd35da48511

Pirate Panda - Associated Group

[Crowdstrike Pirate Panda April 2020]

Internal MISP references

UUID 7157a2fe-6e59-40ae-a7de-4961444f9c56 which can be used as unique global reference for Pirate Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1fae48a9-1f79-4895-8bcc-e1cdc2b986d4

Tropic Trooper

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against organizations in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[TrendMicro Tropic Trooper Mar 2018][Unit 42 Tropic Trooper Nov 2016][TrendMicro Tropic Trooper May 2020]

Internal MISP references

UUID 0a245c5e-c1a8-480f-8655-bb2594e3266b which can be used as unique global reference for Tropic Trooper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0081
observed_countries ['HK', 'PH', 'TW']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Government', 'Healthcare', 'High Tech', 'Transportation']

Waterbug - Associated Group

Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.[Symantec Waterbug]

Internal MISP references

UUID 58827a83-6a90-4cee-8b9a-7c033bf90dee which can be used as unique global reference for Waterbug - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id fc87b05b-4404-410c-b27d-7d9b077245f1

WhiteBear - Associated Group

WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.[Securelist WhiteBear Aug 2017][Talos TinyTurla September 2021]

Internal MISP references

UUID 9cea8cef-dd46-4997-baba-d2dea899e193 which can be used as unique global reference for WhiteBear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 201c6a8b-499b-4dc7-a4c4-c23a7355d502

IRON HUNTER - Associated Group

[Secureworks IRON HUNTER Profile]

Internal MISP references

UUID 1bf28831-a2fd-4dc5-885c-9cdf84d43535 which can be used as unique global reference for IRON HUNTER - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 462301bf-d936-436a-95f8-4b7c7b972428

Group 88 - Associated Group

[Leonardo Turla Penquin May 2020]

Internal MISP references

UUID 3cf95a2f-a7b8-4061-b477-16729657f8f3 which can be used as unique global reference for Group 88 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3633bd53-4478-48b2-aadf-5b959bdd8de0

Belugasturgeon - Associated Group

[Accenture HyperStack October 2020]

Internal MISP references

UUID 4087cefb-c0d4-401b-aa6c-dca93aed1c3c which can be used as unique global reference for Belugasturgeon - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id baac52c8-bc05-4e9d-9d5a-2d2f448be346

Snake - Associated Group

[CrowdStrike VENOMOUS BEAR][ESET Turla PowerShell May 2019][Talos TinyTurla September 2021]

Internal MISP references

UUID e934559a-b3c1-4e72-a5c9-e1abd7b2ae78 which can be used as unique global reference for Snake - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f6a74f26-fcd8-4128-9b76-6fbda75ff6a9

Krypton - Associated Group

[CrowdStrike VENOMOUS BEAR]

Internal MISP references

UUID 7a2f17eb-6674-461d-89c4-6f40e1b6cdf5 which can be used as unique global reference for Krypton - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 72100212-b904-45e8-932e-3fc5ab1040df

Venomous Bear - Associated Group

[CrowdStrike VENOMOUS BEAR][Talos TinyTurla September 2021]

Internal MISP references

UUID 3637113f-d45f-4c97-aec0-16eaa7e3fc62 which can be used as unique global reference for Venomous Bear - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 42650149-9fc9-40ab-9780-792825fd8b99

Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[Kaspersky Turla][ESET Gazer Aug 2017][CrowdStrike VENOMOUS BEAR][ESET Turla Mosquito Jan 2018][Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023]

Internal MISP references

UUID 47ae4fb1-fc61-4e8e-9310-66dda706e1a2 which can be used as unique global reference for Turla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G0010
observed_countries ['AF', 'DZ', 'AR', 'AM', 'AU', 'AT', 'AZ', 'BY', 'BE', 'BO', 'BW', 'BR', 'BG', 'CL', 'CN', 'CY', 'CZ', 'DK', 'EC', 'EE', 'FI', 'FR', 'GE', 'DE', 'HK', 'HU', 'IN', 'ID', 'IR', 'IQ', 'IT', 'JM', 'JO', 'KZ', 'KR', 'KW', 'KG', 'LV', 'LT', 'MX', 'MD', 'ME', 'NL', 'PK', 'PY', 'PL', 'QA', 'RO', 'RU', 'SA', 'RS', 'SG', 'ZA', 'ES', 'SE', 'CH', 'SY', 'TJ', 'TH', 'TN', 'TR', 'TM', 'UA', 'GB', 'US', 'UY', 'UZ', 'VE', 'VN', 'YE']
observed_motivations ['Cyber Espionage']
source MITRE
tags ['a2e000da-8181-4327-bacd-32013dbd3654']
target_categories ['Aerospace', 'Defense', 'Education', 'Government', 'Non Profit', 'Pharmaceuticals', 'Telecommunications']

Vice Society

Vice Society is an extortion-focused threat actor group first observed in mid-2021. The group gained notoriety after targeting a considerable number of educational institutions, especially lower education institutions. Although the education sector accounts for a disproportionate amount of the group’s victims, Vice Society has claimed victims in multiple other industries too, including the healthcare, retail, financial, insurance, and public services sectors. The group regularly pressures victims into paying a ransom by threatening to leak data exfiltrated during its intrusions. Vice Society is not known to have developed its own ransomware, instead deploying other existing families, including HELLOKITTY/FIVEHANDS and Zeppelin.[U.S. CISA Vice Society September 2022]

Related Vulnerabilities: CVE-2021-1675[Unit 42 Vice Society December 6 2022], CVE-2021-34527[Unit 42 Vice Society December 6 2022]

Internal MISP references

UUID 2e2d3e75-1160-4ba5-80cc-8e7685fcfc44 which can be used as unique global reference for Vice Society in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G5012
observed_countries ['AR', 'AU', 'AT', 'BR', 'CA', 'CO', 'FR', 'GF', 'DE', 'GR', 'GL', 'IN', 'ID', 'IT', 'KW', 'LB', 'MY', 'NZ', 'PL', 'PT', 'SA', 'SG', 'ES', 'SE', 'CH', 'TH', 'UA', 'GB', 'US']
observed_motivations ['Financial Gain']
owner TidalCyberIan
source Tidal Cyber
tags ['4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', '15787198-6c8b-4f79-bf50-258d55072fee', 'a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530', 'adf0c8d2-f06f-49a5-a3f4-e6cf5f502b1c', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Construction', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'High Tech', 'Hospitality Leisure', 'Insurance', 'Legal', 'Manufacturing', 'Media', 'Non Profit', 'Retail', 'Telecommunications', 'Transportation', 'Utilities']

Lebanese Cedar - Associated Group

[ClearSky Lebanese Cedar Jan 2021]

Internal MISP references

UUID 3dc34f21-1b3f-4952-97e9-c9df61379962 which can be used as unique global reference for Lebanese Cedar - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 11222cec-4905-40d8-a9ec-100735108365

Volatile Cedar

Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.[CheckPoint Volatile Cedar March 2015][ClearSky Lebanese Cedar Jan 2021]

Internal MISP references

UUID 7c3ef21c-0e1c-43d5-afb0-3a07c5a66937 which can be used as unique global reference for Volatile Cedar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country LB
group_attack_id G0123
observed_countries ['EG', 'JO', 'KW', 'LB', 'SA', 'TR', 'AE']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Defense', 'Education', 'Government', 'Media', 'Telecommunications']

Volt Typhoon - Tidal

Volt Typhoon is a China state-backed threat actor that has targeted critical infrastructure organizations in a range of specific sectors in Guam and elsewhere in the United States since mid-2021. Its activities primarily focus on espionage and information gathering. Researchers indicate the group is focused on maintaining stealth and persistence in victim networks for as long as possible, leveraging a large number of living-off-the-land techniques to accomplish these goals. Researchers assessed with moderate confidence that Volt Typhoon's activities are focused on developing capabilities that could disrupt communications infrastructure between the United States and entities in Asia in the event of a potential geopolitical crisis.[U.S. CISA Volt Typhoon May 24 2023]

Related Vulnerabilities: CVE-2021-40539, CVE-2021-27860[U.S. CISA Volt Typhoon May 24 2023]

Internal MISP references

UUID 3290dcb9-5781-4b87-8fa0-6ae820e152cd which can be used as unique global reference for Volt Typhoon - Tidal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G5001
observed_countries ['GU', 'US']
observed_motivations ['Cyber Espionage']
owner TidalCyberIan
source Tidal Cyber
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '97cc0c9b-3625-42c3-824a-646a91702977', '53331b05-782f-45fc-b925-27c9598dde80']
target_categories ['Construction', 'Education', 'Government', 'Manufacturing', 'Maritime', 'Technology', 'Telecommunications', 'Transportation', 'Utilities']

BRONZE SILHOUETTE - Associated Group

[Secureworks BRONZE SILHOUETTE May 2023]

Internal MISP references

UUID a7d8b128-d997-5d59-9aa2-9db35ff658c7 which can be used as unique global reference for BRONZE SILHOUETTE - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3845a076-bf99-5224-bbe1-7e9e5393a25f

Vanguard Panda - Associated Group

[U.S. CISA Volt Typhoon February 7 2024]

Internal MISP references

UUID 33ec6e60-3e48-4ad8-9960-d59af6260c52 which can be used as unique global reference for Vanguard Panda - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 55384b19-c2c3-4527-b759-d23d61d8014a
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Dev-0391 - Associated Group

[U.S. CISA Volt Typhoon February 7 2024]

Internal MISP references

UUID dba5e3cd-8c54-4129-a4f3-adcb1ded182a which can be used as unique global reference for Dev-0391 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c12f51e2-30ea-4cdd-a2df-abc7d17e961a
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

UNC3236 - Associated Group

[U.S. CISA Volt Typhoon February 7 2024]

Internal MISP references

UUID b38b4cff-e574-4d39-b2c5-365bcb14b7b6 which can be used as unique global reference for UNC3236 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 89106490-5646-4fa6-9bae-c83098e41874
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Voltzite - Associated Group

[U.S. CISA Volt Typhoon February 7 2024]

Internal MISP references

UUID 950dd0a9-0045-4956-bf7b-3b3be491b086 which can be used as unique global reference for Voltzite - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 757b8c7c-9c62-405b-ae3c-37ef25f45144
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Insidious Taurus - Associated Group

[U.S. CISA Volt Typhoon February 7 2024]

Internal MISP references

UUID c93b36a8-c2b7-4f54-830e-86040830a9f5 which can be used as unique global reference for Insidious Taurus - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e8ad4226-71c7-4f9c-a1f7-4fc3e339d2fb
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. Volt Typhoon typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US, including Guam. Volt Typhoon has emphasized stealth in its operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.[Microsoft Volt Typhoon May 2023][Joint Cybersecurity Advisory Volt Typhoon June 2023][Secureworks BRONZE SILHOUETTE May 2023]

Internal MISP references

UUID 4ea1245f-3f35-5168-bd10-1fc49142fd4e which can be used as unique global reference for Volt Typhoon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G1017
observed_countries ['GU', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '97cc0c9b-3625-42c3-824a-646a91702977', '53331b05-782f-45fc-b925-27c9598dde80']
target_categories ['Construction', 'Education', 'Government', 'Manufacturing', 'Maritime', 'Technology', 'Telecommunications', 'Transportation', 'Utilities']

Whitefly

Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.[Symantec Whitefly March 2019]

Internal MISP references

UUID f0943620-7bbb-4239-8ed3-c541c36baaa1 which can be used as unique global reference for Whitefly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0107
observed_countries ['SG']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Healthcare', 'Media', 'Telecommunications']

Windigo

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.[ESET Windigo Mar 2014][CERN Windigo June 2019]

Internal MISP references

UUID eeb69751-8c22-4a5f-8da2-239cc7d7746c which can be used as unique global reference for Windigo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0124
source MITRE

Bahamut - Associated Group

[SANS Windshift August 2018]

Internal MISP references

UUID 9e192d35-5371-4e21-bc63-62e10a8a5a44 which can be used as unique global reference for Bahamut - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 79b3abef-e42b-40c7-958d-cea379561a78
Related clusters

To see the related clusters, click here.

Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.[SANS Windshift August 2018][objective-see windtail1 dec 2018][objective-see windtail2 jan 2019]

Internal MISP references

UUID 4e880d01-313a-4926-8470-78c48824aa82 which can be used as unique global reference for Windshift in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0112
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Government', 'Infrastructure']
Related clusters

To see the related clusters, click here.

Blackfly - Associated Group

[Symantec Suckfly March 2016]

Internal MISP references

UUID 453f7dbf-bde7-4cf3-af5d-a6ac10335980 which can be used as unique global reference for Blackfly - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id cd7e1e48-b13a-4124-ad7b-e3c82f563b4c
Related clusters

To see the related clusters, click here.

Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.[Kaspersky Winnti April 2013][Kaspersky Winnti June 2015][Novetta Winnti April 2015] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.[401 TRG Winnti Umbrella May 2018]

Internal MISP references

UUID 6932662a-53a7-4e43-877f-6e940e2d744b which can be used as unique global reference for Winnti Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0044
observed_countries ['BY', 'BR', 'CN', 'DE', 'IN', 'ID', 'JP', 'KR', 'PE', 'PH', 'RU', 'TW', 'TH', 'US', 'VN']
source MITRE
target_categories ['Entertainment']
Related clusters

To see the related clusters, click here.

WIRTE

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.[Lab52 WIRTE Apr 2019][Kaspersky WIRTE November 2021]

Internal MISP references

UUID 73da066d-b25f-45ba-862b-1a69228c6baa which can be used as unique global reference for WIRTE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
group_attack_id G0090
source MITRE
target_categories ['Defense', 'Financial Services', 'Government', 'Legal', 'Technology']

TEMP.MixMaster - Associated Group

[FireEye Ryuk and Trickbot January 2019]

Internal MISP references

UUID 1a9f2244-d35f-45d1-8f53-d1421498006d which can be used as unique global reference for TEMP.MixMaster - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1c33c01b-e230-495e-9dc2-6b0208684b74
Related clusters

To see the related clusters, click here.

Grim Spider - Associated Group

[CrowdStrike Ryuk January 2019][CrowdStrike Grim Spider May 2019]

Internal MISP references

UUID 2924354f-bbaa-4c1b-8af0-a78976b1eff2 which can be used as unique global reference for Grim Spider - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 40656576-ae67-4adf-8478-586f7a8180d7
Related clusters

To see the related clusters, click here.

UNC1878 - Associated Group

[FireEye KEGTAP SINGLEMALT October 2020]

Internal MISP references

UUID e0313186-a5f5-4bb0-94a0-b2b5d496bbc6 which can be used as unique global reference for UNC1878 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 17d304e9-9794-48a5-8297-7543199aa80f
Related clusters

To see the related clusters, click here.

FIN12 - Associated Group

[Mandiant FIN12 Oct 2021]

Internal MISP references

UUID 91e61805-508f-536c-8e8e-89a5a24ae511 which can be used as unique global reference for FIN12 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 77d687c7-fe01-5fd5-9fa5-8c346f92b9d2
Related clusters

To see the related clusters, click here.

GOLD BLACKBURN - Associated Group

[Secureworks Gold Blackburn Mar 2022]

Internal MISP references

UUID c521ebb3-4303-5fef-a1fb-bd0e9f6a79a7 which can be used as unique global reference for GOLD BLACKBURN - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b59c07e6-61eb-5c06-8816-a6606c4767a2
Related clusters

To see the related clusters, click here.

ITG23 - Associated Group

[IBM X-Force ITG23 Oct 2021]

Internal MISP references

UUID e03d13ed-35ac-59e3-afa0-b06cdf5eb534 which can be used as unique global reference for ITG23 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id be36bc98-f462-53fb-9097-80e7a2dec21b
Related clusters

To see the related clusters, click here.

Periwinkle Tempest - Associated Group

[Secureworks Gold Blackburn Mar 2022]

Internal MISP references

UUID c049da64-915b-58ee-abf1-9d485159d2e0 which can be used as unique global reference for Periwinkle Tempest - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e2e61a31-7c55-5633-9b2b-4a67595f3903
Related clusters

To see the related clusters, click here.

Wizard Spider

Wizard Spider is a Russia-based, financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[CrowdStrike Ryuk January 2019][DHS/CISA Ransomware Targeting Healthcare October 2020][CrowdStrike Wizard Spider October 2020]

Internal MISP references

UUID 0b431229-036f-4157-a1da-ff16dfc095f8 which can be used as unique global reference for Wizard Spider in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country RU
group_attack_id G0102
observed_countries ['AU', 'BE', 'CA', 'DO', 'FR', 'DE', 'IT', 'JP', 'MX', 'NL', 'NZ', 'NO', 'SG', 'ES', 'CH', 'TW', 'GB', 'US']
observed_motivations ['Financial Gain']
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
target_categories ['Aerospace', 'Agriculture', 'Automotive', 'Chemical', 'Education', 'Energy', 'Financial Services', 'Government', 'Healthcare', 'Hospitality Leisure', 'Insurance', 'Legal', 'Manufacturing', 'Media', 'NGOs', 'Non Profit', 'Pharmaceuticals', 'Retail', 'Technology', 'Telecommunications', 'Transportation', 'Utilities']
Related clusters

To see the related clusters, click here.

APT31 - Associated Group

[Check Point APT31 February 2021]

Internal MISP references

UUID f17739da-dd35-4e1e-ab48-e27d9cd08caf which can be used as unique global reference for APT31 - Associated Group in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id dfb489dd-7b04-4d5a-b3ad-a1e801ade5ca
Related clusters

To see the related clusters, click here.

ZIRCONIUM

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[Microsoft Targeting Elections September 2020][Check Point APT31 February 2021]

Internal MISP references

UUID 5e34409e-2f55-4384-b519-80747d02394c which can be used as unique global reference for ZIRCONIUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
country CN
group_attack_id G0128
observed_countries ['BY', 'CA', 'FI', 'FR', 'MN', 'NO', 'RU', 'US']
observed_motivations ['Cyber Espionage']
source MITRE
target_categories ['Aerospace', 'Construction', 'Defense', 'Education', 'Financial Services', 'Government', 'High Tech', 'Insurance', 'Media', 'Telecommunications']
Related clusters

To see the related clusters, click here.