diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a500a71..a006590 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -12,12 +12,38 @@ "Group 3", "TG-8223", "Comment Group", - "Brown Fox" + "Brown Fox", + "GIF89a" ], "country": "CN", "refs": [ "https://en.wikipedia.org/wiki/PLA_Unit_61398", + "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf", + "https://www.cfr.org/interactive/cyber-operations/pla-unit-61398", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + ], + "cfr-suspected-victims": [ + "United States", + "Taiwan", + "Israel", + "Norway", + "United Arab Emirates", + "United Kingdom", + "Singapore", + "India", + "Belgium", + "South Africa", + "Switzerland", + "Canada", + "France", + "Luxembourg", + "Japan" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector", + "Government" ] }, "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", 
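Review bot: The new synonym `"GIF89a"` in the APT1 hunk is the same six bytes that open every GIF89a image, so a consumer that matches `synonyms` against file content, strings output or free text will attribute ordinary images to this actor. If the alias must stay for parity with the cfr.org entry, matching tools should treat it as a label only and never as a search term. Otherwise drop the `+ "GIF89a"` line and leave `"Brown Fox"` as the last element. The added `http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf` reference is plain HTTP and appears to be the same report as the fireeye.com HTTPS link already in `refs`, so it adds little.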
@@ -183,7 +209,17 @@ ], "country": "CN", "refs": [ - "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", + "https://www.cfr.org/interactive/cyber-operations/putter-panda" + ], + "cfr-suspected-victims": [ + "U.S. satellite and aerospace sector" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector", + "Government" ] }, "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'", @@ -199,12 +235,24 @@ "Group 6", "UPS Team", "APT3", - "Buckeye" + "Buckeye", + "Boyusec" ], "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", - "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://www.cfr.org/interactive/cyber-operations/apt-3" + ], + "cfr-suspected-victims": [ + "United States", + "United Kingdom", + "Hong Kong" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector" ] }, "value": "UPS", 
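Review bot: `cfr-suspected-victims` in the Putter Panda hunk holds a sector description (`"U.S. satellite and aerospace sector"`), while the APT1 hunk before it and most later hunks hold country names, so the field no longer has one value type. The same mixing appears in the Flying Kitten (`"Iranian internet activists"`), Cutting Kitten (bank names), Charming Kitten (`"U.S. government/defense sector websites"`) and Lazarus Group (`"Bangladesh Bank"`, `"Sony Pictures Entertainment"`) hunks. Anyone joining this field against a country list for exposure reporting will silently lose those values. Either normalise to the country (`"United States"`) or state in the galaxy documentation that the field is free text copied from cfr.org.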
@@ -219,14 +267,28 @@ "Karba", "Luder", "Nemim", - "Tapaoux" + "Tapaoux", + "Pioneer" ], "refs": [ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", "https://securelist.com/blog/research/66779/the-darkhotel-apt/", "http://drops.wooyun.org/tips/11726", - "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/" + "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/", + "https://www.cfr.org/interactive/cyber-operations/darkhotel" + ], + "cfr-suspected-victims": [ + "Japan", + "Russia", + "Taiwan", + "South Korea", + "China" + ], + "cfr-suspected-state-sponsor": "Korea (Republic of)", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector" ] }, "value": "DarkHotel", @@ -249,7 +311,18 @@ ], "country": "CN", "refs": [ - "http://www.crowdstrike.com/blog/whois-numbered-panda/" + "http://www.crowdstrike.com/blog/whois-numbered-panda/", + "https://www.cfr.org/interactive/cyber-operations/apt-12" + ], + "cfr-suspected-victims": [ + "Taiwan", + "Japan" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "China", + "cfr-target-category": [ + "Private sector", + "Government" ] }, "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", @@ -260,7 +333,17 @@ "meta": { "country": "CN", "refs": [ - "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" + "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html", + "https://www.cfr.org/interactive/cyber-operations/apt-16" + ], + "cfr-suspected-victims": [ + "Japan", + "Taiwan" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector" ] }, "value": "APT 16", 
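Review bot: In the APT 12 hunk (the one that adds the `cyber-operations/apt-12` reference), `"cfr-type-of-incident": "China"` repeats the sponsor value instead of naming an incident type. Every other entry in this commit uses a type such as `"Espionage"` or `"Denial of service"`, so this looks like a copy error. Presumably it should read `"cfr-type-of-incident": "Espionage"`, to be confirmed against the cfr.org page. As written, a filter on incident type will never return this actor.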
@@ -279,7 +362,18 @@ "country": "CN", "refs": [ "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf" + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf", + "https://www.cfr.org/interactive/cyber-operations/apt-17" + ], + "cfr-suspected-victims": [ + "United States" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Private sector", + "Civil society" ] }, "value": "Aurora Panda", @@ -353,7 +447,27 @@ "refs": [ "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", "http://williamshowalter.com/a-universal-windows-bootkit/", - "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp" + "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp", + "https://www.cfr.org/interactive/cyber-operations/axiom" + ], + "cfr-suspected-victims": [ + "United States", + "Netherlands", + "Italy", + "Japan", + "United Kingdom", + "Belgium", + "Russia", + "Indonesia", + "Germany", + "Switzerland", + "China" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Private sector" ] }, "value": "Axiom", 
@@ -375,7 +489,17 @@ "country": "CN", "refs": [ "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf", + "https://www.cfr.org/interactive/cyber-operations/deep-panda" + ], + "cfr-suspected-victims": [ + "United States" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector", + "Military" ] }, "description": "Adversary group targeting financial, technology, non-profit organisations.", @@ -390,12 +514,36 @@ "APT30", "Override Panda", "Camerashy", - "APT.Naikon" + "APT.Naikon", + "Lotus Panda" ], "country": "CN", "refs": [ "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" + "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html", + "https://www.cfr.org/interactive/cyber-operations/apt-30" + ], + "cfr-suspected-victims": [ + "India", + "Saudi Arabia", + "Vietnam", + "Myanmar", + "Singapore", + "Thailand", + "Malaysia", + "Cambodia", + "China", + "Phillipines", + "South Korea", + "United States", + "Indonesia", + "Laos" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Private sector" ] }, "value": "Naikon", 
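Review bot: `"Phillipines"` in the Naikon victim list is misspelled; the Lotus Blossom and Hellsing hunks spell it `"Philippines"`, so exact-match lookups by victim country will miss Naikon. The NetTraveler hunk has the same kind of slip with `"Tajikstan"`, which the Turla hunk spells `"Tajikistan"`. Both should be corrected to the spelling used elsewhere in the file. Separately, the new synonym `"Lotus Panda"` is added to Naikon while a distinct cluster named Lotus Blossom follows; it may be worth confirming that the alias belongs here rather than there.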
@@ -406,12 +554,28 @@ "meta": { "synonyms": [ "Spring Dragon", - "ST Group" + "ST Group", + "Eslie" ], "country": "CN", "refs": [ "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", - "https://securelist.com/spring-dragon-updated-activity/79067/" + "https://securelist.com/spring-dragon-updated-activity/79067/", + "https://www.cfr.org/interactive/cyber-operations/lotus-blossom" + ], + "cfr-suspected-victims": [ + "Japan", + "Philippines", + "Hong Kong", + "Indonesia", + "Taiwan", + "Vietnam" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Military", + "Government" ] }, "value": "Lotus Blossom", @@ -496,17 +660,43 @@ "synonyms": [ "APT10", "APT 10", - "menuPass", + "MenuPass", "happyyongzi", "POTASSIUM", "DustStorm", "Red Apollo", "CVNX", - "HOGFISH" + "HOGFISH", + "Cloud Hopper", + "Stone Panda" ], "country": "CN", "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://www.cfr.org/interactive/cyber-operations/apt-10" + ], + "cfr-suspected-victims": [ + "Japan", + "India", + "South Africa", + "South Korea", + "Sweden", + "United States", + "Canada", + "Australia", + "France", + "Finland", + "United Kingdom", + "Brazil", + "Thailand", + "Switzerland", + "Norway" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector", + "Government" ] }, "value": "Stone Panda", 
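Review bot: The added synonym `"Eslie"` in the Lotus Blossom hunk looks like a transposition of `"Elise"`; please check it against the cfr.org page cited in the same hunk. A misspelled alias is worse than a missing one here, because an analyst searching the cluster by the correct name gets no hit and may conclude the actor is not covered.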
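Review bot: Replacing `"menuPass"` with `"MenuPass"` in the Stone Panda hunk changes an existing alias rather than adding one, so any rule, tag or saved search keyed on the old spelling stops resolving if the consumer compares case-sensitively. Keeping `"menuPass"` and adding `"MenuPass"` as a further entry preserves both. The new `"Stone Panda"` synonym also duplicates the cluster's own `value` and can be dropped.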
@@ -536,10 +726,24 @@ ], "country": "CN", "refs": [ - "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/" + "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/", + "https://www.cfr.org/interactive/cyber-operations/hellsing" + ], + "cfr-suspected-victims": [ + "Malaysia", + "Indonesia", + "Philippines", + "United States", + "India" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government" ] }, "value": "Hellsing", + "description": "This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage", "uuid": "af482dde-9e47-48d5-9cb2-cf8f6d6303d3" }, { @@ -586,9 +790,23 @@ "ALUMINUM" ], "refs": [ - "http://www.crowdstrike.com/blog/whois-anchor-panda/" + "http://www.crowdstrike.com/blog/whois-anchor-panda/", + "https://www.cfr.org/interactive/cyber-operations/anchor-panda" ], - "motive": "Espionage" + "motive": "Espionage", + "cfr-suspected-victims": [ + "United States", + "United Kingdom", + "Germany", + "Australia", + "Sweden" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Military" + ] }, "value": "Anchor Panda", "description": "PLA Navy", 
@@ -601,7 +819,31 @@ "APT 21" ], "refs": [ - "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/" + "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/", + "https://www.cfr.org/interactive/cyber-operations/nettraveler" + ], + "cfr-suspected-victims": [ + "Mongolia", + "Kazakhstan", + "Tajikstan", + "Germany", + "United Kingdom", + "India", + "Kyrgyzstan", + "South Korea", + "United States", + "Chile", + "Russia", + "China", + "Spain", + "Canada", + "Morocco" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Military" ] }, "value": "NetTraveler", @@ -616,11 +858,25 @@ "country": "CN", "refs": [ "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/", - "https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/" + "https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/", + "https://www.cfr.org/interactive/cyber-operations/icefog" + ], + "cfr-suspected-victims": [ + "South Korea", + "United States", + "Japan", + "Germany", + "China" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Military" ] }, "value": "Ice Fog", - "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well.", + "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.", "uuid": "32c534b9-abec-4823-b223-a810f897b47b" }, { 
@@ -652,6 +908,27 @@ "country": "CN", "synonyms": [ "Sneaky Panda" + ], + "cfr-suspected-victims": [ + "United States", + "Canada", + "United Kingdom", + "Switzerland", + "Hong Kong", + "Australia", + "India", + "Taiwan", + "China", + "Denmark" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector", + "Civil society" + ], + "refs": [ + "https://www.cfr.org/interactive/cyber-operations/sneaky-panda" ] }, "value": "Beijing Group", @@ -742,10 +1019,22 @@ "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", - "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://www.cfr.org/interactive/cyber-operations/admin338" + ], + "cfr-suspected-victims": [ + "Hong Kong", + "United States" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Private sector", + "Civil society" ] }, - "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.", + "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.", "value": "Temper Panda", "uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b" }, 
@@ -772,11 +1061,23 @@ "Saffron Rose", "AjaxSecurityTeam", "Ajax Security Team", - "Group 26" + "Group 26", + "Sayad" ], "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf", - "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" + "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/", + "https://www.cfr.org/interactive/cyber-operations/saffron-rose" + ], + "cfr-suspected-victims": [ + "United States", + "Iranian internet activists" + ], + "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Military", + "Civil society" ] }, "value": "Flying Kitten", 
@@ -793,10 +1094,27 @@ "Ghambar" ], "refs": [ - "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", + "https://www.cfr.org/interactive/cyber-operations/itsecteam" + ], + "cfr-suspected-victims": [ + "Bank of America", + "US Bancorp", + "Fifth Third Bank", + "Citigroup", + "PNC", + "BB&T", + "Wells Fargo", + "Capital One", + "HSBC" + ], + "cfr-suspected-state-sponsor": " Iran (Islamic Republic of)", + "cfr-type-of-incident": "Denial of service", + "cfr-target-category": [ + "Private sector" ] }, - "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", + "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. 
Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889. One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016. ", "value": "Cutting Kitten", "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e" }, @@ -819,7 +1137,21 @@ "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf", "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/", "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf", - "https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks" + "https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks", + "https://www.cfr.org/interactive/cyber-operations/newscaster" + ], + "cfr-suspected-victims": [ + "U.S. government/defense sector websites", + "Saudi Arabia", + "Israel", + "Iraq", + "United Kingdom" + ], + "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Military" ] }, "value": "Charming Kitten", 
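Review bot: `"cfr-suspected-state-sponsor": " Iran (Islamic Republic of)"` in the Cutting Kitten hunk starts with a space, so it does not equal the `"Iran (Islamic Republic of)"` value used by the Flying Kitten, Charming Kitten, Rocket Kitten and Cleaver hunks, and the actor falls out of any group-by on sponsor. The Lazarus Group hunk has the same defect in `" Government"` under `cfr-target-category`. Both strings should lose the leading space. The text appended to this description also reads "against U.S in 2012–2013" and "believed to be have been", and ends in a trailing space, as does the new Stealth Falcon description.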
@@ -869,7 +1201,31 @@ "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", - "https://en.wikipedia.org/wiki/Rocket_Kitten" + "https://en.wikipedia.org/wiki/Rocket_Kitten", + "https://www.cfr.org/interactive/cyber-operations/rocket-kitten" + ], + "cfr-suspected-victims": [ + "Saudi Arabia", + "Venezuela", + "Afghanistan", + "United Arab Emirates", + "Iran", + "Israel", + "Iraq", + "Kuwait", + "Turkey", + "Canada", + "Yemen", + "United Kingdom", + "Egypt", + "Syria", + "Jordan" + ], + "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Military" ] }, "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.", 
@@ -887,12 +1243,37 @@ "TG-2889", "Cobalt Gypsy", "Ghambar", - "Cutting Kitten" + "Cutting Kitten", + "Group 41" ], "refs": [ "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf", "https://www.secureworks.com/research/the-curious-case-of-mia-ash", - "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", + "https://www.cfr.org/interactive/cyber-operations/operation-cleaver" + ], + "cfr-suspected-victims": [ + "Canada", + "France", + "Israel", + "Mexico", + "Saudi Arabia", + "China", + "Germany", + "United States", + "Pakistan", + "South Korea", + "United Kingdom", + "India", + "Kuwait", + "Qatar", + "Turkey" + ], + "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector", + "Government" ] }, "value": "Cleaver", 
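Review bot: The Cleaver hunk attaches the cfr.org `operation-cleaver` data to a cluster whose synonyms include `"Cutting Kitten"`, `"TG-2889"` and `"Ghambar"`, while the separate Cutting Kitten cluster earlier in this commit receives the `itsecteam` data with a different incident type and victim list. A lookup on those aliases now resolves to two clusters carrying contradictory CFR metadata (`"Denial of service"` against named banks versus `"Espionage"` against fifteen countries). It would help to decide which cluster owns the aliases before adding CFR fields to both. The synonym list starts above this hunk, so the full overlap is not visible here.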
@@ -1018,11 +1399,35 @@ "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", - "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" + "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", + "https://www.cfr.org/interactive/cyber-operations/dukes" + ], + "cfr-suspected-victims": [ + "United States", + "China", + "New Zealand", + "Ukraine", + "Romania", + "Georgia", + "Japan", + "South Korea", + "Belgium", + "Kazakhstan", + "Brazil", + "Mexico", + "Turkey", + "Portugal", + "India" + ], + "cfr-suspected-state-sponsor": "Russian Federation", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Private sector" ] }, "value": "APT 29", - "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. 
The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering '", + "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. 
In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '", "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a" }, { 
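Review bot: The three sentences appended to the APT 29 description sit before the closing `'`, so the CFR-derived text about the 2015 compromise of White House, Department of State and Pentagon networks now reads as part of the F-Secure quotation. Close the quote after `long - term intelligence gathering.` and start the CFR summary outside it, so readers can tell which source made which attribution claim. The new ending `(aka Hammertoss). '` also leaves a stray space before the quote mark.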
@@ -1050,9 +1455,33 @@ "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", "https://securelist.com/blog/research/67962/the-penquin-turla-2/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", - "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://www.cfr.org/interactive/cyber-operations/turla" ], - "country": "RU" + "country": "RU", + "cfr-suspected-victims": [ + "France", + "Romania", + "Kazakhstan", + "Poland", + "Tajikistan", + "Russia", + "United States", + "Saudi Arabia", + "Germany", + "India", + "Belarus", + "Netherlands", + "Iran", + "Uzbekistan", + "Iraq" + ], + "cfr-suspected-state-sponsor": "Russian Federation", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Military" + ] }, "value": "Turla Group", "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. 
The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", @@ -1073,7 +1502,26 @@ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", - "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/" + "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/", + "https://www.cfr.org/interactive/cyber-operations/crouching-yeti" + ], + "cfr-suspected-victims": [ + "United States", + "Germany", + "Turkey", + "China", + "Spain", + "France", + "Ireland", + "Japan", + "Italy", + "Poland" + ], + "cfr-suspected-state-sponsor": "Russian Federation", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector", + "Government" ] }, "description": "A Russian group that collects intelligence on the energy industry.", 
@@ -1096,10 +1544,31 @@ "http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-163A", - "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid" + "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid", + "https://www.cfr.org/interactive/cyber-operations/black-energy" + ], + "cfr-suspected-victims": [ + "Russia", + "Lithuania", + "Kyrgyzstan", + "Israel", + "Ukraine", + "Belarus", + "Kazakhstan", + "Georgia", + "Poland", + "Azerbaijan", + "Iran" + ], + "cfr-suspected-state-sponsor": "Russian Federation", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector", + "Government" ] }, "value": "Sandworm", + "description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage", "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35" }, { 
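Review bot: The new Sandworm description says the actor operates "for espionage, denial of service, and data destruction purposes", yet the hunk sets only `"cfr-type-of-incident": "Espionage"`. A defender filtering the galaxy for destructive or denial-of-service actors will therefore not see the one this entry ties to the Ukrainian grid outage. If the field can hold only one string, that limitation deserves a line in the galaxy documentation; otherwise an array, as used for `cfr-target-category`, would carry all three. The last two sentences of the description also state the same Georgia and Ukraine attribution twice, and the text lacks a closing full stop.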
@@ -1149,7 +1618,18 @@ ], "country": "RU", "refs": [ - "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/" + "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/", + "https://www.cfr.org/interactive/cyber-operations/team-spy-crew" + ], + "cfr-suspected-victims": [ + "Hungary", + "Belarus" + ], + "cfr-suspected-state-sponsor": "Russian Federation", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Private sector" ] }, "value": "TeamSpy Crew", @@ -1251,7 +1731,20 @@ "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://www.us-cert.gov/ncas/alerts/TA17-318A", "https://www.us-cert.gov/ncas/alerts/TA17-318B", - "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/" + "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/", + "https://www.cfr.org/interactive/cyber-operations/lazarus-group" + ], + "cfr-suspected-victims": [ + "South Korea", + "Bangladesh Bank", + "Sony Pictures Entertainment", + "United States" + ], + "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + " Government", + "Private sector" ] }, "value": "Lazarus Group", @@ -1298,6 +1791,7 @@ }, { "value": "SNOWGLOBE", + "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.", "meta": { "country": "FR", "refs": [ 
@@ -1305,13 +1799,36 @@
 "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france",
 "http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
 "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
- "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html"
+ "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html",
+ "https://www.cfr.org/interactive/cyber-operations/snowglobe"
 ],
 "synonyms": [
 "Animal Farm"
+ ],
+ "cfr-suspected-victims": [
+ "Syria",
+ "United States",
+ "Netherlands",
+ "Russia",
+ "Spain",
+ "Iran",
+ "China",
+ "Germany",
+ "Algeria",
+ "Norway",
+ "Malaysia",
+ "Turkey",
+ "United Kingdom",
+ "Ivory Coast",
+ "Greece"
+ ],
+ "cfr-suspected-state-sponsor": "France",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
- "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.",
 "uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab"
 },
 {
@@ -1346,15 +1863,25 @@
 {
 "meta": {
 "refs": [
- "https://citizenlab.org/2016/05/stealth-falcon/"
+ "https://citizenlab.org/2016/05/stealth-falcon/",
+ "https://www.cfr.org/interactive/cyber-operations/stealth-falcon"
 ],
 "synonyms": [
 "FruityArmor"
 ],
- "country": "AE"
+ "country": "AE",
+ "cfr-suspected-victims": [
+ "United Arab Emirates",
+ "United Kingdom"
+ ],
+ "cfr-suspected-state-sponsor": "United Arab Emirates",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Civil society"
+ ]
 },
 "value": "Stealth Falcon",
- "description": "Group targeting Emirati journalists, activists, and dissidents.",
+ "description": "This threat actor targets civil society groups and Emirati journalists, activists, and dissidents. ",
 "uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0"
 },
 {
@@ -1410,6 +1937,17 @@
 "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
 "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign",
 "https://www.cymmetria.com/patchwork-targeted-attack/"
+ ],
+ "cfr-suspected-victims": [
+ "Bangladesh",
+ "Sri Lanka",
+ "Pakistan"
+ ],
+ "cfr-suspected-state-sponsor": "India",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector",
+ "Military"
 ]
 },
 "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.",
@@ -1461,9 +1999,18 @@
 "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
 "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
 "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
- "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor"
+ "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor",
+ "https://www.cfr.org/interactive/cyber-operations/moafee"
 ],
- "country": "CN"
+ "country": "CN",
+ "cfr-suspected-victims": [
+ "United States"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector"
+ ]
 },
 "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.",
 "value": "DragonOK",
@@ -1477,9 +2024,21 @@
 ],
 "refs": [
 "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
- "https://attack.mitre.org"
+ "https://attack.mitre.org",
+ "https://www.cfr.org/interactive/cyber-operations/emissary-panda"
 ],
- "country": "CN"
+ "country": "CN",
+ "cfr-suspected-victims": [
+ "United States",
+ "United Kingdom",
+ "France"
+ ],
+ "cfr-suspected-state-sponsor": " China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
 },
 "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.",
 "value": "Threat Group-3390",
@@ -1489,10 +2048,26 @@
 "meta": {
 "synonyms": [
 "Strider",
- "Sauron"
+ "Sauron",
+ "Project Sauron"
 ],
 "refs": [
- "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/"
+ "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/",
+ "https://www.cfr.org/interactive/cyber-operations/project-sauron"
+ ],
+ "cfr-suspected-victims": [
+ "Russia",
+ "Iran",
+ "Belgium",
+ "China",
+ "Sweden",
+ "Rwanda"
+ ],
+ "cfr-suspected-state-sponsor": "United States",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Military"
 ]
 },
 "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.",
@@ -1503,12 +2078,35 @@
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://attack.mitre.org/wiki/Group/G0013"
+ "https://attack.mitre.org/wiki/Group/G0013",
+ "https://www.cfr.org/interactive/cyber-operations/apt-30"
 ],
 "synonyms": [
 "APT30"
 ],
- "country": "CN"
+ "country": "CN",
+ "cfr-suspected-victims": [
+ "India",
+ "Saudi Arabia",
+ "Vietnam",
+ "Myanmar",
+ "Singapore",
+ "Thailand",
+ "Malaysia",
+ "Cambodia",
+ "China",
+ "Phillipines",
+ "South Korea",
+ "United States",
+ "Indonesia",
+ "Laos"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
 },
 "value": "APT 30",
 "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.",
@@ -1590,12 +2188,30 @@
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/",
 "https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/",
 "https://pan-unit42.github.io/playbook_viewer/",
- "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json"
+ "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json",
+ "https://www.cfr.org/interactive/cyber-operations/oilrig"
 ],
 "country": "IR",
 "synonyms": [
 "Twisted Kitten",
- "Cobalt Gypsy"
+ "Cobalt Gypsy",
+ "Crambus"
+ ],
+ "cfr-suspected-victims": [
+ "Israel",
+ "Kuwait",
+ "United States",
+ "Turkey",
+ "Saudi Arabia",
+ "Qatar",
+ "Lebanon"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector",
+ "Civil society"
 ]
 },
 "value": "OilRig",
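Review bot: `"Phillipines"` in the APT 30 victim list is misspelled, and the same country appears as `"Philippines"` in the APT32 hunk and as `"The Philippines"` in the Leviathan hunk, so the three entries will not correlate on victim country. The same drift shows in `"Russia"` against `"Russian Federation"` and in `"South Korea"` against `"Korea (Republic of)"` (both forms occur in the Tick hunk's victim list and elsewhere in this commit). Pick one spelling per country, for example the long form already used in `cfr-suspected-state-sponsor`, and apply it throughout; in this hunk the line should at least read `"Philippines",`.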
@@ -1771,12 +2387,36 @@
 "meta": {
 "country": "US",
 "refs": [
- "https://en.wikipedia.org/wiki/Equation_Group"
+ "https://en.wikipedia.org/wiki/Equation_Group",
+ "https://www.cfr.org/interactive/cyber-operations/equation-group"
 ],
 "synonyms": [
 "Tilded Team",
 "Lamberts",
 "EQGRP"
+ ],
+ "cfr-suspected-victims": [
+ "Iran",
+ "Afghanistan",
+ "Syria",
+ "Yemen",
+ "Kenya",
+ "Russia",
+ "India",
+ "Mali",
+ "Algeria",
+ "United Kingdom",
+ "Pakistan",
+ "China",
+ "Lebanon",
+ "United Arab Emirates",
+ "Libya"
+ ],
+ "cfr-suspected-state-sponsor": "United States",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Military"
 ]
 },
 "uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840"
@@ -1822,13 +2462,38 @@
 "meta": {
 "country": "IR",
 "synonyms": [
- "Operation Mermaid"
+ "Operation Mermaid",
+ "Prince of Persia"
 ],
 "refs": [
 "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf",
 "https://iranthreats.github.io/",
 "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
- "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/"
+ "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
+ "https://www.cfr.org/interactive/cyber-operations/prince-persia"
+ ],
+ "cfr-suspected-victims": [
+ "Israel",
+ "Iran",
+ "France",
+ "China",
+ "Sweden",
+ "United States",
+ "United Kingdom",
+ "Germany",
+ "Syria",
+ "Italy",
+ "Denmark",
+ "Canada",
+ "Russia",
+ "Saudi Arabia",
+ "Bahrain"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "Infy",
@@ -1851,11 +2516,22 @@
 "meta": {
 "country": "CN",
 "synonyms": [
- "Cloudy Omega"
+ "Cloudy Omega",
+ "Emdivi"
 ],
 "refs": [
 "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/",
- "http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets"
+ "http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets",
+ "https://www.cfr.org/interactive/cyber-operations/blue-termite"
+ ],
+ "cfr-suspected-victims": [
+ "Japan"
+ ],
+ "cfr-suspected-state-sponsor": "Unknown",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "Blue Termite",
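Review bot: `"cfr-suspected-state-sponsor": "Unknown"` is added to an entry whose existing `"country": "CN"` already attributes the actor, so the two fields a consumer may read for attribution now disagree; the OnionDog hunk does the same next to `"country": "KP"`. An analyst pivoting on one field gets a different answer from one pivoting on the other. Either reconcile the values before merging, or state in the cluster's documentation that `country` is the galaxy's own assessment while the `cfr-*` keys mirror the CFR page unchanged.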
@@ -1877,12 +2553,26 @@ "meta": { "refs": [ "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", - "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/" + "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/", + "https://www.cfr.org/interactive/cyber-operations/longhorn" ], - "country": "US" + "country": "US", + "synonyms": [ + "Lamberts", + "the Lamberts" + ], + "cfr-suspected-victims": [ + "Global" + ], + "cfr-suspected-state-sponsor": "United States", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector", + "Government" + ] }, "value": "Longhorn", - "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.", + "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. 
Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to cfr, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by Wikileaks under the name \"Vault 7.\"", "uuid": "2f3311cd-8476-4be7-9005-ead920afc781" }, { @@ -1911,7 +2601,23 @@ "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/", "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/", "https://www.brighttalk.com/webcast/10703/261205", - "https://github.com/eset/malware-research/tree/master/oceanlotus" + "https://github.com/eset/malware-research/tree/master/oceanlotus", + "https://www.cfr.org/interactive/cyber-operations/ocean-lotus" + ], + "cfr-suspected-victims": [ + "China", + "Germany", + "United States", + "Vietnam", + "Philippines", + "Association of Southeast Asian Nations" + ], + "cfr-suspected-state-sponsor": "Vietnam", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Government", + "Private sector", + "Civil society" ] }, "value": "APT32", 
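Review bot: The Longhorn hunk adds `"Lamberts"` as a synonym, but the Equation Group entry already lists `"Lamberts"` among its synonyms (visible as context in that hunk), so a lookup by that name now resolves to two different clusters. The hunk also adds `"the Lamberts"`, which differs only by the article. Decide which cluster owns the name and drop it from the other, or say in both descriptions that the name is shared, so that sightings tagged with it are not silently attributed to the wrong actor.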
@@ -1999,7 +2705,34 @@
 "meta": {
 "refs": [
 "https://securelist.com/blog/research/66108/el-machete/",
- "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html"
+ "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
+ "https://www.cfr.org/interactive/cyber-operations/machete"
+ ],
+ "synonyms": [
+ "Machete"
+ ],
+ "cfr-suspected-victims": [
+ "Venezuela",
+ "Russia",
+ "Cuba",
+ "China",
+ "Belgium",
+ "Ecuador",
+ "Brazil",
+ "Spain",
+ "Germany",
+ "France",
+ "Colombia",
+ "Peru",
+ "Sweden",
+ "United States",
+ "Malaysia"
+ ],
+ "cfr-suspected-state-sponsor": "Unknown",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Military",
+ "Government"
 ]
 },
 "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3"
@@ -2083,17 +2816,31 @@
 {
 "meta": {
 "synonyms": [
- "Bronze Butler"
+ "Bronze Butler",
+ "RedBaldKnight"
 ],
 "country": "CN",
 "refs": [
 "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
 "https://www.secureworks.jp/resources/rp-bronze-butler",
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
- "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html"
+ "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html",
+ "https://www.cfr.org/interactive/cyber-operations/bronze-butler"
+ ],
+ "cfr-suspected-victims": [
+ "Japan",
+ "China",
+ "Korea (Republic of)",
+ "Russian Federation"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector"
 ]
 },
 "value": "Tick",
+ "description": "This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes.",
 "uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8"
 },
 {
@@ -2165,7 +2912,23 @@
 "country": "CN",
 "refs": [
 "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
- "https://www.threatconnect.com/china-superman-apt/"
+ "https://www.threatconnect.com/china-superman-apt/",
+ "https://www.cfr.org/interactive/cyber-operations/mofang"
+ ],
+ "cfr-suspected-victims": [
+ "Myanmar",
+ "Germany",
+ "Singapore",
+ "Canada",
+ "India",
+ "United States",
+ "South Korea"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "Mofang",
@@ -2181,7 +2944,22 @@
 "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
 "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
 "http://www.clearskysec.com/copykitten-jpost/",
- "http://www.clearskysec.com/tulip/"
+ "http://www.clearskysec.com/tulip/",
+ "https://www.cfr.org/interactive/cyber-operations/copykittens"
+ ],
+ "cfr-suspected-victims": [
+ "Israel",
+ "Jordan",
+ "Saudi Arabia",
+ "Germany",
+ "United States"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector",
+ "Civil society"
 ]
 },
 "value": "CopyKittens",
@@ -2222,7 +3000,20 @@
 "country": "IR",
 "refs": [
 "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/",
- "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/"
+ "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/",
+ "https://www.cfr.org/interactive/cyber-operations/madi"
+ ],
+ "cfr-suspected-victims": [
+ "Iran",
+ "Pakistan",
+ "Israel",
+ "United States"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "Madi",
@@ -2257,12 +3048,28 @@
 {
 "meta": {
 "country": "KP",
+ "synonyms": [
+ "Kimsuky"
+ ],
 "refs": [
- "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/"
+ "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/",
+ "https://www.cfr.org/interactive/cyber-operations/kimsuky"
+ ],
+ "cfr-suspected-victims": [
+ "Ministry of Unification",
+ "Sejong Institute",
+ "Korea Institute for Defense Analyses"
+ ],
+ "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "Kimsuki",
- "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3"
+ "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+ "description": "This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes."
 },
 {
 "value": "Snake Wine",
@@ -2275,12 +3082,38 @@
 },
 {
 "value": "Careto",
+ "description": "This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.",
 "meta": {
 "refs": [
- "https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/"
+ "https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/",
+ "https://www.cfr.org/interactive/cyber-operations/careto"
 ],
 "synonyms": [
- "The Mask"
+ "The Mask",
+ "Mask",
+ "Ugly Face"
+ ],
+ "cfr-suspected-victims": [
+ "Morocco",
+ "France",
+ "Libya",
+ "Venezuela",
+ "Poland",
+ "Brazil",
+ "Spain",
+ "United States",
+ "South Africa",
+ "Tunisia",
+ "United Kingdom",
+ "Switzerland",
+ "Iran",
+ "Germany"
+ ],
+ "cfr-suspected-state-sponsor": "Spain",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "uuid": "069ba781-b2d9-4403-9d9d-c599f5e0181d"
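Review bot: In the Kimsuki hunk `cfr-suspected-victims` holds organisation names (`"Ministry of Unification"`, `"Sejong Institute"`, `"Korea Institute for Defense Analyses"`), whereas most entries in this commit list countries. The Lazarus Group hunk mixes both kinds in one array, and the Longhorn and APT34 hunks use `"Global"` and `"Middle East"`. A consumer cannot tell which kind of value it is reading, so victim-country matching will give uneven results across actors. Either document that the field is free text copied from the CFR page, or keep countries here and move organisations and regions to the description.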
@@ -2299,10 +3132,21 @@
 "meta": {
 "country": "KP",
 "refs": [
- "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml"
+ "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml",
+ "https://www.cfr.org/interactive/cyber-operations/onion-dog"
+ ],
+ "cfr-suspected-victims": [
+ "South Korea"
+ ],
+ "cfr-suspected-state-sponsor": "Unknown",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "OnionDog",
+ "description": "This threat actor targets the South Korean government, transportation, and energy sectors.",
 "uuid": "5898e11e-a023-464d-975c-b36fb1639e69"
 },
 {
@@ -2435,10 +3279,23 @@
 "country": "IL",
 "refs": [
 "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
- "https://archive.org/details/Stuxnet"
+ "https://archive.org/details/Stuxnet",
+ "https://www.cfr.org/interactive/cyber-operations/duqu",
+ "https://www.cfr.org/interactive/cyber-operations/duqu-20"
 ],
 "synonyms": [
 "Duqu Group"
+ ],
+ "cfr-suspected-victims": [
+ "Iran",
+ "Sudan"
+ ],
+ "cfr-suspected-state-sponsor": "Israel",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Military",
+ "Government",
+ "Private sector"
 ]
 },
 "uuid": "e9a6cbd7-ca27-4894-ae20-9d11c06fdc02"
@@ -2446,12 +3303,25 @@
 {
 "meta": {
 "refs": [
- "https://securelist.com/introducing-whitebear/81638/"
+ "https://securelist.com/introducing-whitebear/81638/",
+ "https://www.cfr.org/interactive/cyber-operations/whitebears"
 ],
 "synonyms": [
 "Skipper Turla"
 ],
- "country": "RU"
+ "country": "RU",
+ "cfr-suspected-victims": [
+ "United States",
+ "South Korea",
+ "United Kingdom",
+ "Uzbekistan"
+ ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
 },
 "value": "White Bear",
 "uuid": "dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6"
@@ -2479,7 +3349,21 @@
 {
 "meta": {
 "refs": [
- "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
+ "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments",
+ "https://www.cfr.org/interactive/cyber-operations/sowbug"
+ ],
+ "cfr-suspected-victims": [
+ "Argentina",
+ "Ecuador",
+ "Brazil",
+ "Brunei",
+ "Peru",
+ "Malaysia"
+ ],
+ "cfr-suspected-state-sponsor": "Unknown",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government"
 ]
 },
 "description": "Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ",
@@ -2489,7 +3373,27 @@
 {
 "meta": {
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
+ "https://www.cfr.org/interactive/cyber-operations/muddywater"
+ ],
+ "synonyms": [
+ "TEMP.Zagros"
+ ],
+ "cfr-suspected-victims": [
+ "Saudi Arabia",
+ "Georgia",
+ "Turkey",
+ "Iraq",
+ "Israel",
+ "India",
+ "United Arab Emirates",
+ "Pakistan",
+ "United States"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government"
 ]
 },
 "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.",
@@ -2578,12 +3482,25 @@
 "meta": {
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://www.cfr.org/interactive/cyber-operations/leviathan"
 ],
 "synonyms": [
 "TEMP.Periscope"
 ],
- "country": "CN"
+ "country": "CN",
+ "cfr-suspected-victims": [
+ "United States",
+ "Hong Kong",
+ "The Philippines",
+ "Asia Pacific Economic Cooperation"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
 },
 "uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9"
 },
@@ -2594,12 +3511,22 @@
 "refs": [
 "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
 "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ ",
- "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
+ "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
+ "https://www.cfr.org/interactive/cyber-operations/apt-34"
 ],
 "synonyms": [
 "APT 34"
 ],
- "country": "IR"
+ "country": "IR",
+ "cfr-suspected-victims": [
+ "Middle East"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
 },
 "uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda"
 },
@@ -2719,7 +3646,8 @@
 "meta": {
 "refs": [
 "https://dragos.com/adversaries.html",
- "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://www.cfr.org/interactive/cyber-operations/apt-33"
 ],
 "mode-of-operation": "IT network limited, information gathering against industrial orgs",
 "since": "2016",
@@ -2727,6 +3655,16 @@
 "victimology": "Petrochemical, Aerospace, Saudi Arabia",
 "synonyms": [
 "APT33"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "Saudi Arabia",
+ "South Korea"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector"
 ]
 },
 "uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2"
@@ -2825,5 +3763,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 45
+ "version": 46
 }