{ "version": 1, "uuid": "7cdff317-a673-4474-84ec-4f1754947823", "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "authors": [ "Alexandre Dulaunoy", "Florian Roth", "Thomas Schreck", "Timo Steffens", "Various" ], "type": "threat-actors", "name": "Threat actor", "values": [ { "value": "Comment Crew", "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", "refs": [ "https://en.wikipedia.org/wiki/PLA_Unit_61398", "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" ], "country": "CN", "synonyms": [ "Comment Panda", "PLA Unit 61398", "APT 1", "Advanced Persistent Threat 1", "Byzantine Candor", "Group 3", "TG-8223" ] }, { "value": "Stalker Panda", "country": "CN" }, { "synonyms": [ "Covert Grove" ], "refs": [ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf" ], "value": "Nitro", "country": "CN" }, { "synonyms": [ "C0d0so", "Sunshop Group" ], "refs": [ "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ], "value": "Codoso", "country": "CN" }, { "value": "Dust Storm", "refs": [ "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf" ] }, { "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ], "description": "Adversary targeting dissident groups in China and its surroundings.", "value": "Karma Panda", "country": "CN" }, { "value": "Keyhole Panda", "country": "CN" }, { "value": "Wet Panda", "country": "CN" }, { "description": "Adversary group targeting telecommunication and technology organizations.", "value": "Foxy Panda", "country": "CN" }, { "value": "Predator Panda", "country": "CN" }, { "value": "Union Panda", "country": "CN" }, { "value": "Spicy Panda", "country": "CN" }, { "value": "Eloquent Panda", "country": "CN" }, { "value": "Emissary Panda", "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", "refs": [ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" ], "country": "CN" }, { "value": "Dizzy Panda", "synonyms": [ "LadyBoyle" ] }, { "value": "Putter Panda", "description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. ", "refs": [ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" ], "country": "CN", "synonyms": [ "PLA Unit 61486", "APT 2", "Group 36", "APT-2", "MSUpdater", "4HCrew", "SULPHUR", "TG-6952" ] }, { "value": "UPS", "refs": [ "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], "country": "CN", "synonyms": [ "Gothic Panda", "TG-0110", "APT 3", "Group 6", "UPS Team", "APT3", "Buckeye" ] }, { "value": "darkhotel", "refs": [ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2" ], "synonyms": [ "DUBNIUM" ] }, { "value": "IXESHE", "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", "refs": [ "http://www.crowdstrike.com/blog/whois-numbered-panda/" ], "country": "CN", "synonyms": [ "Numbered Panda", "TG-2754", "BeeBus", "Group 22", "DynCalc", "Crimson Iron", "APT12", "APT 12" ] }, { "value": "APT 16", "refs": [ "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" ], "country": "CN" }, { "value": "Aurora Panda", "refs": [ "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" ], "country": "CN", "synonyms": [ "APT 17", "Deputy Dog", "Group 8", "APT17", "Hidden Lynx", "Tailgater Team" ] }, { "value": "Wekby", "refs": [ "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828" ], "country": "CN", "synonyms": [ "Dynamite Panda", "TG-0416", "APT 18", "SCANDIUM", "APT18" ] }, { "value": "Axiom", "refs": [ "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", "http://williamshowalter.com/a-universal-windows-bootkit/" ], "country": "CN", "synonyms": [ "Winnti Group", "Tailgater Team", "Group 72", "Group72", "Tailgater", "Ragebeast", "Blackfly" ] }, { "value": "Shell Crew", "refs": [ "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ], "country": "CN", "description": "Adversary group targeting financial, technology, non-profit organisations.", "synonyms": [ "Deep Panda", "WebMasters", "APT 19", "KungFu Kittens", "Black Vine", "Group 13", "PinkPanther", "Sh3llCr3w" ] }, { "value": "Naikon", "refs": [ "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" ], "country": "CN", "synonyms": [ "PLA Unit 78020", "APT 30", "Override Panda", "Camerashy", "APT.Naikon" ] }, { "value": "Lotus Blossom", "refs": [ "https://securelist.com/blog/research/70726/the-spring-dragon-apt/" ], "country": "CN", "synonyms": [ "Spring Dragon", "ST Group" ] }, { "value": "Lotus Panda", "country": "CN", "synonyms": [ "Elise" ] }, { "value": "Hurricane Panda", "refs": [ "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/" ], "country": "CN" }, { "value": "Emissary Panda", "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/" ], "country": "CN", "synonyms": [ "TG-3390", "APT 27", "TEMP.Hippo", "Group 35", "HIPPOTeam", "APT27" ] }, { "value": "Stone Panda", "country": "CN", "synonyms": [ "APT10", "APT 10", "menuPass", "happyyongzi", "POTASSIUM" ] }, { "value": "Nightshade Panda", "refs": [ "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/" ], "country": "CN", "synonyms": [ "APT 9", "Flowerlady/Flowershow", "Flowerlady", "Flowershow" ] }, { "value": "Hellsing", "refs": [ "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/" ], "country": "CN", "synonyms": [ "Goblin Panda", "Cycldek" ] }, { "value": "Night Dragon", "refs": [ "https://kc.mcafee.com/corporate/index?page=content&id=KB71150" ], "country": "CN" }, { "value": "Mirage", "refs": [ "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html" ], "country": "CN", "synonyms": [ "Vixen Panda", "Ke3Chang", "GREF", "Playful Dragon", "APT 15" ] }, { "value": "Anchor Panda", "refs": [ "http://www.crowdstrike.com/blog/whois-anchor-panda/" ], "synonyms": [ "APT14", "APT 14", "QAZTeam", "ALUMINUM" ], "country": "CN" }, { "value": "NetTraveler", "refs": [ "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/" ], "synonyms": [ "APT 21" ], "country": "CN" }, { "value": "Ice Fog", "refs": [ "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/" ], "country": "CN", "synomyns": [ "IceFog", "Dagger Panda" ] }, { "value": "Pitty Panda", "country": "CN", "synonyms": [ "PittyTiger", "MANGANESE" ] }, { "refs": [ "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" ], "value": "Roaming Tiger" }, { "value": "HiddenLynx", "refs": [ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf" ], "country": "CN" }, { "value": "Beijing Group", "synonyms": [ "Sneaky Panda" ], "country": "CN" }, { "value": "Radio Panda", "country": "CN" }, { "value": "Dagger Panda", "country": "CN" }, { "refs": [ "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/" ], "country": "CN", "value": "APT.3102" }, { "value": "Samurai Panda", "refs": [ "http://www.crowdstrike.com/blog/whois-samurai-panda/" ], "country": "CN", "synonyms": [ "PLA Navy", "APT4", "APT 4", "Getkys", "SykipotGroup", "Wkysol" ] }, { "value": "Impersonating Panda", "country": "CN" }, { "value": "Violin Panda", "synonyms": [ "APT20", "APT 20", "TH3Bug" ], "country": "CN" }, { "value": "Toxic Panda", "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ], "description": "A group targeting dissident groups in China and at the boundaries.", "country": "CN" }, { "value": "Temper Panda", "refs": [ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ], "country": "CN", "synonyms": [ "Admin338", "Team338", "MAGNESIUM", "admin@338" ], "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors." }, { "value": "Pirate Panda", "synonyms": [ "APT23", "KeyBoy" ], "country": "CN" }, { "value": "Flying Kitten", "synonyms": [ "SaffronRose", "Saffron Rose", "AjaxSecurityTeam", "Ajax Security Team", "Group 26" ], "country": "IR" }, { "value": "Cutting Kitten", "synonyms": [ "ITSecTeam", "Threat Group 2889", "TG-2889", "Ghambar" ], "country": "IR" }, { "value": "Charming Kitten", "synonyms": [ "Newscaster", "Parastoo", "Group 83" ], "country": "IR" }, { "value": "Magic Kitten", "description": "An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", "refs": [ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" ], "synonyms": [ "Group 42" ], "country": "IR" }, { "value": "Rocket Kitten", "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.", "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", "http://www.clearskysec.com/thamar-reservoir/", "https://citizenlab.org/2015/08/iran_two_factor_phishing/", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "country": "IR", "synonyms": [ "TEMP.Beanie", "Operation Woolen Goldfish", "Thamar Reservoir" ] }, { "value": "Cleaver", "refs": [ "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [ "Operation Cleaver" ], "country": "IR" }, { "value": "Sands Casino", "country": "IR" }, { "value": "Threat Group-2889", "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" ], "synonyms": [ "TG-2889" ], "country": "IR" }, { "value": "Rebel Jackal", "synonyms": [ "FallagaTeam" ], "country": "TN" }, { "value": "Viking Jackal", "synonyms": [ "Vikingdom" ], "country": "AE" }, { "value": "Sofacy", "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.", "refs": [ "https://en.wikipedia.org/wiki/Sofacy_Group" ], "country": "RU", "synonyms": [ "APT 28", "APT28", "Pawn Storm", "Fancy Bear", "Sednit", "TsarTeam", "TG-4127", "Group-4127", "STRONTIUM" ] }, { "value": "APT 29", "refs": [ "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/" ], "country": "RU", "synonyms": [ "Dukes", "Group 100", "Cozy Duke", "CozyDuke", "EuroAPT", "CozyBear", "CozyCar", "Cozer", "Office Monkeys", "OfficeMonkeys", "APT29", "Cozy Bear", "The Dukes", "Minidionis", "SeaDuke" ] }, { "value": "Turla Group", "country": "RU", "synonyms": [ "Turla", "Snake", "Venomous Bear", "Group 88", "Waterbug", "WRAITH", "Turla Team" ] }, { "value": "Energetic Bear", "description": "A Russian group that collects intelligence on the energy industry.", "refs": [ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" ], "country": "RU", "synonyms": [ "Dragonfly", "Crouching Yeti", "Group 24", "Havex", "CrouchingYeti", "Koala Team" ] }, { "value": "Sandworm", "refs": [ "http://www.isightpartners.com/2014/10/cve-2014-4114/" ], "country": "RU", "synonyms": [ "Sandworm Team", "Black Energy", "BlackEnergy", "Quedagh" ] }, { "value": "Anunak", "description": "Groups targeting financial organizations or people with significant financial assets.", "country": "RU", "synonyms": [ "Carbanak", "Carbon Spider" ] }, { "value": "TeamSpy Crew", "refs": [ "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/" ], "country": "RU", "synonyms": [ "TeamSpy", "Team Bear" ] }, { "value": "BuhTrap", "refs": [ "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/" ], "country": "RU" }, { "value": "Berserk Bear", "country": "RU" }, { "value": "Wolf Spider", "country": "RO" }, { "value": "Boulder Bear", "country": "RU" }, { "value": "Shark Spider", "country": "RU" }, { "description": "Adversary targeting manufacturing and industrial organizations.", "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ], "country": "RU", "value": "Union Spider" }, { "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ], "value": "Silent Chollima", "synonyms": [ "OperationTroy" ], "country": "KP" }, { "refs": [ "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/" ], "synonyms": [ "Operation DarkSeoul" ], "value": "Lazarus Group", "country": "KP" }, { "value": "Viceroy Tiger", "country": "IN", "synonyms": [ "Appin", "OperationHangover" ] }, { "value": "Pizzo Spider", "country": "US", "synonyms": [ "DD4BC", "Ambiorx" ] }, { "value": "Corsair Jackal", "country": "TN", "synonyms": [ "TunisianCyberArmy" ] }, { "synonyms": [ "Animal Farm" ], "value": "SNOWGLOBE", "country": "FR" }, { "value": "Deadeye Jackal", "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear", "refs": [ "https://en.wikipedia.org/wiki/Syrian_Electronic_Army" ], "country": "SY", "synonyms": [ "SyrianElectronicArmy", "SEA" ] }, { "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro.", "refs": [ "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf" ], "synonyms": [ "C-Major" ], "value": "Operation C-Major", "country": "PK" }, { "description": "Group targeting Emirati journalists, activists, and dissidents.", "value": "Stealth Falcon", "country": "UAE", "refs": [ "https://citizenlab.org/2016/05/stealth-falcon/" ] }, { "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.", "value": "ScarCruft", "refs": [ "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/" ], "synonyms": [ "Operation Daybreak", "Operation Erebus" ] }, { "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail.", "value": "Pacifier APT", "refs": [ "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" ] }, { "country": "CN", "value": "HummingBad", "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder", "refs": [ "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf" ] }, { "value": "Dropping Elephant", "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", "refs": [ "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" ], "synonyms": [ "Chinastrats", "Patchwork", "Monsoon" ] }, { "value": "Operation Transparent Tribe", "description" : "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.", "refs": [ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ] }, { "value": "Scarlet Mimic", "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.", "refs": ["https://attack.mitre.org/wiki/Groups", "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"], "country": "CN" }, { "value": "Poseidon Group", "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", "refs": ["https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/","https://attack.mitre.org/wiki/Groups"] }, { "value": "DragonOK", "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", "country": "CN", "refs": ["https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", "https://attack.mitre.org/wiki/Groups"], "synonyms": [ "Moafee" ] }, { "value": "Threat Group-3390", "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.", "country": "CN", "refs": ["http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", "https://attack.mitre.org"] }, { "value": "ProjectSauron", "synonyms": ["Strider", "Sauron"], "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.", "refs": ["https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/"] }, { "value": "APT30", "refs": ["https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"] }, { "value": "TA530", "refs": ["https://www.proofpoint.com/us/threat-insight/post/malicious-macros-add-to-sandbox-evasion-techniques-to-distribute-new-dridex"], "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns " }, { "value": "GCMAN", "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", "refs": ["https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"] }, { "value": "Suckfly", "description": "Suckfly is a China-based threat group that has been active since at least 2014", "refs": ["http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"] }, { "value": "FIN6", "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.", "refs": ["https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"] }, { "value": "Libyan Scorpions", "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.", "country": "LBY" }, { "value": "StrongPity", "refs": ["https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"] }, { "value": "TeamXRat", "refs": ["https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"], "synonyms": ["CorporacaoXRat","CorporationXRat"] }, { "value": "OilRig", "refs": ["http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"] }, { "value": "Volatile Cedar", "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", "refs": ["https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"] } ] }