{ "authors": [ "Alexandre Dulaunoy", "Florian Roth", "Thomas Schreck", "Timo Steffens", "Various" ], "category": "actor", "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. The threat-actor-classification meta key can be used to state whether an entry is understood as a threat actor, an operation, a campaign or an activity group.", "name": "Threat Actor", "source": "MISP Project", "type": "threat-actor", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", "values": [ { "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "Taiwan", "Israel", "Norway", "United Arab Emirates", "United Kingdom", "Singapore", "India", "Belgium", "South Africa", "Switzerland", "Canada", "France", "Luxembourg", "Japan" ], "cfr-target-category": [ "Private sector", "Government" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://en.wikipedia.org/wiki/PLA_Unit_61398", "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf", "https://www.cfr.org/interactive/cyber-operations/pla-unit-61398", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/", "https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf", 
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://attack.mitre.org/groups/G0006/", "https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf" ], "synonyms": [ "COMMENT PANDA", "PLA Unit 61398", "Comment Crew", "Byzantine Candor", "Group 3", "TG-8223", "Comment Group", "Brown Fox", "GIF89a", "ShadyRAT", "G0006" ] }, "related": [ { "dest-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be", "value": "APT1" }, { "description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf", "https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/" ], "synonyms": [ "Covert Grove" ] }, "uuid": "0b06fb39-ed3d-4868-ac42-12fff6df2c80", "value": "Nitro" }, { "description": "The threat actors behind Operation Dust Storm have been active since at least 2010 and have targeted organizations in Japan, South Korea, the US, Europe and other Asian countries.", "meta": { "refs": [ "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf", "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack", "https://attack.mitre.org/groups/G0031/" ], "synonyms": [ "G0031" ] }, "related": [ { "dest-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9e71024e-817f-45b0-92a0-d886c30bc929", "value": "Dust Storm" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ], "synonyms": [ "Red Chimera" ] }, "uuid": "ba8973b2-fd97-4aa7-9307-ea4838d96428", "value": "WET PANDA" }, { "description": "Adversary group targeting telecommunication and technology organizations.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf" ] }, "uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd", "value": "FOXY PANDA" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "uuid": "1969f622-d64a-4436-9a34-4c47fcb2535f", 
"value": "PREDATOR PANDA" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" ] }, "uuid": "7195b51f-500e-4034-a851-bf34a2728dc8", "value": "UNION PANDA" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "uuid": "4959652d-72fa-46e4-be20-4ec686409bfb", "value": "SPICY PANDA" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" ] }, "uuid": "432b0304-768f-4fb9-9762-e745ef524ec7", "value": "ELOQUENT PANDA" }, { "meta": { "synonyms": [ "LadyBoyle" ] }, "uuid": "8a8f39df-74b3-4946-ab64-f84968bababe", "value": "DIZZY PANDA" }, { "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "U.S. satellite and aerospace sector" ], "cfr-target-category": [ "Private sector", "Government" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", "https://www.cfr.org/interactive/cyber-operations/putter-panda", "https://attack.mitre.org/groups/G0024", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf" ], "synonyms": [ "PLA Unit 61486", "PUTTER PANDA", "MSUpdater", "4HCrew", "SULPHUR", "SearchFire", "TG-6952", "G0024" ] }, "related": [ { "dest-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "0ca45163-e223-4167-b1af-f088ed14a93d", "value": "APT2" }, { "description": "Symantec described UPS in a 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeye's focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "United Kingdom", "Hong Kong" ], "cfr-target-category": [ "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", "https://www.cfr.org/interactive/cyber-operations/apt-3", "https://www.secureworks.com/research/threat-profiles/bronze-mayfair", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf" ], "synonyms": [ "GOTHIC PANDA", "TG-0110", "Group 6", "UPS", "Buckeye", "Boyusec", "BORON", "BRONZE MAYFAIR", "Red Sylvan" ] }, "related": [ { "dest-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "d144c83e-2302-4947-9e24-856fbf7949ae", "value": "APT3" }, { "description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Korea (Republic of)", "cfr-suspected-victims": [ "Japan", "Russia", "Taiwan", "South Korea", "China" ], "cfr-target-category": [ "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "KR", "refs": [ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", "https://securelist.com/blog/research/66779/the-darkhotel-apt/", "https://securelist.com/the-darkhotel-apt/66779/", "https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726", "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/", "https://www.cfr.org/interactive/cyber-operations/darkhotel", "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians", "https://attack.mitre.org/groups/G0012/", "https://www.secureworks.com/research/threat-profiles/tungsten-bridge", "https://www.antiy.cn/research/notice&report/research_report/20200522.html" ], "synonyms": [ "DUBNIUM", "Fallout Team", "Karba", "Luder", "Nemim", "Nemin", "Tapaoux", "Pioneer", "Shadow Crane", "APT-C-06", "SIG25", "TUNGSTEN BRIDGE", "T-APT-02", "G0012", "ATK52" ] }, "related": [ { "dest-uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f52ab8b8-71f2-5a88-946f-853dc3441efe", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0a4ddab3-a1a6-5372-b11f-5edc25c0e548", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d", "value": 
"DarkHotel" }, { "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Taiwan", "Japan" ], "cfr-target-category": [ "Private sector", "Government" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "http://www.crowdstrike.com/blog/whois-numbered-panda/", "https://www.cfr.org/interactive/cyber-operations/apt-12", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html", "https://www.secureworks.com/research/threat-profiles/bronze-globe", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "NUMBERED PANDA", "TG-2754", "BeeBus", "Group 22", "DynCalc", "Calc Team", "DNSCalc", "Crimson Iron", "IXESHE", "BRONZE GLOBE" ] }, "related": [ { "dest-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "48146604-6693-4db1-bd94-159744726514", "value": "APT12" }, { "description": "Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the EPS dict copy use-after-free vulnerability (CVE-2015-2545) and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that FireEye refers to as IRONHALO, or a backdoor that FireEye refers to as ELMER.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Japan", "Taiwan" ], "cfr-target-category": [ "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html", "https://www.cfr.org/interactive/cyber-operations/apt-16", "https://attack.mitre.org/groups/G0023", "https://www.mandiant.com/resources/insights/apt-groups", "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" ], "synonyms": [ "SVCMONDR", "G0023" ] }, "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf", "value": "APT16" }, { "description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. 
government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "Netherlands", "Italy", "Japan", "United Kingdom", "Belgium", "Russia", "Indonesia", "Germany", "Switzerland", "China" ], "cfr-target-category": [ "Government", "Private sector", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf", "https://www.cfr.org/interactive/cyber-operations/apt-17", "https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/", "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", "https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire", "https://www.recordedfuture.com/hidden-lynx-analysis/", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://attack.mitre.org/groups/G0025/", "https://cfr.org/cyber-operations/axiom", "https://attack.mitre.org/groups/G0001/", "https://www.youtube.com/watch?v=NFJqD-LcpIg", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "Group 8", "AURORA PANDA", "Hidden Lynx", "Tailgater Team", "Dogfish", "BRONZE KEYSTONE", "G0025", "Group 72", "G0001", "Axiom", "HELIUM" ] }, "related": [ { "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "value": "APT17" }, { "description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam's Flash zero-day exploit.'", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States" ], "cfr-target-category": [ "Government", "Private sector", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828", "https://www.cfr.org/interactive/cyber-operations/apt-18", "https://attack.mitre.org/groups/G0026", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "DYNAMITE PANDA", "TG-0416", "SCANDIUM", "PLA Navy", "Wekby", "G0026" ] }, "related": [ { "dest-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c", "value": "APT18" }, { "description": "Adversary group targeting financial, technology and non-profit organisations.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States" ], "cfr-target-category": [ "Private sector", "Military" ], 
"cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf", "https://www.cfr.org/interactive/cyber-operations/deep-panda", "https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/", "https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/", "https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/", "https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/", "https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/", "https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/", "https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/", "https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/", "https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442", "https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html", "https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/", "https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/", "https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html", "https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/", "https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695", 
"https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf", "https://attack.mitre.org/groups/G0009/", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks", "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html", "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel", "https://www.youtube.com/watch?v=FC9ARZIZglI" ], "synonyms": [ "DEEP PANDA", "Codoso", "WebMasters", "KungFu Kittens", "Black Vine", "TEMP.Avengers", "Group 13", "PinkPanther", "Shell Crew", "BRONZE FIRESTONE", "G0009", "G0073", "Pupa", "Sunshop Group" ] }, "related": [ { "dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "fe8796a4-2a02-41a0-9d27-7aa1e995feb6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4", "value": "APT19" }, { "description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "India", "Saudi Arabia", "Vietnam", "Myanmar", "Singapore", "Thailand", "Malaysia", "Cambodia", "China", "Philippines", "South Korea", "United States", "Indonesia", "Laos" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf", "https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks", "https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/", "https://threatconnect.com/blog/tag/naikon/", "https://attack.mitre.org/groups/G0019/", "https://www.secureworks.com/research/threat-profiles/bronze-geneva", "https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d", "https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf" ], "synonyms": [ "PLA Unit 78020", "OVERRIDE PANDA", "Camerashy", "BRONZE GENEVA", "G0019", "Naikon", "BRONZE STERLING", "G0013" ] }, "related": [ { "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "value": "Naikon" }, { "description": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "South Korea", "Saudi Arabia", "Thailand", "Vietnam", "Malaysia", "India" ], "cfr-target-category": [ "Government" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://attack.mitre.org/wiki/Group/G0013", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "G0013" ] }, "related": [ { "dest-uuid": "b3c378fc-1ce3-5a46-a32e-f55a584c6536", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "d3881afe-f781-4c53-9f68-33487a119a59", "value": "APT30" }, { "description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Japan", "Philippines", "Hong Kong", "Indonesia", "Taiwan", "Vietnam" ], "cfr-target-category": [ "Military", "Government" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", "https://securelist.com/spring-dragon-updated-activity/79067/", "https://www.cfr.org/interactive/cyber-operations/lotus-blossom", "https://unit42.paloaltonetworks.com/operation-lotus-blossom/", "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf", "https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/", "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting", "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", 
"https://attack.mitre.org/groups/G0030/", "https://www.secureworks.com/research/threat-profiles/bronze-elgin", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" ], "synonyms": [ "Spring Dragon", "ST Group", "DRAGONFISH", "BRONZE ELGIN", "ATK1", "G0030", "Red Salamander", "Lotus BLossom" ] }, "related": [ { "dest-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d", "value": "LOTUS PANDA" }, { "description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/", "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/", "https://www.crowdstrike.com/blog/storm-chasing/" ] }, "uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb", "value": "HURRICANE PANDA" }, { "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "United States", "United Kingdom", "France", "Japan", "Taiwan", "India", "Canada", "China", "Thailand", "Israel", "Australia", "Republic of Korea", "Russia", "Iran", "Turkey" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf", "https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/", "https://www.cfr.org/interactive/cyber-operations/iron-tiger", 
"https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/", "https://www.secureworks.com/research/bronze-union", "http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "https://securelist.com/luckymouse-ndisproxy-driver/87914/", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf", "https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/", "https://securelist.com/luckymouse-hits-national-data-center/86083/", "https://attack.mitre.org/groups/G0027/", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://unit42.paloaltonetworks.com/atoms/iron-taurus/", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" ], "synonyms": [ "GreedyTaotie", "TG-3390", "EMISSARY PANDA", "TEMP.Hippo", "Red Phoenix", "Budworm", "Group 35", "ZipToken", "Iron Tiger", "BRONZE UNION", "Lucky Mouse", "G0027", "Iron Taurus", "Earth Smilodon" ] }, "related": [ { "dest-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32", "value": "APT27" }, { "description": "menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Japan", "India", "South Africa", "South Korea", "Sweden", "United States", "Canada", "Australia", "France", "Finland", "United Kingdom", "Brazil", "Thailand", "Switzerland", "Norway" ], "cfr-target-category": [ "Private sector", "Government" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "https://www.cfr.org/interactive/cyber-operations/apt-10", "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret", "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf", "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", "https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018", "https://attack.mitre.org/groups/G0045/", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://unit42.paloaltonetworks.com/atoms/granite-taurus", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf" ], "synonyms": [ "STONE PANDA", "Menupass Team", "happyyongzi", "POTASSIUM", "Red Apollo", "CVNX", "HOGFISH", "Cloud Hopper", "BRONZE RIVERSIDE", "ATK41", "G0045", "Granite Taurus" ] }, "related": [ { "dest-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c", "value": "APT10" }, { "description": "This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also appears to have targeted APT 30 itself. It possibly uses the same infrastructure as Mirage.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Malaysia", "Indonesia", "Philippines", "United States", "India" ], "cfr-target-category": [ "Government" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.cfr.org/interactive/cyber-operations/hellsing", "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/" ] }, "uuid": "af482dde-9e47-48d5-9cb2-cf8f6d6303d3", "value": "Hellsing" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://kc.mcafee.com/corporate/index?page=content&id=KB71150", "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", "https://attack.mitre.org/groups/G0014/" ], "synonyms": [ "G0014" ] }, "related": [ { "dest-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": 
"b3714d59-b61e-4713-903a-9b4f04ae7f3d", "value": "Night Dragon" }, { "description": "This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "European Union", "India", "United Kingdom" ], "cfr-target-category": [ "Government" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/", "https://github.com/nccgroup/Royal_APT", "https://www.cfr.org/interactive/cyber-operations/mirage", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/", "https://attack.mitre.org/groups/G0004/", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi" ], "synonyms": [ "VIXEN PANDA", "Ke3Chang", "Playful Dragon", "Metushy", "Lurid", "Social Network Team", "Royal APT", "BRONZE PALACE", "BRONZE DAVENPORT", "BRONZE IDLEWOOD", "NICKEL", "G0004", "Red Vulture" ] }, "related": [ { "dest-uuid": "66571167-13fe-5817-93e0-54ae8f206fdc", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", 
"value": "APT15" }, { "description": "PLA Navy\nAnchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. \nNot surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "United Kingdom", "Germany", "Australia", "Sweden" ], "cfr-target-category": [ "Government", "Military" ], "cfr-type-of-incident": "Espionage", "country": "CN", "motive": "Espionage", "refs": [ "http://www.crowdstrike.com/blog/whois-anchor-panda/", "https://www.cfr.org/interactive/cyber-operations/anchor-panda", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "ANCHOR PANDA", "QAZTeam", "ALUMINUM" ] }, "related": [ { "dest-uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "cb8c8253-4024-4cc9-8989-b4a5f95f6c2f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "32a67552-3b31-47bb-8098-078099bbc813", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": 
"uses" } ], "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104", "value": "APT14" }, { "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Mongolia", "Kazakhstan", "Tajikistan", "Germany", "United Kingdom", "India", "Kyrgyzstan", "South Korea", "United States", "Chile", "Russia", "China", "Spain", "Canada", "Morocco" ], "cfr-target-category": [ "Government", "Military" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/", "https://www.cfr.org/interactive/cyber-operations/nettraveler", "https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes", "https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary", "https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/", "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "HAMMER PANDA", "TEMP.Zhenbao", "NetTraveler" ] }, "uuid": "b80f4788-ccb2-466d-ae16-b397159d907e", "value": "APT21" }, { "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. 
This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "South Korea", "United States", "Japan", "Germany", "China" ], "cfr-target-category": [ "Government", "Military" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/", "https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/", "https://www.cfr.org/interactive/cyber-operations/icefog", "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf" ], "synonyms": [ "IceFog", "Trident", "RedFoxtrot", "Red Wendigo", "PLA Unit 69010" ] }, "uuid": "32c534b9-abec-4823-b223-a810f897b47b", "value": "DAGGER PANDA" }, { "description": "The Pitty Tiger group has been active since at least 2011. 
They have been seen using the Heartbleed vulnerability to obtain valid credentials directly", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2", "http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/", "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html", "https://attack.mitre.org/groups/G0011", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "PITTY PANDA", "G0011", "Temp.Pittytiger" ] }, "related": [ { "dest-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189", "value": "APT24" }, { "meta": { "refs": [ "https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/", "http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-woodland" ], "synonyms": [ "BRONZE WOODLAND", "Rotten Tomato" ] }, "uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d", "value": "Roaming Tiger" }, { "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "Canada", "United Kingdom", "Switzerland", "Hong Kong", "Australia", "India", "Taiwan", "China", "Denmark" ], "cfr-target-category": [ "Private sector", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.cfr.org/interactive/cyber-operations/sneaky-panda", 
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf", "https://attack.mitre.org/groups/G0066/" ], "synonyms": [ "SNEAKY PANDA", "Elderwood", "Elderwood Gang", "SIG22", "G0066" ] }, "related": [ { "dest-uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "da754aeb-a86d-4874-b388-d1d2028a56be", "value": "Beijing Group" }, { "meta": { "attribution-confidence": "50", "country": "CN", "synonyms": [ "Shrouded Crossbow" ] }, "uuid": "c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e", "value": "RADIO PANDA" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/" ] }, "uuid": "f33fd440-93ee-41e5-974a-be9343e18cdf", "value": "APT.3102" }, { "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "United Kingdom", "Hong Kong" ], "cfr-target-category": [ "Private sector", "Military" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "http://www.crowdstrike.com/blog/whois-samurai-panda/" ], "synonyms": [ "PLA Navy", "Wisp Team" ] }, "related": [ { "dest-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7", "value": "SAMURAI PANDA" }, { "meta": { "attribution-confidence": "50", "country": "CN" }, "uuid": "b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1", "value": "IMPERSONATING PANDA" }, { "description": "We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. 
Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.\nIn contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", "https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf", "https://unit42.paloaltonetworks.com/atoms/crawling-taurus/", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "VIOLIN PANDA", "TH3Bug", "Crawling Taurus" ] }, "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40", "value": "APT20" }, { "description": "A group targeting dissident groups in China and at the boundaries.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" ] }, "uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761", "value": "TOXIC PANDA" 
}, { "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets pro-democratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Hong Kong", "United States" ], "cfr-target-category": [ "Government", "Private sector", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "https://www.cfr.org/interactive/cyber-operations/admin338", "https://attack.mitre.org/groups/G0018/" ], "synonyms": [ "Admin338", "Team338", "MAGNESIUM", "admin@338", "G0018" ] }, "related": [ { "dest-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b", "value": "TEMPER PANDA" }, { "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign have set their sights on the Taiwanese government as well as a number of companies in the heavy industry. 
The same campaign has also targeted key Philippine military agencies.'", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/", "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", "https://blog.lookout.com/titan-mobile-threat", "https://attack.mitre.org/groups/G0081/", "https://www.secureworks.com/research/threat-profiles/bronze-hobart", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [ "PIRATE PANDA", "KeyBoy", "Tropic Trooper", "BRONZE HOBART", "G0081", "Red Orthrus" ] }, "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee", "value": "APT23" }, { "description": "Activity: targets the defense and aerospace sectors, and is also interested in targeting entities in the oil/gas industry.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "United States", "Iranian internet activists" ], "cfr-target-category": [ "Military", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf", 
"https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/", "https://www.cfr.org/interactive/cyber-operations/saffron-rose" ], "synonyms": [ "SaffronRose", "Saffron Rose", "AjaxSecurityTeam", "Ajax Security Team", "Group 26", "Sayad" ] }, "related": [ { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "similar" }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "value": "Flying Kitten" }, { "description": "One of the threat actors responsible for the denial of service attacks against the U.S. in 2012–2013. 
Three individuals associated with the group—believed to have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "United States", "Bank of America", "US Bancorp", "Fifth Third Bank", "Citigroup", "PNC", "BB&T", "Wells Fargo", "Capital One", "HSBC", "AT&T", "NYSE" ], "cfr-type-of-incident": [ "Denial of service" ], "country": "IR", "refs": [ "https://www.cfr.org/interactive/cyber-operations/itsecteam", "https://www.justice.gov/usao-sdny/file/835061/download" ], "synonyms": [ "ITsecTeam" ] }, "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "value": "Cutting Kitten" }, { "description": "Charming Kitten (aka Parastoo, aka Newscaster) is a group with a suspected nexus to Iran that targets organizations involved in the government, defense technology, military, and diplomacy sectors.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "U.S. 
government/defense sector websites", "Saudi Arabia", "Israel", "Iraq", "United Kingdom" ], "cfr-target-category": [ "Government", "Military" ], "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ "https://en.wikipedia.org/wiki/Operation_Newscaster", "https://iranthreats.github.io/resources/macdownloader-macos-malware/", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf", "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/", "https://cryptome.org/2012/11/parastoo-hacks-iaea.htm", "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf", "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/", "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf", "https://www.cfr.org/interactive/cyber-operations/newscaster", "https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/", "https://securelist.com/freezer-paper-around-free-meat/74503/", "https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/", "http://www.arabnews.com/node/1195681/media", "https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f", "https://blog.certfa.com/posts/the-return-of-the-charming-kitten/", "https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber", "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/", "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", "https://attack.mitre.org/groups/G0058/", 
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "Newscaster", "Parastoo", "iKittens", "Group 83", "NewsBeef", "G0058" ] }, "related": [ { "dest-uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "400cd1b8-52b7-5a5c-984f-9b4af35ea231", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "value": "Charming Kitten" }, { "description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since 
at least 2013. We assess APT33 works at the behest of the Iranian government.", "meta": { "attribution-confidence": "50", "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "United States", "Saudi Arabia", "South Korea" ], "cfr-target-category": [ "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "IR", "mode-of-operation": "IT network limited, information gathering against industrial orgs", "refs": [ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/", "https://www.brighttalk.com/webcast/10703/275683", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://attack.mitre.org/groups/G0064/", "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.cfr.org/interactive/cyber-operations/apt-33", "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", "https://dragos.com/adversaries.html" ], "synonyms": [ "APT 33", "Elfin", "MAGNALLIUM", "Refined Kitten", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35" ], "victimology": "Petrochemical, Aerospace, Saudi Arabia" }, "related": [ { "dest-uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4c0f085a-70b1-5ee6-a45a-dc368f03e701", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f6f8a49-8a22-4494-a4c0-5a341444339a", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" } ], "uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10", "value": "APT33" }, { "description": "Earliest activity dates back to November 2008. An established group of cyber attackers based in Iran who carried out several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting the Iranian political opposition.", "meta": { "attribution-confidence": "50", "country": "IR", "refs": [ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", "https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140" ], "synonyms": [ "Group 42", "VOYEUR" ] }, "uuid": "2e77511d-f72f-409e-9b64-e2a15efe9bf4", "value": "Magic Kitten" }, { "description": "Targets Saudi Arabia, Israel, the US, and Iran: high-ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "Saudi Arabia", "Venezuela", "Afghanistan", "United Arab Emirates", "Iran", "Israel", "Iraq", "Kuwait", "Turkey", "Canada", "Yemen", "United Kingdom", "Egypt", "Syria", "Jordan" ], "cfr-target-category": [ "Government", "Military" ], "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", "http://www.clearskysec.com/thamar-reservoir/", "https://citizenlab.ca/2015/08/iran_two_factor_phishing/", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", 
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://en.wikipedia.org/wiki/Rocket_Kitten", "https://www.cfr.org/interactive/cyber-operations/rocket-kitten" ], "synonyms": [ "TEMP.Beanie", "Operation Woolen Goldfish", "Operation Woolen-Goldfish", "Thamar Reservoir", "Timberworm" ] }, "related": [ { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "similar" }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f873db71-3d53-41d5-b141-530675ade27a", "value": "Rocket Kitten" }, { "description": "A 
group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "Canada", "France", "Israel", "Mexico", "Saudi Arabia", "China", "Germany", "United States", "Pakistan", "South Korea", "United Kingdom", "India", "Kuwait", "Qatar", "Turkey" ], "cfr-target-category": [ "Private sector", "Government" ], "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ "https://www.secureworks.com/research/the-curious-case-of-mia-ash", "https://www.cfr.org/interactive/cyber-operations/operation-cleaver", "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "https://attack.mitre.org/groups/G0003/", "https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/", "https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles", "https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten", "https://www.cfr.org/cyber-operations/operation-cleaver", 
"https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html", "https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf" ], "synonyms": [ "Operation Cleaver", "Op Cleaver", "Tarh Andishan", "Alibaba", "TG-2889", "Cobalt Gypsy", "G0003" ] }, "related": [ { "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b6260d6d-a2f7-5b79-8132-5c456a225f53", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "value": "Cleaver" }, { "meta": { "attribution-confidence": "50", "country": "IR" }, "uuid": "1de1a64e-ea14-4e79-9e41-6958bdb6c0ff", "value": "Sands Casino" }, { 
"description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.", "meta": { "attribution-confidence": "50", "country": "TN", "motive": "Hacktivists-Nationalists", "synonyms": [ "FallagaTeam" ] }, "uuid": "29af2812-f7fb-4edb-8cc4-86d0d9e3644b", "value": "Rebel Jackal" }, { "meta": { "attribution-confidence": "50", "country": "AE", "synonyms": [ "Vikingdom" ] }, "uuid": "7f99ba32-421c-4905-9deb-006e8eda40c1", "value": "Viking Jackal" }, { "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. 
It has been characterized as an advanced persistent threat.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", "cfr-suspected-victims": [ "Georgia", "France", "Jordan", "United States", "Hungary", "World Anti-Doping Agency", "Armenia", "Tajikistan", "Japan", "NATO", "Ukraine", "Belgium", "Pakistan", "Asia Pacific Economic Cooperation", "International Association of Athletics Federations", "Turkey", "Mongolia", "OSCE", "United Kingdom", "Germany", "Poland", "European Commission", "Afghanistan", "Kazakhstan", "China" ], "cfr-target-category": [ "Government", "Military" ], "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ "https://attack.mitre.org/groups/G0007/", "https://en.wikipedia.org/wiki/Fancy_Bear", "https://en.wikipedia.org/wiki/Sofacy_Group", "https://www.bbc.com/news/technology-37590375", "https://www.bbc.co.uk/news/technology-45257081", "https://www.cfr.org/interactive/cyber-operations/apt-28", "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f", "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630", "https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/", "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html", "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff", "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/", 
"https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny", "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/", "https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/", "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/", "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/", "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/", "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/", "https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament", "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/", "https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508", 
"https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/", "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf", "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN", "https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae", "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1", "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf", "https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/", "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/", "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/", "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag", "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/" ], "synonyms": [ "Pawn Storm", "FANCY BEAR", 
"Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Swallowtail", "IRON TWILIGHT", "Group 74", "SIG40", "Grizzly Steppe", "G0007", "ATK5", "Fighting Ursa", "ITG05", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0028", "FROZENLAKE", "Sofacy" ] }, "related": [ { "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8d84d7b0-7716-5ab3-a3a4-f373dd148347", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "value": "APT28" }, { "description": "A 2015 report by F-Secure describes APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. 
The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.' This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes' toolsets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss).
", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", "cfr-suspected-victims": [ "United States", "China", "New Zealand", "Ukraine", "Romania", "Georgia", "Japan", "South Korea", "Belgium", "Kazakhstan", "Brazil", "Mexico", "Turkey", "Portugal", "India" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", "https://www.cfr.org/interactive/cyber-operations/dukes", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", "https://www.secureworks.com/research/threat-profiles/iron-hemlock", "https://attack.mitre.org/groups/G0016", "https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf" ], "synonyms": [ "Group 100", "COZY BEAR", "The Dukes", "Minidionis", "SeaDuke", "YTTRIUM", "IRON HEMLOCK", "Grizzly Steppe", "G0016", "ATK7", "Cloaked Ursa", "TA421", "Blue Kitsune", "ITG11", "BlueBravo" ] }, "related": [ { "dest-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": 
"2d5072db-64e2-4d81-9b3a-3aa76cfa978b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "31982812-c8bf-5e85-b0ba-0c64a7d05d20", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", "value": "APT29" }, { "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much-documented 2008 attack on the US Central Command. 
The attackers, who continue to operate, have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took. Kaspersky Lab, however, picked up a number of the attackers' searches through their victims' emails, which included terms such as Nato and EU energy dialogue. Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantec's Gavin O'Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", "cfr-suspected-victims": [ "France", "Romania", "Kazakhstan", "Poland", "Tajikistan", "Russia", "United States", "Saudi Arabia", "Germany", "India", "Belarus", "Netherlands", "Iran", "Uzbekistan", "Iraq" ], "cfr-target-category": [ "Government", "Military" ], "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ "https://www.circl.lu/pub/tr-25/", "https://securelist.com/introducing-whitebear/81638/", "https://securelist.com/the-epic-turla-operation/65545/", "https://www.cfr.org/interactive/cyber-operations/turla", "https://www.nytimes.com/2010/08/26/technology/26cyber.html", "https://securelist.com/blog/research/67962/the-penquin-turla-2/", "https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/", "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/", "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", 
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", "https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec", "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html", "https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/", "https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit", "https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/", "https://attack.mitre.org/groups/G0010/", "https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag", 
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf" ], "synonyms": [ "Snake", "VENOMOUS Bear", "Group 88", "Waterbug", "WRAITH", "Uroburos", "Pfinet", "TAG_0530", "KRYPTON", "Hippo Team", "Pacifier APT", "Popeye", "SIG23", "IRON HUNTER", "MAKERSMARK", "ATK13", "G0010", "ITG12", "Blue Python", "SUMMIT", "UNC4210" ] }, "related": [ { "dest-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8d19da8a-d0fa-5194-ad6f-315cc4f36c8b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68", "value": "Turla" }, { "description": "A Russian group that collects intelligence on the energy industry.", "meta": { "attribution-confidence": "75", "cfr-suspected-state-sponsor": "Russian Federation", "cfr-suspected-victims": [ "United States", "Germany", "Turkey", "China", "Spain", "France", "Ireland", "Japan", "Italy", "Poland" ], "cfr-target-category": [ "Private sector", "Government" ], "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet", "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/", 
"https://www.cfr.org/interactive/cyber-operations/crouching-yeti", "https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA", "https://dragos.com/wp-content/uploads/CrashOverride-01.pdf", "https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html", "https://www.riskiq.com/blog/labs/energetic-bear/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat", "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672", "https://attack.mitre.org/groups/G0035/", "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", "https://dragos.com/adversaries.html", "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", "https://www.cfr.org/interactive/cyber-operations/dymalloy" ], "synonyms": [ "BERSERK BEAR", "ALLANITE", "CASTLE", "DYMALLOY", "TG-4192", "Dragonfly", "Crouching Yeti", "Group 24", "Havex", "Koala Team", "IRON LIBERTY", "G0035", "ATK6", "ITG15", "BROMINE", "Blue Kraken" ] }, "related": [ { "dest-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "45d0f984-2b63-517b-922a-12924bcf4f68", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee", "value": "ENERGETIC BEAR" }, { "description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. 
It is suspected of being responsible for the 2008 distributed denial-of-service attacks on Georgia prior to the Russian invasion and for the 2015 compromise of the Ukrainian electrical grid that caused a power outage.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", "cfr-suspected-victims": [ "Russia", "Lithuania", "Kyrgyzstan", "Israel", "Ukraine", "Belarus", "Kazakhstan", "Georgia", "Poland", "Azerbaijan", "Iran" ], "cfr-target-category": [ "Private sector", "Government" ], "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-163A", "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid", "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks", "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage", "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks", "https://attack.mitre.org/groups/G0034", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", "https://dragos.com/adversaries.html", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks", "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt", "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine", "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare", 
"https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine", "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back", "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/" ], "synonyms": [ "Quedagh", "VOODOO BEAR", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots", "IRIDIUM", "Blue Echidna", "FROZENBARENTS" ] }, "related": [ { "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d52ca4c4-d214-11e8-8d29-c3e7cb78acce", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "473eb51c-36cb-5e3a-8347-2f57df809be9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b4fbf3b0-1a5e-4bdc-8977-74fff1db19ff", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" }, { "dest-uuid": "0fdab65b-3e2b-5fd8-be36-cc18c7bcc1d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", "value": "Sandworm" }, { "description": "Groups targeting financial organizations or people with significant financial assets.", "meta": { "attribution-confidence": "50", "country": "RU", "motive": "Cybercrime", "refs": [ "https://en.wikipedia.org/wiki/Carbanak", "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe", "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf", 
"https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/", "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain", "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", "https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf", "https://attack.mitre.org/groups/G0008/", "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", "https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", "https://blog.morphisec.com/fin7-attack-modifications-revealed", "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://attack.mitre.org/groups/G0046/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://threatintel.blog/OPBlueRaven-Part1/", "https://threatintel.blog/OPBlueRaven-Part2/", 
"https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous", "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape" ], "synonyms": [ "CARBON SPIDER", "GOLD NIAGARA", "Calcium", "ATK32", "G0046", "G0008", "Coreid", "Carbanak" ] }, "related": [ { "dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9471ad21-0553-5483-bf7c-e6ad9c062c79", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "value": "FIN7" }, { "description": "Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say.\nThe attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets.\nResearchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. 
They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", "cfr-suspected-victims": [ "Hungary", "Belarus" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/", "https://www.cfr.org/interactive/cyber-operations/team-spy-crew", "https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/", "https://www.crysys.hu/publications/files/teamspy.pdf", "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf", "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" ], "synonyms": [ "TeamSpy", "Team Bear", "Anger Bear", "IRON LYRIC" ] }, "related": [ { "dest-uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445", "value": "TeamSpy Crew" }, { "description": "Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.\nFrom August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). 
The number of successful attacks against Ukrainian banks has not been identified.\nBuhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure which provokes delay in servicing customers and additional losses.\nMalicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gates which are known to be of interest for other criminal groups.", "meta": { "attribution-confidence": "50", "country": "RU", "refs": [ "https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/", "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware", "https://www.kaspersky.com/blog/financial-trojans-2019/25690/", "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ] }, "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb", "value": "BuhTrap" }, { "description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. 
FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.", "meta": { "attribution-confidence": "50", "country": "RO", "refs": [ "https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623", "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html", "https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf", "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html", "https://attack.mitre.org/groups/G0085/" ], "synonyms": [ "FIN4", "G0085" ] }, "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57", "value": "WOLF SPIDER" }, { "description": "First observed activity in December 2013.", "meta": { "attribution-confidence": "50", "country": "RU" }, "uuid": "85b40169-3d1c-491b-9fbf-877ed57f32e0", "value": "Boulder Bear" }, { "description": "This group's activity was first observed in November 2013. 
It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.", "meta": { "attribution-confidence": "50", "country": "RU" }, "uuid": "7dd7a8df-9012-4d14-977f-b3f9f71266b4", "value": "SHARK SPIDER" }, { "description": "Adversary targeting manufacturing and industrial organizations.", "meta": { "attribution-confidence": "50", "country": "RU", "refs": [ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" ] }, "uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd", "value": "UNION SPIDER" }, { "meta": { "attribution-confidence": "50", "country": "KP", "refs": [ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" ], "synonyms": [ "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ] }, "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7", "value": "Silent Chollima" }, { "description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. 
Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)", "cfr-suspected-victims": [ "South Korea", "Bangladesh Bank", "Sony Pictures Entertainment", "United States", "Thailand", "France", "China", "Hong Kong", "United Kingdom", "Guatemala", "Canada", "Bangladesh", "Japan", "India", "Germany", "Brazil", "Thailand", "Australia", "Cryptocurrency exchanges in South Korea" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": [ "Espionage", "Sabotage" ], "country": "KP", "refs": [ "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/", "https://www.us-cert.gov/ncas/alerts/TA17-164A", "https://www.us-cert.gov/ncas/alerts/TA17-318A", "https://www.us-cert.gov/ncas/alerts/TA17-318B", "https://securelist.com/operation-applejeus/87553/", "https://securelist.com/lazarus-under-the-hood/77908/", "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/", "https://www.cfr.org/interactive/cyber-operations/lazarus-group", "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret", "https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea", "https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/", "https://content.fireeye.com/apt/rpt-apt38", "https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/", "https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack", 
"https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise", "https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html", "https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov", "https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/", "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/", "https://www.us-cert.gov/ncas/analysis-reports/AR19-129A", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/", "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/", "https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/", "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", "https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations", "https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies", 
"https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c", "https://attack.mitre.org/groups/G0032/", "https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105", "https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD", "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware", "https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware", "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html", "https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret", "https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/", "https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678", "https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/", "https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", "https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html", "https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/", "https://dragos.com/adversaries.html", "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", 
"https://www.cfr.org/interactive/cyber-operations/covellite", "https://www.hvs-consulting.de/lazarus-report/", "https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html", "https://attack.mitre.org/groups/G0082", "https://attack.mitre.org/groups/G0032" ], "synonyms": [ "Operation DarkSeoul", "Dark Seoul", "Hidden Cobra", "Hastati Group", "Andariel", "Unit 121", "Bureau 121", "NewRomanic Cyber Army Team", "Bluenoroff", "Subgroup: Bluenoroff", "Group 77", "Labyrinth Chollima", "Operation Troy", "Operation GhostSecret", "Operation AppleJeus", "APT38", "APT 38", "Stardust Chollima", "Whois Hacking Team", "Zinc", "Appleworm", "Nickel Academy", "APT-C-26", "NICKEL GLADSTONE", "COVELLITE", "ATK3", "G0032", "ATK117", "G0082" ] }, "related": [ { "dest-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b06c3af1-0243-4428-88da-b3451c345e1e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "linked-to" }, { "dest-uuid": "3bbf3f0f-346d-49ad-9300-3bb0f23c83ef", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" }, { "dest-uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9630b0aa-ee9e-5b58-9f79-cf7fa8d291a8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3a32c54d-d86a-55de-b16a-d9a08a5cf49b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", "value": "Lazarus Group" }, { 
"description": "VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. 
The unique EHDevel malicious code framework used by the organization.", "meta": { "attribution-confidence": "50", "country": "IN", "refs": [ "https://kung_foo.keybase.pub/papers_and_presentations/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf", "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/", "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia", "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/", "https://www.crowdstrike.com/blog/viceroy-tiger-delivers-new-zero-day-exploit/index.html", "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/", "https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/", "https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" ], "synonyms": [ "OPERATION HANGOVER", "Donot Team", "APT-C-35", "SectorE02", "Orange Kala" ] }, "related": [ { "dest-uuid": "231a81cd-4e24-590b-b084-1a4715b30d67", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "e2b87f81-a6a1-4524-b03f-193c3191d239", "value": "VICEROY TIGER" }, { "meta": { "attribution-confidence": "50", "country": "US", "refs": [ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/" ], "synonyms": [ "DD4BC", "Ambiorx" ] }, "uuid": "dd9806a9-a600-48f8-81fb-07f0f1b7690d", "value": "PIZZO SPIDER" }, { "meta": { "attribution-confidence": "50", "country": "TN", "refs": [ "https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/" ], 
"synonyms": [ "TunisianCyberArmy" ] }, "uuid": "59d63dd6-f46f-4334-ad15-30d2e1ee0623", "value": "Corsair Jackal" }, { "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "France", "cfr-suspected-victims": [ "Syria", "United States", "Netherlands", "Russia", "Spain", "Iran", "China", "Germany", "Algeria", "Norway", "Malaysia", "Turkey", "United Kingdom", "Ivory Coast", "Greece" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "FR", "refs": [ "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/", "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france", "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/", "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", "https://www.cfr.org/interactive/cyber-operations/snowglobe", "https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/" ], "synonyms": [ "Animal Farm", "Snowglobe", "ATK8" ] }, "uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab", "value": "SNOWGLOBE" }, { "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. 
Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear", "meta": { "attribution-confidence": "50", "country": "SY", "refs": [ "https://en.wikipedia.org/wiki/Syrian_Electronic_Army" ], "synonyms": [ "SyrianElectronicArmy", "SEA" ] }, "uuid": "4265d44e-8372-4ed0-b428-b331a5443d7d", "value": "Deadeye Jackal" }, { "description": "Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Pakistan", "cfr-target-category": [ "Civil society", "Military", "Government" ], "country": "PK", "refs": [ "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://www.amnesty.org/en/documents/asa33/8366/2018/en/", "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/", "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe", "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf", "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf", "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials", 
"https://s.tencent.com/research/report/669.html", "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone" ], "synonyms": [ "C-Major", "Transparent Tribe", "Mythic Leopard", "ProjectM", "APT36", "APT 36", "TMP.Lapis", "Green Havildar", "COPPER FIELDSTONE" ] }, "related": [ { "dest-uuid": "2a410eea-a9da-11e8-b404-37b7060746c8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905", "value": "Operation C-Major" }, { "description": "This threat actor targets civil society groups and Emirati journalists, activists, and dissidents. ", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "United Arab Emirates", "cfr-suspected-victims": [ "United Arab Emirates", "United Kingdom" ], "cfr-target-category": [ "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "AE", "refs": [ "https://citizenlab.ca/2016/05/stealth-falcon/", "https://www.cfr.org/interactive/cyber-operations/stealth-falcon", "https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/", "https://attack.mitre.org/groups/G0038/" ], "synonyms": [ "FruityArmor", "G0038" ] }, "related": [ { "dest-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0", "value": "Stealth Falcon" }, { "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. 
With the potential to sell access to these devices to the highest bidder", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf" ] }, "uuid": "12ab5c28-5f38-4a2f-bd40-40e9c500f4ac", "value": "HummingBad" }, { "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "India", "cfr-suspected-victims": [ "Bangladesh", "Sri Lanka", "Pakistan" ], "cfr-target-category": [ "Private sector", "Military" ], "cfr-type-of-incident": "Espionage", "country": "IN", "refs": [ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign", "https://www.cymmetria.com/patchwork-targeted-attack/", "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", "https://attack.mitre.org/groups/G0040/", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://securelist.com/the-dropping-elephant-actor/75328/", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", "https://www.secureworks.com/research/threat-profiles/zinc-emerson", 
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait", "https://unit42.paloaltonetworks.com/atoms/thirstygemini/" ], "synonyms": [ "Chinastrats", "Patchwork", "Monsoon", "Sarit", "Dropping Elephant", "APT-C-09", "ZINC EMERSON", "ATK11", "G0040", "Orange Athos", "Thirsty Gemini" ] }, "related": [ { "dest-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "231a81cd-4e24-590b-b084-1a4715b30d67", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "18d473a5-831b-47a5-97a1-a32156299825", "value": "QUILTED TIGER" }, { "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same.\nThe attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. 
We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.\nThe attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC.\nScarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://attack.mitre.org/wiki/Groups", "https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/", "https://attack.mitre.org/groups/G0029/", "https://unit42.paloaltonetworks.com/atoms/golfing-taurus/" ], "synonyms": [ "G0029", "Golfing Taurus" ] }, "related": [ { "dest-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e", "value": "Scarlet Mimic" }, { "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. 
The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", "meta": { "attribution-confidence": "50", "country": "BR", "refs": [ "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/", "https://attack.mitre.org/wiki/Groups", "https://attack.mitre.org/groups/G0033/" ], "synonyms": [ "G0033" ] }, "related": [ { "dest-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d", "value": "Poseidon Group" }, { "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States" ], "cfr-target-category": [ "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", "https://attack.mitre.org/wiki/Groups", "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor", "https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf", "https://www.cfr.org/interactive/cyber-operations/moafee", "https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", 
"https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", "https://www.phnompenhpost.com/national/kingdom-targeted-new-malware", "https://attack.mitre.org/groups/G0017/", "https://attack.mitre.org/groups/G0002/", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/" ], "synonyms": [ "Moafee", "BRONZE OVERBROOK", "G0017", "G0002", "Shallow Taurus" ] }, "related": [ { "dest-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "a9b44750-992c-4743-8922-129880d277ea", "value": "DragonOK" }, { "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. 
The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "United States", "cfr-suspected-victims": [ "Russia", "Iran", "Belgium", "China", "Sweden", "Rwanda" ], "cfr-target-category": [ "Government", "Military" ], "cfr-type-of-incident": "Espionage", "country": "US", "refs": [ "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/", "https://www.cfr.org/interactive/cyber-operations/project-sauron", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf", "https://attack.mitre.org/groups/G0041/" ], "synonyms": [ "Strider", "Sauron", "Project Sauron", "G0041" ] }, "related": [ { "dest-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7", "value": "ProjectSauron" }, { "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene" ] }, "uuid": "4b79d1f6-8333-44b6-ac32-d1ea7e47e77f", "value": "TA530" }, { "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", "meta": { "attribution-confidence": "50", "country": "RU", "refs": [ 
"https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/", "https://attack.mitre.org/groups/G0036/" ], "synonyms": [ "G0036" ] }, "related": [ { "dest-uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0", "value": "GCMAN" }, { "description": "Suckfly is a China-based threat group that has been active since at least 2014.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://attack.mitre.org/groups/G0039/", "https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab", "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild", "https://www.secureworks.com/research/threat-profiles/bronze-olive", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "G0039", "Suckfly", "BRONZE OLIVE", "Group 46" ] }, "related": [ { "dest-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "5abb12e7-5066-4f84-a109-49a037205c76", "value": "APT22" }, { "description": "FIN is a group targeting financial assets, including assets able to perform financial transactions, including PoS.", "meta": { "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", 
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://attack.mitre.org/groups/G0037/", "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "http://www.secureworks.com/research/threat-profiles/gold-franklin", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" ], "synonyms": [ "SKELETON SPIDER", "ITG08", "MageCart Group 6", "White Giant", "GOLD FRANKLIN", "ATK88", "G0037" ] }, "related": [ { "dest-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1cdbbcab-903a-414d-8eb0-439a97343737", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { "dest-uuid": "3126bd2c-3d04-5174-ad03-40136b94f574", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302", "value": "FIN6" }, { "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.", "meta": { "attribution-confidence": "50", "country": "LY" }, "uuid": "815cbe98-e157-4078-9caa-c5a25dd64731", "value": "Libyan Scorpions" }, { "meta": { "refs": [ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" ], "synonyms": [ "CorporacaoXRat", "CorporationXRat" ] }, "uuid": "43ec65d1-a334-4c44-9a44-0fd21f27249d", "value": "TeamXRat" }, { "description": "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. 
It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. \r\n\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\r\n\r\n-Organized evasion testing used during the development of their tools.\r\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\r\n-Custom web-shells and backdoors used to persistently access servers.\r\n\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and PuTTY. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet-accessible resources, such as Outlook Web Access.\n\n\n\nSince at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. 
The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "Israel", "Kuwait", "United States", "Turkey", "Saudi Arabia", "Qatar", "Lebanon", "Middle East" ], "cfr-target-category": [ "Government", "Private sector", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability", "https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/", "https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/", "https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/", "https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", "https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/", "https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/", 
"https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/", "https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "https://pan-unit42.github.io/playbook_viewer/", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf", "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a", "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json", "https://www.cfr.org/interactive/cyber-operations/oilrig", "https://www.cfr.org/interactive/cyber-operations/apt-34", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.clearskysec.com/oilrig/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/", "https://attack.mitre.org/groups/G0049/", "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", 
"https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/", "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/" ], "synonyms": [ "Twisted Kitten", "Cobalt Gypsy", "Crambus", "Helix Kitten", "APT 34", "APT34", "IRN2", "ATK40", "G0049", "Evasive Serpens" ] }, "related": [ { "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b6260d6d-a2f7-5b79-8132-5c456a225f53", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4945c0e7-9f4b-404d-83b2-e5cd3f26c32f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" } ], "uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "value": "OilRig" }, { "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.", "meta": { "country": "LB", "refs": [ "https://blog.checkpoint.com/2015/03/31/volatilecedar/", "https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/", "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/", "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/" ], "suspected-victims": [ "Middle East", "Israel", "Lebanon", "Saudi Arabia" ], "synonyms": [ "Lebanese Cedar", "DeftTorero" ] }, "related": [ { "dest-uuid": "0155c3b1-8c7c-4176-aeda-68678dd99992", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" } ], "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a", "value": "Volatile Cedar" }, { "description": "Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine. 
What makes Dancing Salome interesting and relevant is the attacker’s penchant for leveraging HackingTeam RCS implants compiled after the public breach.", "meta": { "refs": [ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf" ], "suspected-victims": [ "Ukraine" ] }, "uuid": "3d5192f2-f235-46fd-aa68-dd00cc17d632", "value": "Dancing Salome" }, { "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" ] }, "related": [ { "dest-uuid": "99784b80-6298-45ba-885c-0ed37bfd8324", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "46670c51-fea4-45d6-bdd4-62e85a5c7404", "value": "TERBIUM" }, { "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well, and as discovered later, even the U.S. and UK governments. 
Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/", "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/", "https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website", "https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html", "https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html", "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", "https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/", "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf", "https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf", "https://securelist.com/gaza-cybergang-updated-2017-activity/82765/", "https://www.kaspersky.com/blog/gaza-cybergang/26363/", "https://attack.mitre.org/groups/G0021/", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga" ], "synonyms": [ "Gaza Hackers Team", "Gaza cybergang", "Gaza Cybergang", "Operation Molerats", "Extreme Jackal", "Moonlight", "ALUMINUM SARATOGA", "G0021" ] }, "related": [ { "dest-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde", "value": "Molerats" }, { "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. 
Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", "meta": { "attribution-confidence": "50", "country": "TR", "refs": [ "https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users", "https://attack.mitre.org/groups/G0056/" ], "synonyms": [ "StrongPity", "G0056" ] }, "related": [ { "dest-uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "43894e2a-174e-4931-94a8-2296afe8f650", "value": "PROMETHIUM" }, { "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. 
Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "https://attack.mitre.org/groups/G0055/" ], "synonyms": [ "G0055" ] }, "related": [ { "dest-uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "47b5007a-3fb1-466a-9578-629e6e735493", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb", "value": "NEODYMIUM" }, { "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.", "meta": { "refs": [ "https://citizenlab.ca/2015/12/packrat-report/" ] }, "uuid": "fe344665-d153-4d31-a32a-1509efde1ca7", "value": "Packrat" }, { "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. 
Symantec estimates that each team is made up of between 5 and 10 people.", "meta": { "attribution-confidence": "50", "country": "IR", "refs": [ "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" ] }, "uuid": "03f13462-003c-4296-8784-bccea16710a9", "value": "Cadelle" }, { "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. 
We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html" ] }, "uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965", "value": "PassCV" }, { "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.", "meta": { "attribution-confidence": "50", "country": "TR", "motive": "Hacktivists-Nationalists" }, "uuid": "a03e2b4b-617f-4d28-ac4b-9943f792aa22", "value": "Sath-ı Müdafaa" }, { "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam", "meta": { "attribution-confidence": "50", "country": "TR", "motive": "Hacktivists-Nationalists", "synonyms": [ "Lion Soldiers Team", "Phantom Turk" ] }, "uuid": "23410d3f-c359-422d-9a4e-45f8fdf0c84a", "value": "Aslan Neferler Tim" }, { "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. 
It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.", "meta": { "attribution-confidence": "50", "country": "TR", "motive": "Hacktivists-Nationalists", "synonyms": [ "Crescent and Star" ] }, "uuid": "ab1771de-25bb-4688-b132-eabb5d6452a1", "value": "Ayyıldız Tim" }, { "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ", "meta": { "attribution-confidence": "50", "country": "TR", "motive": "Hacktivists-Nationalists", "synonyms": [ "Turk Hack Team" ] }, "uuid": "7ae74dc6-ded3-4873-a803-abb4160d10c0", "value": "TurkHackTeam" }, { "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "United States", "cfr-suspected-victims": [ "Iran", "Afghanistan", "Syria", "Yemen", "Kenya", "Russia", "India", "Mali", "Algeria", "United Kingdom", "Pakistan", "China", "Lebanon", "United Arab Emirates", "Libya" ], "cfr-target-category": [ "Government", "Military" ], "cfr-type-of-incident": "Espionage", "country": "US", "refs": [ "https://en.wikipedia.org/wiki/Equation_Group", "https://www.cfr.org/interactive/cyber-operations/equation-group", "https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/", 
"https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0", "https://en.wikipedia.org/wiki/Stuxnet", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://attack.mitre.org/groups/G0020/" ], "synonyms": [ "Tilded Team", "EQGRP", "G0020" ] }, "related": [ { "dest-uuid": "2f3311cd-8476-4be7-9005-ead920afc781", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3e0c2d35-87cb-40f9-b341-a6c8dbec697e", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "fb8828a4-76de-467d-9f52-528984aa9b8d", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "a4cebcc4-9e9b-415f-aa05-dd71c4e288fe", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "2407bd9a-a3a4-40c4-86de-be6965243c67", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "1e25d254-3f03-4752-b8d6-023a23e7d4ae", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "21f7a57b-7778-4b3e-9b50-5289ae3b445d", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" } ], "uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840", "value": "Equation Group" }, { "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.", "meta": { "attribution-confidence": "50", "country": "IR", "refs": [ "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", 
"https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/", "https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/", "https://www.clearskysec.com/greenbug/" ] }, "related": [ { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "47204403-34c9-4d25-a006-296a0939d1a2", "value": "Greenbug" }, { "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. 
We believe this shift indicates the Gamaredon Group have improved their technical capabilities.", "meta": { "cfr-suspected-victims": [ "Ukraine" ], "cfr-target-category": [ "Government" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution", "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://attack.mitre.org/groups/G0047", "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations", "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game", "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021", "https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf", "https://unit42.paloaltonetworks.com/atoms/tridentursa", "https://cert.gov.ua/article/1229152", "https://cert.gov.ua/article/971405", "https://cert.gov.ua/article/40240", "https://cert.gov.ua/article/39386", "https://cert.gov.ua/article/39086", "https://cert.gov.ua/article/39138", "https://cert.gov.ua/article/18365" ], "synonyms": [ "ACTINIUM", "DEV-0157", "Blue Otso", "BlueAlpha", "G0047", "IRON TILDEN", "PRIMITIVE BEAR", "Shuckworm", "Trident Ursa", "UAC-0010", "Winterflounder" ] }, "related": [ { "dest-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "fc77a775-d06f-5efc-a6fa-0b2af01902a7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], 
"type": "similar" } ], "uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb", "value": "Gamaredon Group" }, { "description": "Infy is a group of suspected Iranian origin.\nSince early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human rights activists in the beginning of 2015. In line with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents.\nThanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. 
The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "Israel", "Iran", "France", "China", "Sweden", "United States", "United Kingdom", "Germany", "Syria", "Italy", "Denmark", "Canada", "Russia", "Saudi Arabia", "Bahrain" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", "https://www.freebuf.com/articles/network/105726.html", "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", "https://iranthreats.github.io/", "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/", "https://www.cfr.org/interactive/cyber-operations/prince-persia", "https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/" ], "synonyms": [ "Operation Mermaid", "Prince of Persia", "Foudre" ] }, "uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e", "value": "Infy" }, { "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.\nIn February 2016, Iran-focused individuals received messages purporting to be from Human Rights Watch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghan refugees to fight in Syria. 
While referencing a real report published by HRW, the links provided for the Director’s biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to professionally interact with the subject, then offered validation through links to their biography and social media, the former of which was itself malware as well. The bait documents contained a real article relevant to their interests and the topic referenced, and the message attempted to address how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files, using the common right-to-left filename tactic in order to conceal the actual file extension. 
All of these techniques, while common pretexting mechanisms, are a refinement compared to a tendency amongst other groups to simply continually send different forms of generic malware or phishing, in the hopes that one would eventually be successful.", "meta": { "attribution-confidence": "50", "country": "IR", "refs": [ "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", "https://iranthreats.github.io/" ] }, "uuid": "80f9184d-1df3-4ad0-a452-cdb90fe57216", "value": "Sima" }, { "description": "Blue Termite is a group of suspected Chinese origin active in Japan.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "Japan" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/", "https://www.cfr.org/interactive/cyber-operations/blue-termite" ], "synonyms": [ "Cloudy Omega", "Emdivi" ] }, "uuid": "a250af72-f66c-4d02-9f36-ab764ce9fe85", "value": "Blue Termite" }, { "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.", "meta": { "attribution-confidence": "50", "country": "UA", "refs": [ "http://www.welivesecurity.com/2016/05/18/groundbait" ] }, "uuid": "8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73", "value": "Groundbait" }, { "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. 
Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to CFR, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by Wikileaks under the name \"Vault 7.\"", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "United States", "cfr-suspected-victims": [ "Global" ], "cfr-target-category": [ "Private sector", "Government" ], "cfr-type-of-incident": "Espionage", "country": "US", "refs": [ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/", "https://www.cfr.org/interactive/cyber-operations/longhorn", "http://blogs.360.cn/post/APT-C-39_CIA_EN.html", "https://www.secureworks.com/research/threat-profiles/platinum-terminal" ], "synonyms": [ "Lamberts", "the Lamberts", "APT-C-39", "PLATINUM TERMINAL" ] }, "related": [ { "dest-uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "2f3311cd-8476-4be7-9005-ead920afc781", "value": "Longhorn" }, { "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. 
Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.", "meta": { "country": "RU", "refs": [ "https://www.f-secure.com/documents/996508/1030745/callisto-group", "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe", "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag", "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations", "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf" ], "synonyms": [ "COLDRIVER", "SEABORGIUM", "TA446", "GOSSAMER BEAR" ] }, "related": [ { "dest-uuid": "06630ccd-98ed-5aec-8083-e04c894bd2d6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", "value": "Callisto" }, { "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. 
FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Vietnam", "cfr-suspected-victims": [ "China", "Germany", "United States", "Vietnam", "Philippines", "Association of Southeast Asian Nations" ], "cfr-target-category": [ "Government", "Private sector", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "VN", "refs": [ "https://attack.mitre.org/groups/G0050/", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/", "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/", "https://www.brighttalk.com/webcast/10703/261205", "https://github.com/eset/malware-research/tree/master/oceanlotus", "https://www.cfr.org/interactive/cyber-operations/ocean-lotus", "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/", "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them", "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam" ], "synonyms": [ "OceanLotus Group", "Ocean Lotus", "OceanLotus", "Cobalt Kitty", "APT-C-00", "SeaLotus", "Sea Lotus", "APT-32", "APT 32", "Ocean Buffalo", "POND LOACH", "TIN WOODLAWN", "BISMUTH", "ATK17", "G0050" ] }, "related": [ { "dest-uuid": 
"247cb30b-955f-42eb-97a5-a89fef69341e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7e5a571f-dee2-4cae-a960-f8ab8a8fb1cf", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "37808cab-cbb3-560b-bebd-375fa328ea1e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7", "value": "APT32" }, { "description": "As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available. ", "meta": { "attribution-confidence": "50", "country": "NG", "refs": [ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf" ] }, "uuid": "acbfd9e4-f78c-4ae0-9b52-c35ed679e546", "value": "SilverTerrier" }, { "description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not state-sponsored but rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.\n Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. 
It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.\n This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider-trading purposes.", "meta": { "refs": [ "https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks", "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", "https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/", "https://blog.twitter.com/official/en_us/a/2013/keeping-our-users-secure.html", "https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766", "https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219", "https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/" ], "synonyms": [ "Butterfly", "Morpho", "Sphinx Moth" ] }, "uuid": "e7df3572-0c96-4968-8e5a-803ef4219762", "value": "WildNeutron" }, { "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. 
Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.", "meta": { "refs": [ "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf", "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/", "https://attack.mitre.org/groups/G0068/" ], "synonyms": [ "TwoForOne", "G0068", "ATK33" ] }, "related": [ { "dest-uuid": "f9c06633-dcff-48a1-8588-759e7cec5694", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "154e97b5-47ef-415a-99a6-2157f1b50339", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a", "value": "PLATINUM" }, { "description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. 
RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.", "meta": { "refs": [ "https://dragos.com/blog/20180802Raspite.html", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east", "https://attack.mitre.org/groups/G0077/" ], "since": "2017", "synonyms": [ "LeafMiner", "Raspite" ], "victimology": "Electric utility sector" }, "uuid": "2c8994ba-367c-46f6-bfb0-390c8760dd9e", "value": "RASPITE" }, { "description": "FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf", "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf", "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "https://attack.mitre.org/groups/G0061" ], "synonyms": [ "ATK113", "G0061" ] }, "related": [ { "dest-uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73", "value": "FIN8" }, { "description": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. 
The attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "Venezuela", "Russia", "Cuba", "China", "Belgium", "Ecuador", "Brazil", "Spain", "Germany", "France", "Colombia", "Peru", "Sweden", "United States", "Malaysia" ], "cfr-target-category": [ "Military", "Government" ], "cfr-type-of-incident": "Espionage", "refs": [ "https://attack.mitre.org/groups/G0095/", "https://securelist.com/el-machete/66108/", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", "https://www.cfr.org/interactive/cyber-operations/machete", "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html", "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" ], "synonyms": [ "Machete", "machete-apt", "APT-C-43", "G0095" ] }, "related": [ { "dest-uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3", "value": "El Machete" }, { "description": "A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. 
The group has been active since June 2016, and their latest attacks happened in July and August.", "meta": { "refs": [ "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/", "https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/", "https://www.group-ib.com/blog/cobalt", "https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX", "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target", "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", "https://www.riskiq.com/blog/labs/cobalt-strike/", "https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/", "https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/", "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain", "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested", "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", "https://attack.mitre.org/groups/G0080/", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://unit42.paloaltonetworks.com/atoms/mulelibra/" ], "synonyms": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ] }, "uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe", "value": "Cobalt" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ 
"https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", "https://attack.mitre.org/groups/G0062/" ], "synonyms": [ "G0062" ] }, "related": [ { "dest-uuid": "62a64fd3-aaf7-4d09-a375-d6f8bb118481", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314", "value": "TA459" }, { "meta": { "attribution-confidence": "50", "country": "RU", "refs": [ "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter" ] }, "uuid": "4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8", "value": "Cyber Berkut" }, { "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Eastern Europe", "Japan", "South Korea", "Taiwan", "US" ], "cfr-target-category": [ "Military", "Government", "Private sector" ], "country": "CN", "refs": [ "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/", "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf", "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/", "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" ], "synonyms": [ "CactusPete", "KARMA PANDA", "BRONZE HUNTLEY", "COPPER", "Red Beifang", "G0131", "PLA Unit 65017" ] }, "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26", "value": "Tonto Team" }, { "meta": { "refs": [ "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" ] }, "uuid": 
"fb745fe1-5478-4d47-ad3d-7389fa4a6f77", "value": "Danti" }, { "description": "We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. \nAPT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. \nIn one case in late 2014, APT5 breached the network of an international telecommunications company. 
The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies.", "meta": { "refs": [ "https://www.fireeye.com/current-threats/apt-groups.html", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://www.mandiant.com/resources/insights/apt-groups", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi" ], "synonyms": [ "KEYHOLE PANDA", "MANGANESE", "BRONZE FLEETWOOD", "TEMP.Bottle" ] }, "related": [ { "dest-uuid": "fa562b27-d3ff-5e7c-9079-c957eb01a0e0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795", "value": "APT5" }, { "description": "Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on the political, media, and engineering sectors. 
STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Japan", "China", "Korea (Republic of)", "Russian Federation" ], "cfr-target-category": [ "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf", "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan", "https://www.secureworks.jp/resources/rp-bronze-butler", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html", "https://www.cfr.org/interactive/cyber-operations/bronze-butler", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://attack.mitre.org/groups/G0060/", "https://www.secureworks.com/research/threat-profiles/bronze-butler", "https://unit42.paloaltonetworks.com/atoms/stalkertaurus/", "https://twitter.com/iiyonite/status/1384431491485155331", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" ], "synonyms": [ "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA", "G0060", "Stalker Taurus", "PLA Unit 61419" ] }, "related": [ { "dest-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8", "value": "Tick" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://www.secureworks.com/research/threat-profiles/bronze-express", 
"https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf" ], "synonyms": [ "Hippo Team", "JerseyMikes", "TURBINE PANDA", "BRONZE EXPRESS", "TECHNETIUM" ] }, "related": [ { "dest-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11", "value": "APT26" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "uuid": "67adfa07-869f-4052-9d56-b88a51489902", "value": "SABRE PANDA" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?" 
] }, "uuid": "06e89270-ca1b-4cd4-85f3-940d23c76766", "value": "BIG PANDA" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf" ] }, "uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c", "value": "POISONUS PANDA" }, { "meta": { "refs": [ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "uuid": "7ad01582-d6a7-4a40-a0ee-7727e268cd15", "value": "Ghost Jackal" }, { "meta": { "attribution-confidence": "50", "country": "KP", "refs": [ "https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html" ] }, "uuid": "73c636ae-e55c-4167-bf40-315789698adb", "value": "TEMP.Hermit" }, { "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Myanmar", "Germany", "Singapore", "Canada", "India", "United States", "South Korea" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/", "https://www.cfr.org/interactive/cyber-operations/mofang", "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-walker" ], "synonyms": [ "Superman", "BRONZE WALKER" ] }, "uuid": "999f3008-2b2f-467d-ab4d-c5a2fd80b344", "value": "Mofang" }, { "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "Israel", "Jordan", "Saudi Arabia", "Germany", "United States" ], "cfr-target-category": [ "Government", "Private sector", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ 
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf", "https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr", "http://www.clearskysec.com/copykitten-jpost/", "http://www.clearskysec.com/tulip/", "https://www.cfr.org/interactive/cyber-operations/copykittens", "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", "https://attack.mitre.org/groups/G0052/" ], "synonyms": [ "Slayer Kitten", "G0052" ] }, "related": [ { "dest-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae", "value": "CopyKittens" }, { "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ] }, "uuid": "9035bfbf-a73f-4948-9df2-bd893e9cafef", "value": "EvilPost" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ] }, "uuid": "cd6ac640-9ae9-4aa9-89cd-89b95be1a3ab", "value": "TEST PANDA" }, { "description": "Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.\nCommon applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. 
Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "Iran", "Pakistan", "Israel", "United States" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ "https://securelist.com/the-madi-campaign-part-i-5/33693/", "https://securelist.com/the-madi-campaign-part-ii-53/33701/", "https://www.cfr.org/interactive/cyber-operations/madi", "https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east", "https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/", "https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns" ] }, "uuid": "d5dacda0-12c2-4e80-bdf2-1c5019ec40e2", "value": "Madi" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ] }, "uuid": "69059ec9-45c9-4961-a07e-6b2f2228f0ce", "value": "ELECTRIC PANDA" }, { "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "United Kingdom", "Hong Kong" ], "cfr-target-category": [ "Private sector", "Military" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments", "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919", "https://www.cfr.org/interactive/cyber-operations/sykipot", 
"https://www.secureworks.com/research/threat-profiles/bronze-edison", "https://www.mandiant.com/resources/insights/apt-groups" ], "synonyms": [ "PLA Navy", "MAVERICK PANDA", "BRONZE EDISON", "Sykipot" ] }, "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b", "value": "APT4" }, { "description": "This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)", "cfr-suspected-victims": [ "Ministry of Unification", "Sejong Institute", "Korea Institute for Defense Analyses" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "KP", "refs": [ "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/", "https://www.cfr.org/interactive/cyber-operations/kimsuky", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", "https://youtu.be/hAsKp43AZmM?t=1027", "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1", "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://attack.mitre.org/groups/G0086/", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report" ], "synonyms": [ "Velvet Chollima", "Black Banshee", "Thallium", "Operation Stolen Pencil", "G0086", "APT43" ] }, "related": [ { "dest-uuid": "44be06b1-e17a-5ea6-a0a2-067933a7af77", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", "value": "Kimsuky" }, { "description": "While investigating 
some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’.\nThe Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.", "meta": { "refs": [ "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", "https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html", "https://www.jpcert.or.jp/magazine/acreport-ChChes.html" ] }, "uuid": "7b6ba207-94de-4f94-bc7f-52cd0dafade5", "value": "Snake Wine" }, { "description": "This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.\nThe Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name \"Mask\" comes from the Spanish slang word \"Careto\" (\"Ugly Face\" or “Mask”) which the authors included in some of the malware modules.\nMore than 380 unique victims in 31 countries have been observed to date. What makes “The Mask” special is the complexity of the toolset used by the attackers. 
This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Spain", "cfr-suspected-victims": [ "Morocco", "France", "Libya", "Venezuela", "Poland", "Brazil", "Spain", "United States", "South Africa", "Tunisia", "United Kingdom", "Switzerland", "Iran", "Germany" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "ES", "refs": [ "https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/", "https://www.cfr.org/interactive/cyber-operations/careto", "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf" ], "synonyms": [ "The Mask", "Mask", "Ugly Face" ] }, "uuid": "069ba781-b2d9-4403-9d9d-c599f5e0181d", "value": "Careto" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ] }, "uuid": "b07cf296-7ab9-4b85-a07e-421607c212b0", "value": "GIBBERISH PANDA" }, { "description": "This threat actor targets the South Korean government, transportation, and energy sectors.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "South Korea" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "KP", "refs": [ "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml", "https://www.cfr.org/interactive/cyber-operations/onion-dog" ] }, "uuid": "5898e11e-a023-464d-975c-b36fb1639e69", "value": "OnionDog" }, { "meta": { "attribution-confidence": "50", "country": "IR", "refs": [ "http://www.crowdstrike.com/blog/whois-clever-kitten/" ], "synonyms": [ "Group 41" ] }, "related": [ 
{ "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "value": "Clever Kitten" }, { "meta": { "refs": [ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" ] }, "uuid": "e85ab78c-5e86-403c-b444-9cdcc167fb77", "value": "ANDROMEDA SPIDER" }, { "meta": { "refs": [ "https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division", "https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697" ], 
"synonyms": [ "Islamic State Hacking Division", "CCA", "United Cyber Caliphate", "UUC", "CyberCaliphate" ] }, "uuid": "76f6ad4e-2ff3-4ccb-b81d-18162f290af0", "value": "Cyber Caliphate Army" }, { "meta": { "attribution-confidence": "50", "country": "RU", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "uuid": "430ba885-cd24-492e-804c-815176ed9b1e", "value": "MAGNETIC SPIDER" }, { "meta": { "refs": [ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" ] }, "uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50", "value": "SINGING SPIDER" }, { "meta": { "attribution-confidence": "50", "country": "IR", "refs": [ "http://pastebin.com/u/QassamCyberFighters", "http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html" ], "synonyms": [ "Fraternal Jackal" ] }, "uuid": "22c2b363-5d8f-4b04-96db-1b6cf4d7e8db", "value": "Cyber fighters of Izz Ad-Din Al Qassam" }, { "description": "The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data.\nThe FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.\n“This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost.\nDetails regarding the actual attack and what government systems were infected are scant. 
Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks.\n“Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,” Deepen said.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/" ], "synonyms": [ "1.php Group" ] }, "uuid": "1a2592a3-eab7-417c-bf2d-9c0558c2b3e7", "value": "APT6" }, { "meta": { "refs": [ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf", "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html", "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/", "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/", "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View", "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", "https://www.threatconnect.com/blog/kasperagent-malware-campaign/", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf" ], "synonyms": [ "Desert Falcon", "Arid Viper", "APT-C-23" ] }, "uuid": "0cfff0f4-868c-40a1-b9b4-0d153c0b33b6", "value": "AridViper" }, { "meta": { "refs": [ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" ] }, "uuid": "445c7b62-028b-455e-9d65-74899b7006a4", "value": "DEXTOROUS SPIDER" }, { "meta": { 
"attribution-confidence": "50", "cfr-suspected-state-sponsor": "Israel", "cfr-suspected-victims": [ "Iran", "Sudan" ], "cfr-target-category": [ "Military", "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "IL", "refs": [ "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", "https://archive.org/details/Stuxnet", "https://www.cfr.org/interactive/cyber-operations/duqu", "https://www.cfr.org/interactive/cyber-operations/duqu-20" ], "synonyms": [ "Duqu Group" ] }, "uuid": "e9a6cbd7-ca27-4894-ae20-9d11c06fdc02", "value": "Unit 8200" }, { "description": "As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other Turla campaigns, like those deploying Kopiluwak, as documented in “KopiLuwak – A New JavaScript Payload from Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as well as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts. However, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with a separate focus. 
We note that this observation of delineated target focus, tooling, and project context is an interesting one that also can be repeated across broadly labeled Turla and Sofacy activity.\nFrom February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts. WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", "cfr-suspected-victims": [ "United States", "South Korea", "United Kingdom", "Uzbekistan" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ "https://securelist.com/introducing-whitebear/81638/", "https://www.cfr.org/interactive/cyber-operations/whitebear" ], "synonyms": [ "Skipper Turla" ] }, "uuid": "dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6", "value": "White Bear" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "uuid": "43992f81-fd29-4228-94e0-c3aa3e65aab7", "value": "PALE PANDA" }, { "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ 
"http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm" ] }, "uuid": "110792e8-38d2-4df2-9ea3-08b60321e994", "value": "Mana Team" }, { "description": "Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "Argentina", "Ecuador", "Brazil", "Brunei", "Peru", "Malaysia" ], "cfr-target-category": [ "Government" ], "cfr-type-of-incident": "Espionage", "refs": [ "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", "https://www.cfr.org/interactive/cyber-operations/sowbug", "https://attack.mitre.org/groups/G0054/" ], "synonyms": [ "G0054" ] }, "related": [ { "dest-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5", "value": "Sowbug" }, { "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. 
Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-victims": [ "Saudi Arabia", "Georgia", "Turkey", "Iraq", "Israel", "India", "United Arab Emirates", "Pakistan", "United States" ], "cfr-target-category": [ "Government" ], "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", "https://www.cfr.org/interactive/cyber-operations/muddywater", "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/", "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/", "https://securelist.com/muddywater/88059/", "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/", "https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html", "https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/", "https://attack.mitre.org/groups/G0069/", "http://www.secureworks.com/research/threat-profiles/cobalt-ulster", "https://unit42.paloaltonetworks.com/atoms/boggyserpens/" ], "synonyms": [ "TEMP.Zagros", "Static Kitten", "Seedworm", "MERCURY", "COBALT ULSTER", "G0069", "ATK51", "Boggy Serpens" ] }, "related": [ { "dest-uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], 
"type": "similar" }, { "dest-uuid": "da68ca6d-250f-50f1-a585-240475fdbb35", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b", "value": "MuddyWater" }, { "description": "In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/", "https://www.group-ib.com/blog/moneytaker" ] }, "uuid": "7d78ec00-dfdc-4a80-a4da-63f1ae63bd7f", "value": "MoneyTaker" }, { "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.", "meta": { "attribution-confidence": "50", "country": "LB", "refs": [ "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "https://research.checkpoint.com/2020/bandook-signed-delivered", "https://attack.mitre.org/groups/G0070/" ], "synonyms": [ "G0070" ] }, "uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94", "value": "Dark Caracal" }, { "description": "Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. 
The threat actor has already been observed in implementing two other known SOAP-related exploits, CVE-2014-8361 and CVE-2017-17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP-related exploit to be discovered in the wild by IoT botnets.", "meta": { "refs": [ "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7" ] }, "uuid": "8c21ce09-33c3-412c-bb55-323765e89a60", "value": "Nexus Zeta" }, { "description": "APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)", "cfr-suspected-victims": [ "Republic of Korea", "Japan", "Vietnam" ], "cfr-target-category": [ "Government", "Private sector" ], "country": "KP", "refs": [ "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/", "https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://twitter.com/mstoned7/status/966126706107953152", "https://www.cfr.org/interactive/cyber-operations/apt-37", "https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/", "https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", 
"https://attack.mitre.org/groups/G0067/", "https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/", "https://securelist.com/operation-daybreak/75100/", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/", "https://unit42.paloaltonetworks.com/atoms/moldypisces/" ], "synonyms": [ "APT 37", "Group 123", "Group123", "InkySquid", "Operation Daybreak", "Operation Erebus", "Reaper Group", "Reaper", "Red Eyes", "Ricochet Chollima", "ScarCruft", "Venus 121", "ATK4", "G0067", "Moldy Pisces" ] }, "related": [ { "dest-uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "linked-to" }, { "dest-uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "50cd027f-df14-40b2-aa22-bf5de5061163", "value": "APT37" }, { "description": "Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. 
Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "Hong Kong", "The Philippines", "Asia Pacific Economic Cooperation", "Cambodia", "Belgium", "Germany", "Philippines", "Malaysia", "Norway", "Saudi Arabia", "Switzerland", "United Kingdom" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.cfr.org/interactive/cyber-operations/apt-40", "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/", "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html", "https://attack.mitre.org/groups/G0065/", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company", "https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu", "https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network", "https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding", "https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", 
"https://www.mycert.org.my/portal/advisory?id=MA-774.022020", "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign", "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/", "https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion", "https://www.justice.gov/opa/press-release/file/1412916/download", "https://www.justice.gov/opa/press-release/file/1412921/download", "https://us-cert.cisa.gov/ncas/alerts/aa21-200a", "https://us-cert.cisa.gov/ncas/alerts/aa21-200b", "https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html", "https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking", "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking", "https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks", "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china", "https://www.mofa.go.jp/press/danwa/press6e_000312.html", "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory", "https://www.mandiant.com/resources/insights/apt-groups", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia", "https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea", "https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf" ], "synonyms": [ "TEMP.Periscope", "TEMP.Jumper", "Leviathan", "BRONZE MOHAWK", "GADOLINIUM", "KRYPTONITE PANDA", "G0065", "ATK29", "TA423", "Red Ladon", "ITG09", "MUDCARP" 
] }, "related": [ { "dest-uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "dbc45b46-5b64-50d4-b0f1-d7de888d4e85", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9", "value": "APT40" }, { "description": "FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.", "meta": { "attribution-confidence": "50", "country": "IR", "refs": [ "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "https://attack.mitre.org/groups/G0059/", "https://www.cfr.org/interactive/cyber-operations/magic-hound", "https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html", "https://www.cfr.org/cyber-operations/apt-35", "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/", "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" ], "synonyms": [ "Newscaster Team", "Magic Hound", "G0059", "Phosphorus" ] }, "related": [ { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"400cd1b8-52b7-5a5c-984f-9b4af35ea231", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", "value": "APT35" }, { "description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.", "meta": { "refs": [ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://attack.mitre.org/groups/G0071/" ] }, "uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c", "value": "Orangeworm" }, { "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that ALLANITE operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities.\nALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. 
ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities.\nALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.", "meta": { "capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec", "mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection", "refs": [ "https://dragos.com/adversaries.html", "https://dragos.com/blog/20180510Allanite.html" ], "since": "2017", "synonyms": [ "Palmetto Fusion", "Allanite" ], "victimology": "Electric utilities, US and UK" }, "related": [ { "dest-uuid": "fd28d200-2f1f-464a-af1f-fcadac7640a1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" } ], "uuid": "a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470", "value": "ALLANITE" }, { "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. 
According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”", "meta": { "attribution-confidence": "50", "capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR", "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "Iraq", "United Kingdom", "Pakistan", "Israel" ], "cfr-target-category": [ "Private sector" ], "cfr-type-of-incident": "Espionage", "mode-of-operation": "IT compromise, information gathering and recon against industrial orgs", "refs": [ "https://dragos.com/adversaries.html", "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", "https://www.cfr.org/interactive/cyber-operations/chrysene" ], "since": "2017", "synonyms": [ "OilRig", "Greenbug" ], "victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America" }, "related": [ { "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "47204403-34c9-4d25-a006-296a0939d1a2", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b6260d6d-a2f7-5b79-8132-5c456a225f53", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "value": "CHRYSENE" }, { "description": "ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.", "meta": { "refs": [ "https://securelist.com/whos-who-in-the-zoo/85394/" ] }, "uuid": "4defbf2e-4f73-11e8-807f-578d61da7568", "value": "ZooPark" }, { "description": "The Rancor group’s attacks use two primary malware families, which Unit 42 has named DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be a new addition to these attackers’ toolkit. 
Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Singapore", "Cambodia" ], "cfr-target-category": [ "Government", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", "https://www.cfr.org/interactive/cyber-operations/rancor", "https://attack.mitre.org/groups/G0075/", "https://unit42.paloaltonetworks.com/atoms/rancortaurus/" ], "synonyms": [ "Rancor group", "Rancor", "Rancor Group", "G0075", "Rancor Taurus" ] }, "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b", "value": "RANCOR" }, { "description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.", "meta": { "refs": [ "https://research.checkpoint.com/apt-attack-middle-east-big-bang/", "https://blog.talosintelligence.com/2017/06/palestine-delphi.html" ] }, "uuid": "a3cc5105-3bc6-498b-8d53-981e12d86909", "value": "The Big Bang" }, { "description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. 
Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.", "meta": { "refs": [ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/", "https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/", "https://attack.mitre.org/groups/G0078/", "https://unit42.paloaltonetworks.com/atoms/pastygemini/" ], "synonyms": [ "Gorgon Group", "Subaat", "ATK92", "G0078", "Pasty Gemini" ] }, "uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131", "value": "The Gorgon Group" }, { "description": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. 
This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).", "meta": { "refs": [ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", "https://mobile.twitter.com/360TIC/status/1083289987339042817", "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/", "https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/", "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/", "https://attack.mitre.org/groups/G0079/", "https://unit42.paloaltonetworks.com/atoms/obscureserpens/" ], "synonyms": [ "LazyMeerkat", "G0079", "Obscure Serpens" ] }, "uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9", "value": "DarkHydrus" }, { "description": "Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. 
We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.", "meta": { "refs": [ "https://www.recordedfuture.com/chinese-cyberespionage-operations", "https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf", "https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" ], "synonyms": [ "DeepCliff", "Red Dev 3" ] }, "uuid": "71a3b962-9a36-11e8-88f8-b31d20c6fa2a", "value": "RedAlpha" }, { "description": "This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "South Korea", "Japan" ], "cfr-target-category": [ "Government", "Private sector" ], "country": "CN", "refs": [ "https://www.cfr.org/interactive/cyber-operations/temptick" ] }, "uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762", "value": "TempTick" }, { "description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.\nBased on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. 
The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on.\nOperation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital).\nWith deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "Palestine", "United Arab Emirates", "Qatar", "Somalia", "Syria", "Canada", "Germany", "Serbia", "Kuwait", "Egypt", "Saudi Arabia", "Chile", "Iraq", "India", "United States", "Israel", "Russia", "South Korea", "Jordan", "Djibouti", "Lebanon", "Morocco", "Iran", "United Kingdom", "Afghanistan", "Oman", "Denmark" ], "cfr-target-category": [ "Government", "Civil society" ], "cfr-type-of-incident": "Espionage", "refs": [ "https://www.cfr.org/interactive/cyber-operations/operation-parliament", "https://securelist.com/operation-parliament-who-is-doing-what/85237/", "https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html" ] }, "uuid": 
"e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d", "value": "Operation Parliament" }, { "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", "cfr-suspected-victims": [ "Afghanistan", "Armenia", "Azerbaijan", "Belarus", "Belgium", "Czech Republic", "Greece", "India", "Iran", "Italy", "Kazakhstan", "Kenya", "Malaysia", "Russia", "South Africa", "Suriname", "Turkmenistan", "Ukraine", "United Kingdom", "United States", "Vietnam" ], "cfr-target-category": [ "Government", "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ "https://www.cfr.org/interactive/cyber-operations/inception-framework", "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf", "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf", "https://securelist.com/the-red-october-campaign/57647", "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740", "https://securelist.com/red-october-part-two-the-modules/57645", "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083", "https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899", "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability", "https://securelist.com/recent-cloud-atlas-activity/92016", 
"https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies", "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://unit42.paloaltonetworks.com/atoms/clean-ursa", "https://www.cfr.org/interactive/cyber-operations/cloud-atlas", "https://www.cfr.org/cyber-operations/red-october", "https://attack.mitre.org/groups/G0100" ], "synonyms": [ "Clean Ursa", "Cloud Atlas", "OXYGEN", "G0100", "ATK116", "Blue Odin" ] }, "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca", "value": "Inception Framework" }, { "description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Uighurs" ], "cfr-target-category": [ "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.cfr.org/interactive/cyber-operations/henbox" ] }, "uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896", "value": "HenBox" }, { "description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.\nIn April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). 
This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX.\nRecently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States" ], "cfr-target-category": [ "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.cfr.org/interactive/cyber-operations/mustang-panda", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-president", "https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html" ], "synonyms": [ "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TEMP.HEX", "BASIN", "Earth Preta" ] }, "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", "value": "MUSTANG PANDA" }, { "description": "This threat actor targets organizations in the satellite communications, 
telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "United States" ], "cfr-target-category": [ "Private sector" ], "cfr-type-of-incident": "Espionage", "refs": [ "https://www.cfr.org/interactive/cyber-operations/thrip", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://attack.mitre.org/groups/G0076/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cyberthreat.thalesgroup.com/sites/default/files/2022-05/THALES%20THREAT%20HANDBOOK%202022%20Light%20Version_1.pdf" ], "synonyms": [ "G0076", "ATK78" ] }, "uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc", "value": "Thrip" }, { "description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Pakistan", "cfr-suspected-victims": [ "Pakistan", "Iraq", "Australia", "Afghanistan", "United Arab Emirates", "Germany", "India", "United States" ], "cfr-target-category": [ "Government", "Civil society" ], "cfr-type-of-incident": "Espionage", "country": "PK", "refs": [ "https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo", "https://www.lookout.com/blog/stealth-mango" ] }, "uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c", "value": " Stealth Mango and Tangelo " }, { "description": "Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.\n\nA security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced 
Local Procedure Call (ALPC) interface used by Windows Task Scheduler.\n\nMore specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check a user's permissions, allowing write privileges on files in C:\\Windows\\Task.\n\nThe vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to the all-access SYSTEM account level.\n\nA couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.\n\nThe group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.\n\nThe researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/", "https://twitter.com/craiu/status/1311920398259367942" ], "synonyms": [ "IAmTheKing" ] }, "uuid": "abd89986-b1b0-11e8-b857-efe290264006", "value": "PowerPool" }, { "description": "Bahamut is a threat actor primarily operating in the Middle East and Central Asia, suspected to be a private contractor to several state-sponsored actors. 
They have been observed conducting phishing as well as desktop and mobile malware campaigns.", "meta": { "refs": [ "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" ] }, "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7", "value": "Bahamut" }, { "description": "Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect at least a few thousand victims.", "meta": { "refs": [ "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/" ], "synonyms": [ "Iron Cyber Group" ] }, "uuid": "6a0ea861-229a-45a6-98f5-228f69b43905", "value": "Iron Group" }, { "description": "This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", "cfr-suspected-victims": [ "Ukraine", "Austria", "Russia", "Saudi Arabia" ], "cfr-target-category": [ "Private sector" ], "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ "https://www.cfr.org/interactive/cyber-operations/operation-bugdrop" ] }, "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1", "value": "Operation BugDrop" }, { "description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activists. The threat actor also targeted the Myanmar electoral commission. 
", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "China", "Myanmar", "Hong Kong", "Taiwan" ], "cfr-target-category": [ "Civil society", "Government" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://www.cfr.org/interactive/cyber-operations/unnamed-actor" ] }, "uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e", "value": "Unnamed Actor" }, { "description": "Digital threat management company RiskIQ tracks the activity of MageCart group and reported their use of web-based card skimmers since 2016.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/", "https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/", "https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/", "https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/", "https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/" ] }, "uuid": "0768fd50-c547-11e8-9aa5-776183769eab", "value": "MageCart" }, { "description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/" ] }, "uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee", "value": "Domestic Kitten" }, { "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. 
FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.", "uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85", "value": "FASTCash" }, { "description": "According to new research by Kaspersky's GReAT team, the online criminal activities of the Roaming Mantis Group have continued to evolve since they were first discovered in April 2018. As part of their activities, this group hacks into exploitable routers and changes their DNS configuration. This allows the attackers to redirect the router user's traffic to malicious Android apps disguised as Facebook and Chrome or to Apple phishing pages that were used to steal Apple ID credentials.\nRecently, Kaspersky has discovered that this group is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page. 
When users are redirected to these pages, they will be shown a blank page in the browser, but their CPU utilization will jump to 90% or higher.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/" ], "synonyms": [ "Roaming Mantis Group" ], "threat-actor-classification": [ "campaign" ] }, "uuid": "b27beb94-ce25-11e8-8e11-2f1a59bd0e91", "value": "Roaming Mantis" }, { "description": "ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks.", "meta": { "refs": [ "https://www.eset.com/int/greyenergy-exposed/", "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/" ] }, "related": [ { "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "d52ca4c4-d214-11e8-8d29-c3e7cb78acce", "value": "GreyEnergy" }, { "description": "The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. 
The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.", "meta": { "refs": [ "https://en.wikipedia.org/wiki/The_Shadow_Brokers", "https://securelist.com/darkpulsar/88199/", "https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html", "https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files", "https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023", "https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/", "https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html", "https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/", "http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html", "https://www.hackread.com/nsa-data-dump-shadowbrokers-expose-unitedrake-malware/", "https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/" ], "synonyms": [ "The ShadowBrokers", "TSB", "Shadow Brokers", "ShadowBrokers" ] }, "uuid": "d5e90854-d5c9-11e8-98b9-1f98eb80d30a", "value": "The Shadow Brokers" }, { "description": "Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands of compromised websites. 
Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.", "meta": { "refs": [ "http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html", "https://cybaze.it/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf" ], "synonyms": [ "Operation EvilTraffic" ] }, "uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa", "value": "EvilTraffic" }, { "description": "HookAds is a malvertising campaign that purchases cheap ad space on low-quality ad networks commonly used by adult web sites, online games, or blackhat SEO sites. These ads will include JavaScript that redirects a visitor through a series of decoy sites that look like pages filled with native advertisements, online games, or other low-quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which will try to install its malware payload.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/" ] }, "uuid": "dce617eb-a3b6-4a9a-bd76-575c424f9761", "value": "HookAds" }, { "description": "INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.\nIn August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. 
Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.", "meta": { "country": "RU", "refs": [ "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" ] }, "related": [ { "dest-uuid": "b19bc1a0-2489-56ae-aa61-ed147310363e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "658314bc-3bb8-48d2-913a-c528607b75c8", "value": "INDRIK SPIDER" }, { "description": "Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.\nBased on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling \"DNSpionage,\" supports HTTP and DNS communication with the attackers.\nIn a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. 
We don't know at this time if the DNS redirections were successful.\nIn this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as \"help wanted\" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.", "meta": { "refs": [ "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html", "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html", "https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/", "https://krebsonsecurity.com/tag/dnspionage/", "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater" ], "synonyms": [ "COBALT EDGEWATER" ] }, "uuid": "608a903a-8145-4fd1-84bc-235e278480bf", "value": "DNSpionage" }, { "description": "Dubbed DarkVishnya, the attacks targeted at least eight banks using readily-available gear such as netbooks or inexpensive laptops, Raspberry Pi mini-computers, or a Bash Bunny - a USB-sized piece hardware for penetration testing purposes that can pose as a keyboard, flash storage, network adapter, or as any serial device.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/" ] }, "uuid": "db7fd7dd-28f7-4e8d-a807-8405e4b0f4e2", "value": "DarkVishnya" }, { "description": "What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. 
The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art.\nSince it is the first detection of this APT attack by 360 Security on a global scale, we code-named it as “Operation Poison Needles”, considering that the target was a medical institution. Currently, the attribution of the attacker is still under investigation. However, the special background of the polyclinic and the sensitiveness of the group it served both indicate the attack is highly targeted. Simultaneously, the attack occurred at a very sensitive timing of the Kerch Strait Incident, so it also aroused the assumption on the political attribution of the attack.", "meta": { "refs": [ "http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN" ] }, "uuid": "08ff3cb6-c292-4360-a978-6f05775881ed", "value": "Operation Poison Needles" }, { "description": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).", "meta": { "refs": [ "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648" ], "synonyms": [ "Golden Chickens", "Golden Chickens01", "Golden Chickens 01" ] }, "related": [ { "dest-uuid": "6d50a8a2-fdf5-11e8-9db3-833f231caac8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d", "value": "GC01" }, { "description": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).", "meta": { "refs": [ 
"https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648" ], "synonyms": [ "Golden Chickens", "Golden Chickens02", "Golden Chickens 02" ] }, "related": [ { "dest-uuid": "6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "6d50a8a2-fdf5-11e8-9db3-833f231caac8", "value": "GC02" }, { "description": "The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.\nOperation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. 
We shall leave attribution to the broader security community.", "meta": { "refs": [ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/", "https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/" ] }, "related": [ { "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b06c3af1-0243-4428-88da-b3451c345e1e", "value": "Operation Sharpshooter" }, { "description": "TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.", "meta": { "country": "RU", "refs": [ "https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/", "https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter", "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", "https://threatpost.com/ta505-servhelper-malware/140792/", "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/", "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", 
"https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic", "https://cyberthreat.thalesgroup.com/attackers/ATK103", "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/", "https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain" ], "synonyms": [ "SectorJ04", "SectorJ04 Group", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "ATK103", "Hive0065", "CHIMBORAZO" ] }, "related": [ { "dest-uuid": "b27dcdee-14b1-5842-86b3-32eacec94584", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c85120d0-c397-5d30-9d57-3b019090acd5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", "value": "TA505" }, { "description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. 
The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.\nSimilar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.\nGrim Spider is reportedly associated with Lunar Spider and Wizard Spider.", "meta": { "refs": [ "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" ], "synonyms": [ "GOLD ULRICK" ] }, "uuid": "3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f", "value": "GRIM SPIDER" }, { "description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. 
The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.", "meta": { "country": "RU", "refs": [ "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/", "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://www.secureworks.com/research/threat-profiles/gold-ulrick", "https://www.secureworks.com/research/dyre-banking-trojan", "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic", "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users", "http://www.secureworks.com/research/threat-profiles/gold-blackburn" ], "synonyms": [ "TEMP.MixMaster", "GOLD BLACKBURN", "FIN12" ] }, "related": [ { "dest-uuid": "120dc1ae-e850-5059-a4fb-520748ca6881", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "567ea386-a78f-5550-ae7c-9c9eacdf45af", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f", "value": "WIZARD SPIDER" }, { "description": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.\nMUMMY SPIDER does not follow typical criminal behavioral patterns. In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version.\nAfter a 10 month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects, it is currently acting as a ‘loader’ delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients and a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot.\n MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. 
Therefore, it is highly likely that Emotet is operate", "meta": { "refs": [ "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service", "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return", "https://www.secureworks.com/research/threat-profiles/gold-crestwood" ], "synonyms": [ "TA542", "GOLD CRESTWOOD" ] }, "uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b", "value": "MUMMY SPIDER" }, { "description": "Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA (activities of which have been publicly reported as part of the “Lazarus Group”), because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017. ", "meta": { "refs": [ "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" ] }, "uuid": "d8e1762a-0063-48c2-9ea1-8d176d14b70f", "value": "STARDUST CHOLLIMA" }, { "description": "In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.", "meta": { "refs": [ "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/" ], "synonyms": [ "Nahr Elbard", "Nahr el bared" ] }, "uuid": "7d99d2f7-adf0-44e4-9044-d18ff6842a16", "value": "Cold River" }, { "description": "a relatively new threat actor that’s been operating since mid-2016\nGroup-IB has exposed the attacks committed by the Silence cybercriminal group. 
While the gang had previously targeted Russian banks, Group-IB experts have also discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.\nSilence is a group of Russian-speaking hackers, based on the language of their commands, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.", "meta": { "refs": [ "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/", "https://www.group-ib.com/blog/silence", "https://securelist.com/the-silence/83009/" ], "spoken-language": [ "rus" ], "synonyms": [ "Silence", "WHISPER SPIDER" ] }, "uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726", "value": "Silence group" }, { "description": "APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as \"Chafer.\" However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. 
APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.", "meta": { "attribution-confidence": "50", "country": "IR", "refs": [ "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/", "https://securelist.com/chafer-used-remexi-malware/89538/", "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets", "https://attack.mitre.org/groups/G0087/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-hickman", "https://unit42.paloaltonetworks.com/atoms/radioserpens/" ], "synonyms": [ "Chafer", "REMIX KITTEN", "COBALT HICKMAN", "G0087", "Radio Serpens" ] }, "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", "value": "APT39" }, { "description": "FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. 
The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1.\nThe Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html" ] }, "uuid": "27c97181-b8e9-43e1-93c0-f953cac45326", "value": "Siesta" }, { "description": "Symantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targets in the Middle East. This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign.\nThe group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018.", "meta": { "refs": [ "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" ] }, "uuid": "c79dab01-3f9f-491e-8a5f-6423339c9f76", "value": "Gallmaker" }, { "description": "Throughout 2018, CrowdStrike Intelligence tracked BOSS SPIDER as it regularly updated Samas ransomware and received payments to known Bitcoin (BTC) addresses. This consistent pace of activity came to an abrupt halt at the end of November 2018 when the U.S. 
DoJ released an indictment for Iran-based individuals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, alleged members of the group.", "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://www.secureworks.com/research/threat-profiles/gold-lowell", "https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit", "https://www.secureworks.com/blog/samas-ransomware", "https://www.secureworks.com/blog/ransomware-deployed-by-adversary", "https://www.secureworks.com/research/samsam-ransomware-campaigns" ], "synonyms": [ "GOLD LOWELL" ] }, "uuid": "d6a13387-4c98-4a0c-a516-6c36c081b64c", "value": "BOSS SPIDER" }, { "description": "First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.\nCrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”\n PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. 
The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.", "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ] }, "uuid": "80f07c15-cad3-44a2-a8a4-dd14490b5117", "value": "PINCHY SPIDER" }, { "description": "Early in 2018, CrowdStrike Intelligence observed GURU SPIDER supporting the distribution of multiple crimeware families through its flagship malware loader, Quant Loader.", "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" ] }, "uuid": "0a667713-bc31-4a72-9ea3-34fc094a9dde", "value": "GURU SPIDER" }, { "description": "Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target cryptocurrency users.", "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ] }, "uuid": "7e37be6b-5a94-45f3-bdeb-f494c520eee3", "value": "SALTY SPIDER" }, { "description": "In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.", "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" ] }, "uuid": "4b7df353-fbcc-4f00-a54f-5121c5edb9be", "value": "NOMAD PANDA" }, { "description": "This suspected Iran-based adversary conducted long-running SWC campaigns from December 2016 until public 
disclosure in July 2018. Like other Iran-based actors, the target scope for FLASH KITTEN appears to be focused on the MENA region.", "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" ] }, "uuid": "6e899dd4-f95e-42a0-a5a3-e57249f017cf", "value": "Flash Kitten" }, { "description": "According to CrowdStrike, this actor is using TinyLoader and TinyPOS, potentially buying access through Dridex infections.", "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" ] }, "uuid": "89a05f9f-a6dc-4426-8c15-a8d5ef6d8524", "value": "TINY SPIDER" }, { "description": "According to CrowdStrike, this actor is using BokBot/IcedID, potentially buying distribution through Emotet infections.\nOn March 17, 2019, CrowdStrike Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors.\nLunar Spider is reportedly associated with Grim Spider and Wizard Spider.", "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://www.secureworks.com/research/threat-profiles/gold-swathmore" ], "synonyms": [ "GOLD SWATHMORE" ] }, "uuid": "0db4c708-f33d-4d46-906d-12fdf7415f62", "value": "LUNAR SPIDER" }, { "description": "In July 2018, the source code of Pegasus, RATPAK SPIDER’s malware framework, was anonymously leaked. This malware has been linked to the targeting of Russia’s financial sector. 
Associated malware, Buhtrap, which has been leaked previously, was observed this year in connection with SWC campaigns that also targeted Russian users.", "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" ] }, "uuid": "ec3fda76-8c1c-4019-8109-3f92e6b15633", "value": "RATPAK SPIDER" }, { "meta": { "refs": [ "http://download.ahnlab.com/kr/site/library/%5bAnalysis_Report%5dOperation_Kabar_Cobra.pdf", "https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28102" ] }, "uuid": "9ba291f2-b107-402d-9083-3128395ff26e", "value": "Operation Kabar Cobra" }, { "description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected of coming from South America has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, the petroleum industry, professional manufacturing, etc.", "meta": { "refs": [ "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" ], "synonyms": [ "Blind Eagle" ] }, "uuid": "ae1c64ff-5a37-4291-97f8-ea402c63efd0", "value": "APT-C-36" }, { "description": "Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM. 
This actor targets sensitive government, diplomatic, and military resources in the countries comprising the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom and the United States)", "meta": { "attribution-confidence": "10", "country": "IR", "refs": [ "https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986", "https://threatpost.com/ranian-apt-6tb-data-citrix/142688/", "https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/" ] }, "related": [ { "dest-uuid": "473eb51c-36cb-5e3a-8347-2f57df809be9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "29cfe970-5446-4cfc-a2da-00e9f49e02ba", "value": "IRIDIUM" }, { "description": "SandCat, on the other hand, is a group that was discovered more recently by Kaspersky. One of the Windows vulnerabilities patched by Microsoft in December had been exploited by both FruityArmor and SandCat in attacks targeting the Middle East and Africa. SandCat has been using FinFisher/FinSpy spyware and CHAINSHOT, a piece of malware analyzed earlier this year by Palo Alto Networks. The group has also used the CVE-2018-8589 and CVE-2018-8611 Windows vulnerabilities in its attacks, both of which had a zero-day status when Microsoft released fixes.", "meta": { "refs": [ "https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/" ] }, "uuid": "dc15f388-a353-4185-b28e-015745f708ba", "value": "SandCat" }, { "description": "Operation Comando is a pure cybercrime campaign, possibly with Brazilian origin, with a concrete and persistent focus on the hospitality sector, which proves how a threat actor can be successful in pursuing its objectives while maintaining a cheap budget. 
The use of DDNS services, publicly available remote access tools, and having a minimum knowledge on software development (in this case VB.NET) has been enough for running a campaign lasting months, and potentially gathering credit card information and other possible data. ", "meta": { "refs": [ "https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/" ] }, "uuid": "35c40ce2-57c0-479e-8a56-efbb8695e395", "value": "Operation Comando" }, { "description": "A threat actor which is active since at least November 2014. This group launched long-term attacks against organizations in the Syrian region using Android and Windows malware. Its objective is the theft of sensitive information.", "meta": { "country": "SY", "refs": [ "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/", "https://ti.360.net/blog/articles/analysis-of-apt-c-27/", "https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf" ], "since": "2014", "suspected-victims": [ "Middle East", "Syria" ], "synonyms": [ "GoldMouse", "Golden RAT", "ATK80" ] }, "uuid": "ee7f535d-cc3e-40f3-99f3-c97963cfa250", "value": "APT-C-27" }, { "description": "Newly discovered supply chain attack that leveraged ASUS Live Update software.\nThe goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. 
Of course, there might be other samples out there with different MAC addresses in their list.", "meta": { "refs": [ "https://securelist.com/operation-shadowhammer/89992/" ] }, "uuid": "401c30c7-4317-458a-9b0a-379a44d63457", "value": "Operation ShadowHammer" }, { "description": "In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.", "meta": { "refs": [ "https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore", "https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J" ] }, "uuid": "943f490e-ac7f-40fe-b6f3-33e2623649d2", "value": "Whitefly" }, { "description": "This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. 
Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.", "meta": { "refs": [ "https://blog.talosintelligence.com/2019/04/seaturtle.html" ] }, "related": [ { "dest-uuid": "fc91881e-92c0-5a63-a0b9-b253958a594e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "ce7bba52-5ae8-44ea-9979-68502d832ab7", "value": "Sea Turtle" }, { "description": "Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. According to prosecutors, the defendants stole more than 31 terabytes of data from universities, companies, and government agencies around the world. The cost to the universities alone reportedly amounted to approximately $3.4 billion. The information stolen from these universities was used by the Islamic Revolutionary Guard Corps (IRGC) or sold for profit inside Iran. PhishLabs has been tracking this same threat group since late-2017, designating them Silent Librarian. 
Since discovery, we have been working with the FBI, ISAC partners, and other international law enforcement agencies to help understand and mitigate these attacks.", "meta": { "country": "IR", "refs": [ "https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment", "https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment", "https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic", "https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary", "https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again", "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities", "https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian", "https://www.secureworks.com/research/threat-profiles/cobalt-dickens", "https://community.riskiq.com/article/44eb0802" ], "synonyms": [ "COBALT DICKENS", "Mabna Institute", "TA407" ] }, "uuid": "5059b44d-2753-4977-b987-4922f09afe6b", "value": "Silent Librarian" }, { "description": "FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. 
In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.", "meta": { "country": "CN", "refs": [ "https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/", "https://duo.com/decipher/apt-groups-moving-down-the-supply-chain", "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf", "https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists", "https://twitter.com/bkMSFT/status/1201876664667582466", "https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain", "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains", "https://www.secureworks.com/research/threat-profiles/bronze-vinewood", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://research.checkpoint.com/2021/the-story-of-jian", "https://supo.fi/-/suojelupoliisi-tunnisti-eduskuntaan-kohdistuneen-kybervakoiluoperaation-apt31-ksi", "https://poliisi.fi/-/eduskunnan-tietojarjestelmiin-kohdistuneen-tietomurron-tutkinnassa-selvitetaan-yhteytta-apt31-toimijaan", "https://pst.no/alle-artikler/pressemeldinger/etterforskningen-av-datanettverksoperasjonen-mot-fylkesmannsembetene-er-avsluttet", "https://www.nrk.no/norge/pst_-har-etterretning-om-at-kinesisk-gruppe-stod-bak-dataangrep-mot-statsforvaltere-1.15540601", "https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking", "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking", "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china", 
"https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/", "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003", "https://twitter.com/bkMSFT/status/1417823714922610689", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [ "ZIRCONIUM", "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres" ] }, "related": [ { "dest-uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "27eb4928-b3e6-5ae1-bbb6-f73bce8d7c69", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c", "value": "APT31" }, { "description": "BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.\nLike most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. 
Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.", "meta": { "country": "CN", "refs": [ "https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/", "https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/" ], "synonyms": [ "Topgear", "Comnie", "BLACKGEAR" ] }, "uuid": "8b62b20a-5b1c-48af-8424-e8220cd2fbd7", "value": "Blackgear" }, { "description": "BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.", "meta": { "refs": [ "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "https://attack.mitre.org/groups/G0063/" ], "synonyms": [ "G0063" ] }, "uuid": "8fbd195f-5e03-4e85-8ca5-4f1dff300bec", "value": "BlackOasis" }, { "description": "BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology.\nFollowing their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.\nPLEAD is an information theft campaign with a penchant for confidential documents. 
Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop off points for exfiltrated documents stolen by DRIGO.\nPLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router’s VPN feature then register a machine as virtual server. This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets.", "meta": { "country": "CN", "refs": [ "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/", "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", "https://unit42.paloaltonetworks.com/atoms/mangataurus/", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [ "CIRCUIT PANDA", "Temp.Overboard", "HUAPI", "Palmerworm", "G0098", "T-APT-03", "Manga Taurus", "Red Djinn" ] }, "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e", "value": "BlackTech" }, { "description": "FIN5 is a financially 
motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.", "meta": { "refs": [ "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?", "https://attack.mitre.org/groups/G0053/" ], "synonyms": [ "G0053" ] }, "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70", "value": "FIN5" }, { "description": "FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developer(s), and used this malware to access the victim environment and steal cardholder data. FIN1, which may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools, is known for stealing data that is easily monetized from financial services organizations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.", "meta": { "country": "RU", "refs": [ "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html" ] }, "uuid": "13289552-596e-4592-9c81-eeb4db6baf3c", "value": "FIN1" }, { "description": "FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. 
In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.", "meta": { "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", "https://attack.mitre.org/groups/G0051/" ], "synonyms": [ "G0051" ] }, "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79", "value": "FIN10" }, { "description": "Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.\nAttacks on the Dalai Lama’s Private Office The OHHDL started to suspect it was under surveillance while setting up meetings between His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting. 
The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)", "meta": { "refs": [ "http://www.nartv.org/mirror/ghostnet.pdf", "https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf", "https://en.wikipedia.org/wiki/GhostNet" ], "synonyms": [ "Snooping Dragon" ] }, "uuid": "cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d", "value": "GhostNet" }, { "description": "IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. 
The end result is a new banking Trojan in the wild.", "meta": { "refs": [ "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", "https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/", "https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/", "https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation" ] }, "uuid": "7803b380-8c4c-11e9-90a1-f3880ab3aaa0", "value": "GozNym" }, { "description": "A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal.\nThe operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android malware.\nThe threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian opposition, researchers discovered. They called the actor Group5, because it targets Syrian opposition after regime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a group linked to Lebanon did the same in the past", "meta": { "refs": [ "https://www.securityweek.com/iranian-actor-group5-targeting-syrian-opposition", "https://attack.mitre.org/groups/G0043/" ], "synonyms": [ "G0043" ] }, "uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af", "value": "Group5" }, { "description": "McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. 
Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks.\nAdvanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them.\nThe Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.", "meta": { "refs": [ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", "https://attack.mitre.org/groups/G0072/" ], "synonyms": [ "G0072" ] }, "uuid": "2d82a18e-8c53-11e9-b0ec-536b62fa3d86", "value": "Honeybee" }, { "description": "A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the email. For example, one email sent to an academic claimed to be a call for papers for a conference (CFP).\nThe vast majority of the victims were based in India, with some in Malaysia. 
The victim industry was mostly military research and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a ‘shotgun’ like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack with what appeared to be source code stolen. 45 different attacker IP addresses were observed. Out of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous.\nThe attacks have been active from at least April 2011 up to February 2012. The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero day exploits or complicated threats, instead they rely on effective social engineering and lax security measures on the part of the victims.", "meta": { "refs": [ "https://vx-underground.org/papers/luckycat-hackers-12-en.pdf", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf", "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global", "https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic" ], "synonyms": [ "TA413", "White Dev 9" ] }, "uuid": "e502802e-8d0a-11e9-bd72-9f046529b3fd", "value": "Lucky Cat" }, { "description": "There are several groups actively and profitably targeting businesses in Russia. A trend that we have seen unfold before our eyes lately is these cybercriminals’ use of simple backdoors to gain a foothold in their targets’ networks. 
Once they have this access, a lot of the work is done manually, slowly getting to understand the network layout and deploying custom tools the criminals can use to steal funds from these entities. Some of the groups that best exemplify these trends are Buhtrap, Cobalt and Corkow.\nThe group discussed in this white paper is part of this new trend. We call this new group RTM; it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighboring countries.", "meta": { "refs": [ "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf", "https://attack.mitre.org/groups/G0048/" ], "synonyms": [ "G0048" ] }, "uuid": "88100602-8e8b-11e9-bb7c-1bf20b58e305", "value": "RTM" }, { "description": "Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation. 
The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence. The investigation is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The investigation employed a fusion methodology, combining technical interrogation techniques, data analysis, and field research, to track and uncover the Shadow cyber espionage network.", "meta": { "refs": [ "https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf" ] }, "uuid": "ef800f1c-8e90-11e9-972c-53e01614f101", "value": "Shadow Network" }, { "description": "While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.\nWhile for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to MikroTik routers and placed a component downloaded by Winbox Loader, a management suite for MikroTik routers. 
In turn, this infected the administrator of the router.\nWe believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).", "meta": { "refs": [ "https://securelist.com/apt-slingshot/84312/" ] }, "uuid": "4fcbd08a-8ea6-11e9-8bf2-970182ab6bb5", "value": "Slingshot" }, { "description": "The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues. The attackers actively sent out malicious documents and maintained several IP addresses for command and control.\nAs part of their social engineering ploy, the Taidoor attackers attach a decoy document to their emails that, when opened, displays the contents of a legitimate document but executes a malicious payload in the background.\nWe were only able to gather a limited amount of information regarding the Taidoor attackers’ activities after they have compromised a target. We did, however, find that the Taidoor malware allowed attackers to operate an interactive shell on compromised computers and to upload and download files. In order to determine the operational capabilities of the attackers behind the Taidoor campaign, we monitored a compromised honeypot. The attackers issued out some basic commands in an attempt to map out the extent of the network compromise but quickly realized that the honeypot was not an intended target and so promptly disabled the Taidoor malware running on it. 
This indicated that while Taidoor malware were more widely distributed compared with those tied to other targeted campaigns, the attackers could quickly assess their targets and distinguish these from inadvertently compromised computers and honeypots.", "meta": { "refs": [ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", "https://attack.mitre.org/groups/G0015/" ], "synonyms": [ "G0015" ] }, "uuid": "e6669606-91ad-11e9-b6f5-374843911989", "value": "Taidoor" }, { "description": "TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.", "meta": { "capabilities": "TRISIS, custom credential harvesting", "mode-of-operation": "Focused on physical destruction and long-term persistence", "refs": [ "https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/", "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://attack.mitre.org/groups/G0088/", "https://cyberthreat.thalesgroup.com/attackers/ATK91", "https://www.dragos.com/threat/xenotime/" ], "since": "2014", "synonyms": [ "Xenotime", "G0088", "ATK91" ], "victimology": "Oil and Gas, Middle East" }, "uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2", "value": "TEMP.Veles" }, { "description": "In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. 
Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.", "meta": { "refs": [ "https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/", "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf", "https://unit42.paloaltonetworks.com/atoms/windyphoenix/" ], "synonyms": [ "Windy Phoenix" ] }, "uuid": "cbbbfc82-9294-11e9-8e19-2bc14137b25b", "value": "WindShift" }, { "description": "Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year. Note - most of the leaks are posted on Telegram channels that were created specifically for this purpose.\nBelow are the three main Telegram groups on which the leaks were posted:\nLab Dookhtegan pseudonym (\"The people whose lips are stitched and sealed\" – translation from Persian) – In this channel attack tools attributed to the group 'OilRig' were leaked; including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more.\nGreen Leakers – In this channel attack tools attributed to the group 'MuddyWater' were leaked. 
The group's name and its symbol are identified with the \"green movement\", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the Revolutionary Guards (IRGC).\nBlack Box – Unlike the previous two channels this has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as \"secret\" (a high confidentiality level in Iran, one level below the highest, top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.", "meta": { "refs": [ "https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf" ] }, "uuid": "f50a5f64-9296-11e9-9b46-a331d01a008d", "value": "[Unnamed group]" }, { "description": "DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that encrypts files using a combination of cryptographic algorithms: RSA with a key size of 2,048 bits, and AES with a key size of 128 bits. Locky targets a large number of file extensions and is able to encrypt data on shared network drives. In an attempt to further impact victims and prevent file recovery, Locky deletes all of the Shadow Volume Copies on the machine.\nDUNGEON SPIDER primarily relies on broad spam campaigns with malicious attachments for distribution. Locky is the community/industry name associated with this actor.", "meta": { "refs": [ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-october-dungeon-spider/" ] }, "uuid": "f1da463c-9297-11e9-875a-d327fc8282f2", "value": "DUNGEON SPIDER" }, { "description": "Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground. 
Some of the known Fxmsp TTPs included accessing network environments via externally available remote desktop protocol (RDP) servers and exposed Active Directory.\nMost recently, the actor claimed to have developed a credential-stealing botnet capable of infecting high-profile targets in order to exfiltrate sensitive usernames and passwords. Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal.", "meta": { "refs": [ "https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies" ] }, "uuid": "686f4fe0-9298-11e9-b02a-af9595918956", "value": "Fxmsp" }, { "description": "The hacker said that he put up the data for sale mainly because these companies had failed to protect passwords with strong encryption algorithms like bcrypt.\nMost of the hashed passwords the hacker put up for sale today can be cracked with various levels of difficulty -- but they can be cracked.\n\"I got upset because I feel no one is learning,\" the hacker told ZDNet in an online chat earlier today. \"I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry.\"\nIn a conversation with ZDNet last month, the hacker told us he wanted to hack and put up for sale more than one billion records and then retire and disappear with the money.\nBut in a conversation today, the hacker says this is not his target anymore, as he learned that other hackers have already achieved the same goal before him.\nGnosticplayers also revealed that not all the data he obtained from hacked companies had been put up for sale. Some companies gave in to extortion demands and paid fees so breaches would remain private.\n\"I came to an agreement with some companies, but the concerned startups won't see their data for sale,\" he said. 
\"I did it that's why I can't publish the rest of my databases or even name them.\"", "meta": { "refs": [ "https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/", "https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/", "https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/", "https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/", "https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/" ] }, "uuid": "f32e3682-9298-11e9-8dcb-639156d97cd1", "value": "Gnosticplayers" }, { "description": "The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since.\nSince being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world.\nThe capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied.\nWhen the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future.\nFollowing the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. 
The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.", "meta": { "refs": [ "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/", "https://en.wikipedia.org/wiki/Hacking_Team", "https://www.vice.com/en_us/article/gvye3m/spy-tech-company-hacking-team-gets-hacked" ] }, "uuid": "d7f0d2a8-9329-11e9-851e-dbfc1c517e4e", "value": "Hacking Team" }, { "description": "OurMine is known for hijacking celebrity internet accounts, often causing cyber vandalism, to advertise their commercial services.\n(Trend Micro) In light of the recent report detailing its willingness to pay US$250,000 in exchange for the 1.5 terabytes’ worth of data swiped by hackers from its servers, HBO finds itself dealing with yet another security breach.\nKnown for hijacking prominent social media accounts, the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network. These include accounts for HBO shows, such as “Game of Thrones,” “Girls,” and “Ballers.”\nThis is not the first time that OurMine has claimed responsibility for hacking high-profile social networking accounts. Last year, the group victimized Marvel, The New York Times, and even the heads of some of the biggest technology companies in the world. 
Mark Zuckerberg, Jack Dorsey, Sundar Pichai, and Daniel Ek — the CEOs of Facebook, Twitter, Google and Spotify, respectively — have also fallen victim to the hackers, dispelling the notion that a career in software and technology exempts one from being compromised.", "meta": { "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hbo-twitter-and-facebook-accounts-hacked-by-ourmine", "https://gizmodo.com/welp-vevo-just-got-hacked-1813390834", "https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/", "https://en.wikipedia.org/wiki/OurMine" ] }, "uuid": "2c9e1964-9357-11e9-ad8f-5f422851e912", "value": "OurMine" }, { "description": "Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors of Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third-party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are of Chinese origin. We have labeled the undetected Linux.Antd variants Linux.GreedyAntd and classified the threat actor as Pacha Group.", "meta": { "refs": [ "https://www.intezer.com/blog-technical-analysis-pacha-group/", "https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/" ] }, "uuid": "aa469d96-9357-11e9-bd7d-df125c7cba53", "value": "Pacha Group" }, { "description": "This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability.\nIn late July, we became aware that the same actor was engaged in another similar campaign. 
Through our investigation into this new campaign, we were able to uncover more details about the actor.", "meta": { "refs": [ "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html", "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/", "https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/", "https://unit42.paloaltonetworks.com/atoms/agedlibra/" ], "synonyms": [ "Aged Libra" ] }, "uuid": "53583c40-935e-11e9-b4fc-d7e217a306d2", "value": "Rocke" }, { "description": "An unnamed source leaked almost 10,000 documents describing a large number of 0-day vulnerabilities, methodologies and tools that had been collected by the CIA. The leaking was done through WikiLeaks, starting in March 2017. In weekly publications, the dumps were said to come from Vault 7 and later Vault 8.\nMost of the published vulnerabilities have since been fixed by the respective vendors, but many have been used by other threat actors. The leaker turned out to be a former CIA software engineer, who was charged in 2018.\n(WikiLeaks) Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named \"Vault 7\" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.\nThe first full part of the series, \"Year Zero\", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.\nRecently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized \"zero day\" exploits, malware remote control systems and associated documentation. 
This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.\n\"Year Zero\" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of \"zero day\" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.", "meta": { "refs": [ "https://wikileaks.org/ciav7p1/", "https://www.justice.gov/opa/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other-offenses" ] }, "uuid": "9f133738-935f-11e9-aa5e-bbf8d91abb46", "value": "[Vault 7/8]" }, { "description": "On April 7, 2017, Pytor Levashov — who predominantly used the alias Severa or Peter Severa and whom Falcon Intelligence tracks as ZOMBIE SPIDER — was arrested in an international law enforcement operation led by the FBI. ZOMBIE SPIDER’s specialty was large-scale spam distribution, a fundamental component of cybercrime operations. Levashov was the primary threat actor behind a botnet known as Kelihos and its predecessors, Waledac and Storm. 
In addition to Levashov’s arrest, there was a technical operation conducted by Falcon Intelligence to seize control of the Kelihos botnet.", "meta": { "refs": [ "https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/", "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/", "https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf" ] }, "uuid": "e01b8f3a-9366-11e9-9c6f-17ba128aa4b6", "value": "ZOMBIE SPIDER" }, { "description": "In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner-workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.\nDuring the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. 
We decided to call the operation “ViceLeaker”, because of strings and variables in its code.", "meta": { "refs": [ "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" ] }, "uuid": "f676fcd1-cde9-4d0a-8958-221f2abb56e9", "value": "ViceLeaker" }, { "description": "Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling \"SWEED,\" including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.\nSWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).", "meta": { "refs": [ "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html" ] }, "uuid": "64ac8827-89d9-4738-9df3-cd955c628bee", "value": "SWEED" }, { "description": "Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. 
Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.", "meta": { "country": "CN", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", "https://www.recordedfuture.com/china-linked-ta428-threat-group", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop", "https://blog.group-ib.com/task", "https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op", "https://www.youtube.com/watch?v=1WfPlgtfWnQ", "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf", "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf" ], "synonyms": [ "Colourful Panda", "BRONZE DUDLEY" ] }, "uuid": 
"5533d062-18ab-4c70-9472-0eac03f95a1d", "value": "TA428" }, { "meta": { "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/", "https://www.clearskysec.com/siamesekitten/", "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" ], "synonyms": [ "COBALT LYCEUM", "HEXANE", "Spirlin", "siamesekitten" ] }, "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", "value": "LYCEUM" }, { "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.", "meta": { "cfr-suspected-state-sponsor": "People's Republic of China", "cfr-suspected-victims": [ "China", "France", "Hong Kong", "India", "Italy", "Japan", "Myanmar", "Netherlands", "Singapore", "South Korea", "South Africa", "Switzerland", "Thailand", "Turkey", "United Kingdom", "United States" ], "cfr-target-category": [ "Automotive", "Business", "Services", "Cryptocurrency", "Education", "Energy", "Financial", "Healthcare", "High-Tech", "Intergovernmental", "Media and Entertainment", "Pharmaceuticals", "Private sector", "Retail", "Telecommunications", "Travel" ], "country": "CN", "refs": [ "https://securelist.com/winnti-faq-more-than-just-a-game/57585/", "https://securelist.com/winnti-more-than-just-a-game/37029/", "http://williamshowalter.com/a-universal-windows-bootkit/", "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/", "https://securelist.com/games-are-over/70991/", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a", "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341", "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004", "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/", "https://401trg.com/burning-umbrella/", "https://attack.mitre.org/groups/G0044/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://www.secureworks.com/research/threat-profiles/bronze-export", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer", "https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf", "https://www.cfr.org/cyber-operations/winnti-umbrella", "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html", "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/", "https://www.mandiant.com/resources/report-apt41-double-dragon-a-dual-espionage-and-cyber-crime-operation", "https://www.cfr.org/cyber-operations/apt-41", "https://attack.mitre.org/groups/G0096", "https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf" ], "synonyms": [ "G0096", "TA415", "Blackfly", "Grayfly", 
"LEAD", "BARIUM", "WICKED SPIDER", "WICKED PANDA", "BRONZE ATLAS", "BRONZE EXPORT", "Red Kelpie", "G0044", "Earth Baku", "Amoeba", "HOODOO", "Brass Typhoon" ] }, "related": [ { "dest-uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "similar" }, { "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f542442e-ba0f-425d-b386-6c10351a468e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "value": "APT41" }, { "description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. 
In at least two organizations, evidence suggests that the attackers gained domain admin-level access.", "meta": { "refs": [ "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain", "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897" ], "synonyms": [ "IMPERIAL KITTEN" ] }, "uuid": "5f108484-db7f-11e9-aaa4-fb0176425734", "value": "Tortoiseshell" }, { "description": "Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.", "meta": { "refs": [ "https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/", "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/", "https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html" ], "synonyms": [ "Evil Eye", "Red Dev 16", "Earth Empusa" ] }, "uuid": "7aa99279-4255-4d26-bb95-12e7156555a0", "value": "POISON CARP" }, { "description": "Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. 
In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. (Note confusion between Malware, Campaign and ThreatActor)", "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals", "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks", "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new" ] }, "uuid": "5cd95926-0098-435e-892d-9c9f61763ad7", "value": "TA410" }, { "description": "In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attack focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.", "meta": { "refs": [ "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" ], "threat-actor-classification": [ "operation" ] }, "related": [ { "dest-uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" }, { "dest-uuid": "6085aad0-1d95-11ea-a140-078d42aced40", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d", "value": "Operation Soft Cell" }, { "description": "We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. 
There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.", "meta": { "refs": [ "https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/" ], "threat-actor-classification": [ "operation" ] }, "uuid": "75db4269-924b-4771-8f62-0de600a43634", "value": "Operation WizardOpium" }, { "description": "The activity of the Calypso group was first detected by specialists of PT Expert Security Center in March 2019, during threat-hunting work. As a result, many malware samples of this group were obtained, and affected organizations and the intruders' control servers were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data; the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand and Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.", "meta": { "refs": [ "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" ], "synonyms": [ "BRONZE MEDLEY" ] }, "uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3", "value": "Calypso" }, { "description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, the German Federal Central Tax Office, with lookalike domains, verbiage, and stolen branding in the emails. 
For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).", "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://adversary.crowdstrike.com/adversary/twisted-spider/", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic", "http://www.secureworks.com/research/threat-profiles/gold-village" ], "synonyms": [ "Maze Team", "TWISTED SPIDER", "GOLD VILLAGE" ] }, "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d", "value": "TA2101" }, { "description": "As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations from all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, and government dissidents. 
The campaign, Qihoo 360 said, was broad, and appears to have been carried by a threat actor with considerable resources, and one who had the ability to develop their private hacking tools, buy expensive spyware off the surveillance market, and even invest in radio communications interception hardware.", "meta": { "refs": [ "http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html", "https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/" ], "synonyms": [ "Golden Falcon" ] }, "uuid": "feb0cfef-0472-4108-83d7-1a322d8ab86b", "value": "APT-C-34" }, { "description": "Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.", "meta": { "refs": [ "https://www.systemtek.co.uk/2018/07/luoxk-malware-exploiting-cve-2018-2893/" ], "since": "2017" }, "uuid": "69e11692-691e-4bfb-9557-4e2a271684ed", "value": "luoxk" }, { "description": "An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. 
To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.", "meta": { "refs": [ "https://securelist.com/apt-trends-report-q1-2018/85280/", "https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/", "https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/", "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html", "https://s.tencent.com/research/report/659.html", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf", "https://s.tencent.com/research/report/479.html", "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg" ], "synonyms": [ "SideWinder", "Rattlesnake", "APT-C-17", "T-APT-04" ] }, "related": [ { "dest-uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "c4ce1174-9462-47e9-8038-794f40a184b3", "value": "RAZOR TIGER" }, { "description": "Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.\nThis report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. 
With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.", "meta": { "refs": [ "https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/" ] }, "uuid": "c432d032-ce2b-4eb8-ba87-312b2a43fb7a", "value": "Operation Wocao" }, { "description": "Based on the evidence we have presented, Symantec attributed the activity involving the Dripion malware to the Budminer advanced threat group. While we have not seen new campaigns using Taidoor malware since 2014, we believe the Budminer group has changed tactics to avoid detection after being outed publicly in security white papers and blogs over the past few years.", "meta": { "country": "CN", "refs": [ "https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan", "https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm", "https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf" ], "suspected-victims": "Taiwan", "synonyms": [ "Budminer cyberespionage group" ] }, "uuid": "2eb0dc7a-cef6-4744-92ac-2fe269dacb95", "value": "Budminer" }, { "description": "Adversary group targeting diplomatic missions and governmental organisations.", "meta": { "cfr-target-category": [ "Private sector", "Government" ], "cfr-type-of-incident": "Espionage", "refs": [ "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform" ] }, "uuid": "947a450a-df6c-4c2e-807b-0da8ecea1d26", "value": "Attor" }, { "description": "According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific 
research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.", "meta": { "cfr-target-category": [ "Private sector", "Government", "Military", "Scientific Research", "Finance" ], "cfr-type-of-incident": "Espionage", "refs": [ "https://mp.weixin.qq.com/s/S-hiGFNC6WXGrkjytAVbpA", "https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/" ], "suspected-victims": "China", "synonyms": [ "Sapphire Mushroom", "Blue Mushroom", "NuclearCrisis" ] }, "uuid": "53771ca5-f1cb-47b6-a92a-53a485307cf7", "value": "APT-C-12" }, { "description": "Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.", "meta": { "cfr-suspected-victims": [ "Ukraine" ], "cfr-target-category": [ "Government" ], "cfr-type-of-incident": "Espionage", "refs": [ "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/" ] }, "uuid": "87af83a4-ced4-4e7c-96a6-86612dc095b1", "value": "InvisiMole" }, { "description": "Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions. These campaigns used macro-enabled Microsoft documents to deliver the PowerShell Empire post-exploitation framework. 
ANTHROPOID SPIDER likely enabled a breach that allegedly involved fraudulent transfers over the SWIFT network.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest", "https://fortiguard.com/encyclopedia/botnet/7630456" ], "synonyms": [ "Empire Monkey", "CobaltGoblin" ] }, "uuid": "559a64d8-8657-4a93-9208-060d52efdec4", "value": "ANTHROPOID SPIDER" }, { "description": "Opportunistic actor that installs custom root certificate on victim to support man-in-the-middle network monitoring.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf" ] }, "uuid": "2d2f3b53-c544-4823-a65f-da53ff8f594e", "value": "CLOCKWORK SPIDER" }, { "description": "In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike Intelligence observed multiple BGH incidents attributed to the group, with the largest known ransomware demand being 250 BTC. 
Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "http://www.secureworks.com/research/threat-profiles/gold-heron" ], "synonyms": [ "GOLD HERON" ] }, "uuid": "2154b183-c5c5-418f-8e47-f6e999b64e30", "value": "DOPPEL SPIDER" }, { "description": "Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ] }, "uuid": "168a9e38-70e3-4542-b78f-afa2414436bb", "value": "MONTY SPIDER" }, { "description": "NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "http://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware", "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes" ], "synonyms": [ "GOLD ESSEX", "TA544" ] }, "uuid": "fda9cdea-0017-495e-879d-0f348db2aa07", "value": "NARWHAL SPIDER" }, { "description": "Mentioned as MaaS operator in CrowdStrike's 2020 Report.", "meta": { "refs": [ 
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ] }, "uuid": "c042c592-25f6-4887-8a1b-6b8e3bfdcf0c", "value": "NOCTURNAL SPIDER" }, { "description": "Mentioned as operator of DanaBot in CrowdStrike's 2020 Report.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ] }, "uuid": "7fb1662e-0257-4606-b3a2-bf294c64c098", "value": "SCULLY SPIDER" }, { "description": "Mentioned as operator of SmokeLoader in CrowdStrike's 2020 Report.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ] }, "uuid": "e27796eb-624a-4e41-aa40-52d47c764b07", "value": "SMOKY SPIDER" }, { "description": "VENOM SPIDER is the developer of a large toolset that includes SKID, VenomKit and Taurus Loader. Under the moniker 'badbullzvenom', the adversary has been an active member of Russian underground forums since at least 2012, specializing in the identification of vulnerabilities and the subsequent development of tools for exploitation, as well as for gaining and maintaining access to victim machines and carding services. Recent advertisements for the malware indicate that VENOM SPIDER limits the sale and use of its tools, selling modules only to trusted affiliates. 
This preference can be seen in the fact that adversaries observed using the tools include the targeted criminal adversary COBALT SPIDER and BGH adversaries WIZARD SPIDER and PINCHY SPIDER.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2" ], "synonyms": [ "badbullzvenom", "badbullz" ] }, "uuid": "86b4e2f3-8bbf-48fd-9d27-034d3ac3b187", "value": "VENOM SPIDER" }, { "description": "Operation Shadow Force is a cluster of activity, characterized by the Shadow Force and Wgdrop malware families from 2013 to 2020, that attacks Korean companies and organizations. The group's first confirmed attack was in March 2013, but judging from the creation dates of its malware it is likely to have been active before 2012. Because the malware it mainly uses is Shadow Force, the activity was named Operation Shadow Force; it has not been confirmed whether the attacker is associated with any known group.", "meta": { "refs": [ "https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=29129", "https://mobile.twitter.com/mstoned7/status/1247361687570673664" ] }, "uuid": "f628b544-48b6-44e2-b794-950713353cf1", "value": "Operation Shadow Force" }, { "description": "Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. 
In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by applying a mitigation.", "meta": { "refs": [ "https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/", "https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html" ] }, "uuid": "21d08f2c-97b2-444e-be49-8457093b841a", "value": "NOTROBIN" }, { "description": "ItaDuke is an actor known since 2013. It used PDF exploits to drop malware and Twitter accounts to store C2 server URLs. In 2018, an actor named DarkUniverse, which was active between 2009 and 2017, was attributed to ItaDuke by Kaspersky.", "meta": { "refs": [ "https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/", "https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html", "https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465" ], "synonyms": [ "DarkUniverse", "SIG27" ] }, "uuid": "d0b900fa-84b4-11ea-bc55-0242ac130003", "value": "ItaDuke" }, { "description": "This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. 
Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.", "meta": { "refs": [ "https://www.epicturla.com/blog/the-lost-nazar" ], "synonyms": [ "SIG37" ] }, "uuid": "169187c5-9fbe-42df-ae92-6e35846db021", "value": "Nazar" }, { "description": "The group often times its phishing activity around significant North Korean dates, such as holidays and national commemorations. Lures include New Year greetings, Lantern Festival greetings, North Korean celebrations, important news items, contact lists of overseas personnel and so on. The group also has the capability to attack mobile devices. Its targets include diplomatic entities related to North Korea (such as embassy officials in various locations), government officials, human rights organizations, North Korean residents abroad and traders. Victim countries observed so far include China, North Korea, Japan, Nepal, Singapore, Russia, Poland and Switzerland.", "meta": { "cfr-suspected-state-sponsor": "Korea (Republic of)", "cfr-suspected-victims": [ "China", "North Korea", "Japan", "Nepal", "Singapore", "Russia", "Poland", "Switzerland" ], "cfr-target-category": [ "Government" ], "country": "KR", "refs": [ "https://s.tencent.com/research/report/836.html", "https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" ] }, "uuid": "a9df6cb7-74ff-482f-b23b-ac40e975a31a", "value": "Higaisa" }, { "description": "COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO's custom spyware families, SABER1 and SABER2, include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. 
ZooPark was publicly exposed in 2018 in both vendor reporting and a high profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers’ discovery of new C2 domains in 2019 suggests the group is still actively performing operations.", "meta": { "refs": [ "https://www.secureworks.com/research/threat-profiles/cobalt-juno" ], "synonyms": [ "APT-C-38 (QiAnXin)", "SABER LION", "TG-2884 (SCWX CTU)" ] }, "uuid": "4687e1ab-a361-4165-b142-00845f4b2c62", "value": "COBALT JUNO" }, { "description": "COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complementary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. 
CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.", "meta": { "refs": [ "https://www.secureworks.com/research/threat-profiles/cobalt-katana", "https://unit42.paloaltonetworks.com/atoms/hunter-serpens/" ], "synonyms": [ "Hive0081 (IBM)", "SectorD01 (NHSC)", "xHunt campaign (Palo Alto)", "Hunter Serpens" ] }, "uuid": "d1c25b0e-e4c5-4b7c-b790-2e185cb2f07e", "value": "COBALT KATANA" }, { "description": "Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries.\nDark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.\nWe also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.\nWe link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities.", "meta": { "refs": [ "https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/", "https://github.com/citizenlab/malware-indicators/tree/master/202006_DarkBasin" ] }, "uuid": "3cbc52d5-fe4d-4d7a-a5e9-641b7c073d62", "value": "Dark Basin" }, { "description": "GALLIUM is a threat actor believed to be targeting telecommunications providers around the world, mostly in South-East Asia, Europe and Africa. 
To compromise targeted networks, GALLIUM targets unpatched internet-facing services using publicly available exploits and has been known to target vulnerabilities in WildFly/JBoss.", "meta": { "refs": [ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://www.youtube.com/watch?v=fBFm2fiEPTg", "https://troopers.de/troopers22/talks/7cv8pz/", "https://unit42.paloaltonetworks.com/atoms/alloytaurus/" ], "synonyms": [ "Red Dev 4", "Alloy Taurus" ] }, "related": [ { "dest-uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" }, { "dest-uuid": "6085aad0-1d95-11ea-a140-078d42aced40", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" }, { "dest-uuid": "ae4036de-c901-5f21-808a-f5c071ef509b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c", "value": "GALLIUM" }, { "description": "ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. 
The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.", "meta": { "refs": [ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://securelist.com/deathstalker-mercenary-triumvirate/98177/", "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/" ], "synonyms": [ "DeathStalker" ] }, "uuid": "b6f3150f-2240-4c57-9dda-5144c5077058", "value": "Evilnum" }, { "description": "PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian government. This adversary appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government. According to DRAGOS, they also targeted ICS-related entities using known VPN vulnerabilities. 
They are widely known to use open source penetration testing tools for reconnaissance and to establish encrypted communications.", "meta": { "country": "IR", "refs": [ "https://youtu.be/pBDu8EGWRC4?t=2492", "https://www.dragos.com/threat/parisite", "https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf", "https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf", "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf", "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices", "https://www.crowdstrike.com/blog/who-is-pioneer-kitten", "https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum", "https://us-cert.cisa.gov/ncas/alerts/aa20-259a" ], "synonyms": [ "PIONEER KITTEN", "PARISITE", "UNC757" ] }, "related": [ { "dest-uuid": "0757856a-1313-57d8-bb6c-f4c537e110da", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "bfb0bc20-5bdf-47ff-b07f-dbd9a3cb9772", "value": "Fox Kitten" }, { "description": "Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that: a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.", "meta": { "refs": [ "https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/", "https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf", "https://github.com/eset/malware-ioc/tree/master/xdspy/" ] }, "uuid": "b205584e-db93-433a-b97a-7f2e19d8c188", "value": "XDSpy" }, { "description": "Evil Corp is an international cybercrime network. 
In December 2019 the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. The group is held responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.", "meta": { "refs": [ "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", "https://en.wikipedia.org/wiki/Maksim_Yakubets", "https://www.bbc.com/news/world-us-canada-53195749", "http://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation" ], "synonyms": [ "GOLD DRAKE" ] }, "uuid": "c30fbdc8-b66d-4242-a02a-e01946bc86d8", "value": "Evil Corp" }, { "description": "In April 2020, CrowdStrike Falcon OverWatch discovered Iran-based adversary TRACER KITTEN conducting malicious interactive activity against multiple hosts at a telecommunications company in the Europe, Middle East and Africa (EMEA) region. The actor was found operating under valid user accounts, using custom backdoors in combination with SSH tunnels for C2. The adversary leveraged their foothold to conduct a variety of reconnaissance activities, undertake credential harvesting and prepare for data exfiltration.", "meta": { "country": "IR", "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf" ] }, "uuid": "6cc574c0-3dfa-459c-933a-4c63490c4e93", "value": "TRACER KITTEN" }, { "description": "FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlock. 
In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity (FireEye). Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in a few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods, from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020, are part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion. Notably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider, Gold Evergreen, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. 
Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html", "https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html", "https://www.brighttalk.com/webcast/7451/447347" ], "synonyms": [ "TEMP.Warlock", "UNC902" ] }, "related": [ { "dest-uuid": "b27dcdee-14b1-5842-86b3-32eacec94584", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "c01aadc6-1087-4e8e-8d5c-a27eba409fe3", "value": "FIN11" }, { "description": "UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware. Earlier this year, Mandiant published a blog on a fast-moving adversary deploying RYUK ransomware, UNC1878. Shortly after its release, there was a significant decrease in observed UNC1878 intrusions and RYUK activity overall almost completely vanishing over the summer. But beginning in early fall, Mandiant has seen a resurgence of RYUK along with TTP overlaps indicating that UNC1878 has returned from the grave and resumed their operations.", "meta": { "refs": [ "https://twitter.com/anthomsec/status/1321865315513520128", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456", "https://www.youtube.com/watch?v=CgDtm05qApE", "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html" ] }, "uuid": "3c2bb7d7-a085-4594-adc7-4a20cf724abb", "value": "UNC1878" }, { "description": "Throughout 2019, multiple companies in the Taiwan high-tech ecosystem were victims of an advanced persistent threat (APT) attack. 
Because these APT attacks share similar behavior profiles (similar adversary tactics, techniques and procedures, or TTPs) with each other and with previously documented cyberattacks, CyCraft assesses with high confidence that the new attacks were conducted by the same foreign threat actor. During its investigation, CyCraft dubbed this threat actor Chimera. “Chimera” stands for the synthesis of hacking tools the group has been seen to use, such as the skeleton key malware that contained code extracted from both Dumpert and Mimikatz. The entirety of the new attacks using the Skeleton Key technique, from late 2018 to late 2019, CyCraft has dubbed Operation Skeleton Key.", "meta": { "refs": [ "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ] }, "uuid": "c8b961fe-3698-41ac-aba1-002ee3c19531", "value": "Red Charon" }, { "description": "Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. 
MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.", "meta": { "attribution-confidence": "100", "country": "RU", "refs": [ "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://pastebin.com/6EDgCKxd", "https://github.com/fireeye/sunburst_countermeasures", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware", "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html", "https://unit42.paloaltonetworks.com/atoms/solarphoenix/" ], "synonyms": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix" ] }, "related": [ { "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "31982812-c8bf-5e85-b0ba-0c64a7d05d20", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": 
"2ee5ed7a-c4d0-40be-a837-20817474a15b", "value": "UNC2452" }, { "description": "In early February, 2021 TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim.\nThey're linked to the First Crypto-Mining Worm to Steal AWS Credentials and Hildegard Cryptojacking malware.\nTeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out with their social media presence and penchant for self-promotion. Tweets from TeamTNT’s account are in both English and German although it is unknown if they are located in Germany.", "meta": { "refs": [ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt", "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment", "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool", "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html", "https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45", "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/", "https://unit42.paloaltonetworks.com/atoms/adept-libra/" ], "synonyms": [ "Adept Libra" ] }, "uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba", "value": "TeamTNT" }, { "description": "HAFNIUM primarily targets 
entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. 
HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.", "meta": { "attribution-confidence": "100", "country": "CN", "refs": [ "https://attack.mitre.org/groups/G0125/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day", "https://twitter.com/ESETresearch/status/1366862946488451088", "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "https://us-cert.cisa.gov/ncas/alerts/aa21-062a", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289", "https://github.com/microsoft/CSS-Exchange/tree/main/Security", "https://github.com/cert-lv/exchange_webshell_detection", "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits", "https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021", "https://pastebin.com/J4L3r2RS", "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md", "https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server", "https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite", "https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk", 
"https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks", "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking", "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" ], "synonyms": [ "ATK233", "G0125", "Operation Exchange Marauder", "Red Dev 13" ] }, "related": [ { "dest-uuid": "fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" }, { "dest-uuid": "9728610a-17cb-5cac-9322-ef19ae296a29", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", "value": "HAFNIUM" }, { "description": "RedEcho: The group made heavy use of AXIOMATICASYMPTOTE — a term we use to track infrastructure that comprises ShadowPad C2s, which is shared between several Chinese threat activity groups", "meta": { "refs": [ "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/", "https://therecord.media/redecho-group-parks-domains-after-public-exposure/" ] }, "uuid": "986fcc3f-5f36-4975-bf5f-c42524466bbd", "value": "RedEcho" }, { "description": "Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Belarus", "cfr-suspected-victims": [ "Germany", "Latvia", "Lithuania", "Poland", "Ukraine" ], "cfr-target-category": [ "Government" ], "country": "BY", "refs": [ 
"https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html", "https://twitter.com/hatr/status/1377220336597483520", "https://www.mandiant.com/resources/unc1151-linked-to-belarus-government", "https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag", "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/" ], "synonyms": [ "UNC1151", "TA445", "PUSHCHA" ] }, "related": [ { "dest-uuid": "60ac9e2c-b3b2-5c6b-913e-935952e14c28", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5", "value": "Ghostwriter" }, { "description": "RiskIQ characterizes the Yanbian Gang as a group that targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank.", "meta": { "cfr-suspected-victims": [ "South Korea", "Japan" ], "refs": [ "https://www.riskiq.com/blog/external-threat-management/yanbian-gang-malware-distribution/", "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html", "https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html", "https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-malware-gang-steals-millions-from-south-korean-users/" ] }, "uuid": "eaeae8e9-cc4b-4be8-82fd-8edc65ff9a5e", "value": "Yanbian Gang" }, { "description": "Crowdstrike Tracks the criminal 
developer of Nemty ransomware as TRAVELING SPIDER. The actor has been observed to take advantage of single-factor authentication to gain access to victim organizations through Citrix Gateway and send extortion-related emails using the victim’s own Microsoft Office 365 instance.", "meta": { "refs": [ "https://www.cyberscoop.com/coronavirus-hacking-disinformation-ransomware-spearphishing/", "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeServicesCyberFrontLines.pdf" ] }, "uuid": "a515632e-3374-4602-911e-4f4e259ae0fd", "value": "TRAVELING SPIDER" }, { "description": "Crowdstrike tracks the operators behind Qbot as MALLARD SPIDER", "meta": { "refs": [ "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/", "http://www.secureworks.com/research/threat-profiles/gold-lagoon" ], "synonyms": [ "GOLD LAGOON" ] }, "uuid": "08f4bfa6-8326-42b5-a9e2-d6e1c360a160", "value": "MALLARD SPIDER" }, { "description": "According to Crowdstrike, RIDDLE SPIDER is the operator behind the Avaddon ransomware", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ] }, "uuid": "090d0553-cdcf-4f4e-ae3b-b5d751acaf5d", "value": "RIDDLE SPIDER" }, { "description": "GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) during some intrusions. 
Since July 2020, the group has also used GOLD SWATHMORE's IcedID (Bokbot) malware as an IAV in some intrusions.", "meta": { "refs": [ "https://www.secureworks.com/research/threat-profiles/gold-dupont", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", "https://www.youtube.com/watch?v=qxPXxWMI2i4" ], "synonyms": [ "SPRITE SPIDER" ] }, "uuid": "3570552c-c46f-428e-9472-744a14e6ece7", "value": "GOLD DUPONT" }, { "description": "KNOCKOUT SPIDER has conducted low-volume spear-phishing campaigns focused on companies involved in cryptocurrency.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ] }, "uuid": "0fb7b53a-77d5-44c5-b500-1d612f262172", "value": "KNOCKOUT SPIDER" }, { "description": "SOLAR SPIDER’s phishing campaigns deliver the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ] }, "uuid": "f65103ad-f051-47c3-b90e-c77239a4d65c", "value": "SOLAR SPIDER" }, { "description": "VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware. While public reporting indicates the group began threatening to leak victim data in February 2020, a dedicated leak site (DLS) was not observed until April 2020. The DLS is hosted on Tor, and similar to other actors, proof of data exfiltration is provided before the stolen data is fully leaked. It was also noted that on Dec. 
22, 2020, a new post made to MountLocker ransomware’s Tor-hosted DLS was titled 'Cartel News' and included details of a victim of VIKING SPIDER’s Ragnar Locker", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf" ] }, "uuid": "ffc02459-3d94-4558-bff0-2e7f0bbf70c6", "value": "VIKING SPIDER" }, { "description": "According to Crowdstrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIRCUS SPIDER. Initially discovered in September 2019 and having a compilation timestamp dating back to 28 August 2019, NetWalker has been found to be used in Big Game Hunting (BGH)-style operations while also being distributed via spam. CIRCUS SPIDER is advertising NetWalker as being a closed-affiliate program, and verifies applicants before they are accepted as an affiliate. The requirements range from providing proof of previous revenue in similar affiliate programs, experience in the field and what type of industry the applicant is targeting.", "meta": { "country": "RU", "refs": [ "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf" ] }, "uuid": "3ebf503c-c554-4ac3-aa3e-3ef114ca2345", "value": "CIRCUS SPIDER" }, { "description": "GOLD EVERGREEN was a financially motivated cybercriminal threat group that operated the Gameover Zeus (aka Mapp, P2P Zeus) botnet until June 2014. 
It encompasses an expansive and long-running criminal conspiracy operated by a confederation of individuals calling themselves The Business Club from the mid-2000s until 2014. GOLD EVERGREEN's technical operation was facilitated primarily through botnets using the Zeus, JabberZeus, and eventually Gameover Zeus malware families. These malware families were designed and maintained by a Russian national, Evgeniy Bogachev (aka 'slavik'), who was indicted by the U.S. DOJ in 2014 and remains a fugitive.", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-evergreen", "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group" ] }, "uuid": "fc1c1d9f-1432-417f-a3bf-e730ddd1d139", "value": "GOLD EVERGREEN" }, { "description": "Crowdstrike tracks the developer of Panda Zeus as BAMBOO SPIDER", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf", "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/" ] }, "uuid": "419599eb-c1ea-4d32-8c9e-0ad61d7c5ba5", "value": "BAMBOO SPIDER" }, { "description": "BOSON SPIDER is a cybercriminal group that was first identified in 2015, inexplicably went dark in the spring of 2016, and appears to be a tightly knit group operating out of Eastern Europe. They have used a variety of distribution mechanisms such as the infamous (and now defunct) Angler exploit kit, and obfuscated JavaScript to reduce detection by antivirus solutions.", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf", "https://www.crowdstrike.com/blog/ecrime-ecosystem/" ] }, "uuid": "9c11a822-2239-42ca-a439-ee57edb44ebf", "value": "BOSON SPIDER" }, { "description": "OVERLORD SPIDER, aka The Dark Overlord. 
Similar to ransomware operators today, OVERLORD SPIDER likely purchased RDP access to compromised servers on underground forums in order to exfiltrate data from corporate networks. The actor was known to attempt to “sell back” the data to the respective victims, threatening to sell the data to interested parties should the victim refuse to pay. There was at least one identified instance of OVERLORD SPIDER successfully selling victim data on an underground market.", "meta": { "refs": [ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1" ] }, "uuid": "b43ce229-feaa-4731-9926-e0970140ab0b", "value": "OVERLORD SPIDER" }, { "description": "On May 7, 2019, Mayor Bernard “Jack” Young confirmed that the network for the U.S. City of Baltimore (CoB) was infected with ransomware, which was announced via Twitter. This infection was later confirmed to be conducted by OUTLAW SPIDER, which is the actor behind the RobbinHood ransomware. The actor demanded to be paid 3 BTC (approximately $17,600 USD at the time) per infected system, or 13 BTC (approximately $76,500 USD at the time) for all infected systems to recover the city’s files.", "meta": { "refs": [ "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeServicesCyberFrontLines.pdf" ] }, "uuid": "ae121063-3960-4834-90d7-66aad69c5e8b", "value": "OUTLAW SPIDER" }, { "description": "MIMIC SPIDER is mentioned only in two summary reports", "meta": { "refs": [ "https://conferences.law.stanford.edu/cyberday/wp-content/uploads/sites/10/2016/10/2a_15GlobalThreatReport_Extracted.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/" ] }, "uuid": "20e2be89-a54d-46c7-a837-1f17359f30ba", "value": "MIMIC SPIDER" }, { 
"description": "According to Crowdstrike, HOUND SPIDER affiliates were arrested in Romania in December 2017", "meta": { "refs": [ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf" ] }, "uuid": "22dd1608-272c-4243-9bda-25eec834a24d", "value": "HOUND SPIDER" }, { "description": "GOLD BURLAP is a group of financially motivated criminals responsible for the development of the Pysa ransomware, also referred to as Mespinoza. Pysa is a cross-platform ransomware with known versions written in C++ and Python. As of December 2020, approximately 50 organizations had reportedly been targeted in Pysa ransomware attacks. The operators leverage 'name and shame' tactics to apply additional pressure to victims. As of January 2021, CTU researchers had found no Pysa advertisements on underground forums, which likely indicates that it is not operated as ransomware as a service (RaaS).", "meta": { "cfr-target-category": [ "Healthcare" ], "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-burlap", "https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf" ], "synonyms": [ "CYBORG SPIDER" ] }, "related": [ { "dest-uuid": "68a7ca8e-2902-43f2-ad23-a77b4c48221d", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "588fb91d-59c6-4667-b299-94676d48b17b", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" } ], "uuid": "d34ca487-1613-4ee5-8930-2ac8a60f945f", "value": "GOLD BURLAP" }, { "description": "GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. 
The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.", "meta": { "refs": [ "https://www.secureworks.com/research/threat-profiles/gold-cabin", "https://attack.mitre.org/groups/G0127/", "https://unit42.paloaltonetworks.com/atoms/monsterlibra/" ], "synonyms": [ "Shakthak", "TA551", "ATK236", "G0127", "Monster Libra" ] }, "uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1", "value": "GOLD CABIN" }, { "description": "GOLD FAIRFAX is a financially motivated cybercriminal threat group responsible for the creation, distribution, and operation of the Ramnit botnet. Ramnit, the phonetic spelling of RMNet, the internal name of the core module, began operation in April 2010 and became widespread in July 2010. A particularly virulent file-infecting component of early Ramnit variants that spreads by modifying executables and HTML files has resulted in the continued prevalence of those early variants. Currently, Ramnit remains an actively maintained and distributed threat. The intent of Ramnit is to intercept and manipulate online financial transactions through modification of web browser behavior ('man-in-the-browser').", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-fairfax" ] }, "uuid": "eadc8c5c-a97d-454e-8e67-475ac60749bf", "value": "GOLD FAIRFAX" }, { "description": "GOLD FLANDERS is a financially motivated group responsible for distributed denial of service (DDOS) attacks linked to extortion emails demanding between 5 and 30 bitcoins. The attacks consist mostly of fragmented UDP packets (DNS and NTP reflection) as well as other traffic that can vary per victim. 
The arrival of the extortion email is timed to coincide with a DDOS attack consisting of traffic between 20 Gbps and 200 Gbps and 12-15 million packets per second, lasting between 20 and 70 minutes targeted at a particular Autonomous System Number (ASN) or group of IP addresses. In some cases victim organisations have replied to these extortion emails and received personal replies from GOLD FLANDERS operators within 20 minutes. ", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-flanders" ] }, "uuid": "20180cbb-27e3-49d5-922e-1e3bddc6c085", "value": "GOLD FLANDERS" }, { "description": "GOLD GALLEON is a financially motivated cybercriminal threat group comprised of at least 20 criminal associates that collectively carry out business email compromise (BEC) and spoofing (BES) campaigns. The group appears to specifically target maritime organizations and their customers. CTU researchers have observed GOLD GALLEON targeting firms in South Korea, Japan, Singapore, Philippines, Norway, U.S., Egypt, Saudi Arabia, and Colombia. The threat actors leverage tools, tactics, and procedures that are similar to those used by other BEC/BES groups CTU researchers have previously investigated, such as GOLD SKYLINE. The groups have used the same caliber of publicly available malware (inexpensive and commodity remote access trojans), crypters, and email lures.", "meta": { "refs": [ "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry", "http://www.secureworks.com/research/threat-profiles/gold-galleon" ] }, "uuid": "6976b33c-a45b-4330-b0d8-8ef029ef830e", "value": "GOLD GALLEON" }, { "description": "GOLD GARDEN was a financially motivated cybercriminal threat group that authored and operated the GandCrab ransomware from January 2018 through May 2019. 
GandCrab was operated as a ransomware-as-a-service operation whereby numerous affiliates distributed the malware and split ransom payments with the core operators. GOLD GARDEN maintained exclusive control of the development of GandCrab and associated command and control (C2) infrastructure. Individual affiliates, of which there were frequently more than a dozen in operation simultaneously, coordinated the distribution of GandCrab through spam emails, web exploit kits, pay-per-install botnets, and scan-and-exploit style attacks. On May 31, 2019 the operators announced they had halted operations with no intent to resume, for unknown reasons. In April 2019 the operators of GOLD GARDEN transferred the source code of GandCrab to GOLD SOUTHFIELD who used it as the foundation of the REvil ransomware operation. GOLD SOUTHFIELD operates a similar affiliate program comprised largely of former GandCrab users and other groups recruited from underground forums.", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-garden" ] }, "uuid": "c0f86de9-888e-42b0-90f4-f313808533ff", "value": "GOLD GARDEN" }, { "description": "GOLD MANSARD is a financially motivated cybercriminal threat group that operated the Nemty ransomware from August 2019. The threat actor behind Nemty is known on Russian underground forums as 'jsworm'. Nemty was operated as a ransomware as a service (RaaS) affiliate program and featured a 'name and shame' website where exfiltrated victim data was leaked. In April 2020, jsworm appeared to acquire new partners and retired the Nemty ransomware. This was followed by the introduction of Nefilim ransomware, which does not operate as an affiliate model. 
Nefilim has been used in post-intrusion ransomware attacks against organizations in logistics, telecommunications, energy and other sectors.", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-mansard" ] }, "uuid": "bda575ed-5066-4625-98ef-938bbffddc00", "value": "GOLD MANSARD" }, { "description": "Operational since at least October 2020, GOLD NORTHFIELD is a financially motivated cybercriminal threat group that leverages GOLD SOUTHFIELD's REvil ransomware in their attacks. To do this, the threat actors replace the configuration of the REvil ransomware binary with their own in an effort to repurpose the ransomware for their operations. GOLD NORTHFIELD has given this modified REvil ransomware variant the name 'LV ransomware'.", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-northfield", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-13th-2020-extortion-gone-wild/" ] }, "uuid": "4c51f24c-90a1-4f22-b932-bd4bb9d488f6", "value": "GOLD NORTHFIELD" }, { "description": "GOLD RIVERVIEW was a financially motivated cybercriminal group that facilitated the distribution of malware- and scam-laden spam email on behalf of its customers. This threat group authored and sold the Necurs rootkit beginning in early 2014, including to GOLD EVERGREEN who integrated it into Gameover Zeus. GOLD RIVERVIEW also operated a global botnet that was colloquially known as Necurs (CraP2P) and was a major source of spam email from 2016 through 2018. Necurs distributed malware such as GOLD DRAKE's Dridex (Bugat v5), GOLD BLACKBURN's TrickBot, and other families like Locky and FlawedAmmy. Necurs also distributed a large volume of email pushing securities 'pump and dump' scams, rogue pharmacies, and fraudulent dating sites. On March 4, 2019 all three active segments of the Necurs botnet ceased operation and have not since resumed. 
On March 10, 2020 Microsoft took civil action against GOLD RIVERVIEW and made technical steps that would complicate the threat actors' ability to reconstitute the botnet.", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-riverview" ] }, "uuid": "3806516d-151b-4869-88bc-1f2a2cb73c3c", "value": "GOLD RIVERVIEW" }, { "description": "GOLD SKYLINE is a financially motivated cybercriminal threat group operating from Nigeria engaged in high-value wire fraud facilitated by business email compromise (BEC) and spoofing (BES). Also known as Wire-Wire Group 1 (WWG1), GOLD SKYLINE has been active since at least 2016 and relies heavily on compromised email accounts, social engineering, and increasingly malware to divert inter-organization funds transfers.", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-skyline" ] }, "uuid": "dcb6b056-7a1b-484c-82ee-f3962d47bcd9", "value": "GOLD SKYLINE" }, { "description": "GOLD SOUTHFIELD is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups. Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. GOLD SOUTHFIELD is responsible for authoring REvil and operating the backend infrastructure used by affiliates (also called partners) to create malware builds and to collect ransom payments from victims. 
CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates.", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-southfield", "https://www.secureworks.com/research/revil-sodinokibi-ransomware", "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic", "https://www.secureworks.com/blog/revil-the-gandcrab-connection" ] }, "uuid": "262c8537-1cdb-4297-aa3e-1410164160bf", "value": "GOLD SOUTHFIELD" }, { "description": "GOLD SYMPHONY is a financially motivated cybercrime group, likely based in Russia, that is responsible for the development and sale on underground forums of the Buer Loader malware. First discovered around August 2019, Buer Loader is offered as a malware-as-a-service (MaaS) and has been advertised by a threat actor using the handle 'memeos'. Customers include GOLD BLACKBURN, the operators of the TrickBot malware. In addition to TrickBot, Buer Loader has been reported to download Cobalt Strike and other tools for use in post-intrusion ransomware attacks.", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-symphony" ] }, "uuid": "bf151740-b667-4f06-87a1-131c3261cca2", "value": "GOLD SYMPHONY" }, { "description": "GOLD WATERFALL is a group of financially motivated cybercriminals responsible for the creation, distribution, and operation of the Darkside ransomware. Active since August 2020, GOLD WATERFALL uses a variety of tactics, techniques, and procedures (TTPs) to infiltrate and move laterally within targeted organizations to deploy Darkside ransomware to its most valuable resources. Among these TTPs are using malicious documents delivered by email to establish a foothold and using stolen credentials to access victims' remote access services. 
In November 2020, the 'darksupp' persona was observed advertising an affiliate program on several semi-exclusive underground forums, marking GOLD WATERFALL's entry into the ransomware-as-a-service (RaaS) landscape.", "meta": { "refs": [ "https://www.secureworks.com/research/threat-profiles/gold-waterfall", "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access" ] }, "uuid": "4d787c58-2581-4696-ad6c-e0e36ed2bac7", "value": "GOLD WATERFALL" }, { "description": "GOLD WINTER are a financially motivated group, likely based in Russia, who operate the Hades ransomware. Hades activity was first identified in December 2020 and its lack of presence on underground forums and marketplaces leads CTU researchers to conclude that it is not operated under a ransomware as a service affiliate model. GOLD WINTER do employ name-and-shame tactics, where data is stolen and used as additional leverage over victims, but rather than a single centralized leak site CTU researchers have observed the group using Tor sites customized for each victim that include a Tox chat ID for communication, which also appears to be unique for each victim.", "meta": { "refs": [ "http://www.secureworks.com/research/threat-profiles/gold-winter" ] }, "uuid": "6c514d9d-e2fa-45a5-a938-9a461f69ad2d", "value": "GOLD WINTER" }, { "description": "An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017.", "meta": { "cfr-suspected-victims": [ "Libya", "Namibia", "Sudan", "Albania", "Croatia", "Georgia", "Poland", "Iran", "Qatar", "Saudi Arabia", "Sri Lanka", "Uzbekistan" ], "cfr-target-category": [ "Government", "Telecomms" ], "refs": [ "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" ], "synonyms": [ "BackDip", "CloudComputating", "Quarian" ] }, "uuid": 
"6472be4d-c186-4c86-b3b7-7dc1b4d3a3d8", "value": "BackdoorDiplomacy" }, { "description": "The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three components of this malware family.", "meta": { "cfr-target-category": [ "Government", "Electronics Manufacturers", "Universities", "Religious organization" ], "refs": [ "https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/", "https://www.venustech.com.cn/uploads/2018/08/231401512426.pdf", "https://hitcon.org/2016/pacific/0composition/pdf/1202/1202%20R0%200930%20an%20intelligance-driven%20approach%20to%20cyber%20defense.pdf", "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" ], "synonyms": [ "狼毒草" ] }, "uuid": "2dd31182-bae1-48ed-8bb3-805a3df89783", "value": "Gelsemium" }, { "description": "Mentioned as operator of TriumphLoader and Matanbuchus", "meta": { "refs": [ "https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/" ], "synonyms": [ "Matanbuchus" ] }, "uuid": "e7aff414-fc21-43eb-ad5d-9a46e07be9f5", "value": "BelialDemon" }, { "description": "Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.", "meta": { "refs": [ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs", "https://www2.swift.com/isac/report/10118", "https://blog.group-ib.com/opera1er-apt" ], "synonyms": [ "OPERA1ER", "NXSMS", "DESKTOP-GROUP" ] }, "uuid": 
"da581c60-7c3d-4de6-b54c-cafea1c58389", "value": "Common Raven" }, { "description": "Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive backdoors and tools to lurk in environments for the long haul.", "meta": { "country": "RU", "refs": [ "https://www.mandiant.com/resources/fin13-cybercriminal-mexico", "https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation", "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf", "https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf" ], "synonyms": [ "TG2003", "Elephant Beetle" ] }, "uuid": "60fa684d-c738-4b77-98fb-3f6605e2bb82", "value": "FIN13" }, { "description": "The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. 
Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.", "meta": { "country": "PK", "refs": [ "https://www.seqrite.com/blog/operation-sidecopy/", "https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/", "https://www.telsy.com/sidecopy-apt-from-windows-to-nix/", "https://blog.talosintelligence.com/2021/07/sidecopy.html", "https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/", "https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d" ] }, "uuid": "f6d02ac3-3447-4892-b844-1ef31839e04f", "value": "SideCopy" }, { "description": "Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.", "meta": { "cfr-suspected-victims": [ "Taiwan" ], "cfr-target-category": [ "Financial" ], "country": "CN", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks" ] }, "uuid": "8482f350-867c-11ec-a8a3-0242ac120002", "value": "Antlion" }, { "description": "Persistent cybercrime threat actor targeting aviation, aerospace, transportation, manufacturing, and defense industries for years. This threat actor consistently uses remote access trojans (RATs) that can be used to remotely control compromised machines. This threat actor uses consistent themes related to aviation, transportation, and travel. The threat actor has used similar themes and targeting since 2017.", "meta": { "refs": [ "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" ] }, "uuid": "a57e5bf5-d7f4-43a1-9c15-8a44cdb95079", "value": "TA2541" }, { "description": "This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice -- often banking Trojans. 
Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.", "meta": { "refs": [ "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf" ] }, "uuid": "0466bbf1-a187-4b3d-b558-a31e5ca11ea7", "value": "TA516" }, { "description": "TA547 is responsible for many other campaigns since at least November 2017. The other campaigns by the actor were often localized to countries such as Australia, Germany, the United Kingdom, and Italy. Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.", "meta": { "refs": [ "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf" ] }, "uuid": "29fbc8d4-1e6e-4edc-9887-bdf47f36e4c1", "value": "TA547" }, { "description": "Since May 2018, Proofpoint researchers have observed email campaigns using a new downloader called sLoad. sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. 
sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.\nWhile initial versions of sLoad appeared in May 2018, we began tracking the campaigns from this actor (internally named TA554) since at least the beginning of 2017.", "meta": { "refs": [ "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf" ], "synonyms": [ "TH-163" ] }, "uuid": "36f1a1b8-e03a-484f-95a3-005345679cbe", "value": "TA554" }, { "description": "Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads. AdvisorsBot is under active development and we have also observed another version of the malware completely rewritten in PowerShell and .NET.", "meta": { "refs": [ "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf" ] }, "uuid": "d0d26dae-195f-4503-a6a9-ebb1ec0e07f9", "value": "TA555" }, { "description": "This attacker is an affiliate distributor of the The Trick, also known as Trickbot, and BazaLoader. (For more on how affiliates work, see the description of TA573).\nTA800 has targeted a wide range of industries in North America, infecting victims with banking Trojans and malware loaders (malware designed to download other malware onto a compromised device). Malicious emails have often included recipients’ names, titles and employers along with phishing pages designed to look like the targeted company. 
Lures have included hard-to-resist subjects, such as those related to payment, meetings, termination, bonuses and complaints, in the subject line or body of the email.", "meta": { "refs": [ "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes" ] }, "uuid": "75fac2e9-8f2c-4620-a1cc-4b8a61c1bb48", "value": "TA800" }, { "description": "Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.", "meta": { "country": "IR", "refs": [ "https://twitter.com/campuscodi/status/1450455259202166799", "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/", "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations", "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "synonyms": [ "Moses Staff" ] }, "related": [ { "dest-uuid": "ef415059-e150-5324-877e-44b65ab022f5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c", "value": "MosesStaff" }, { "description": "The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.", "meta": { "country": "CN", "refs": [ "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers", "https://www.contextis.com/en/news/context-identifies-new-avivore-threat-group", "https://www.contextis.com/en/blog/avivore" ] }, "uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b", "value": "Avivore" }, { "description": "The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions for Android, released in 2014, were based 
on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.", "meta": { "country": "IN", "refs": [ "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" ], "synonyms": [ "Bitter", "T-APT-17", "APT-C-08", "Orange Yali" ] }, "uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772", "value": "HAZY TIGER" }, { "description": "An actor group conducting large-scale social engineering and extortion campaigns against multiple organizations, with some seeing evidence of destructive elements.", "meta": { "refs": [ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", "https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/", "https://www.crowdstrike.com/adversaries/slippy-spider/" ], "synonyms": [ "LAPSUS$", "DEV-0537", "SLIPPY SPIDER" ] }, "related": [ { "dest-uuid": "d4dfb329-822c-5db3-a078-a8c0f77924da", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "d9e5be22-1a04-4956-af6c-37af02330980", "value": "LAPSUS" }, { "description": "Scarab APT was first spotted in 2015, but is believed to have been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States. 
The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.", "meta": { "cfr-suspected-victims": [ "Russia", "Ukraine", "United States" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://web.archive.org/web/20150124025612/http://www.symantec.com:80/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012", "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine" ] }, "uuid": "ef59014b-79bb-408f-97f1-3c585a240ca7", "value": "Scarab" }, { "meta": { "cfr-suspected-victims": [ "Kurdistan" ], "cfr-target-category": [ "Government" ], "cfr-type-of-incident": "Espionage", "refs": [ "https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/", "https://telegra.ph/Discover-Malware-Android-03-26", "https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/" ], "synonyms": [] }, "uuid": "0d72c57c-73e3-4739-8144-c8055cabd7dc", "value": "BladeHawk" }, { "description": "The title ‘Copy-paste compromises’, given by the Australian Government, is derived from the actor’s heavy use of tools copied almost identically from open source.", "meta": { "cfr-suspected-victims": [ "Australia" ], "cfr-target-category": [ "Government" ], "cfr-type-of-incident": "Espionage", "refs": [ "https://www.cyber.gov.au/acsc/view-all-content/alerts/copy-paste-compromises", "https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks" ], "synonyms": [] }, "uuid": "38d75c89-f243-45ee-87e7-e4675f0c53b3", "value": "Copy-Paste" }, { "description": "A group targeting various countries using Denial of Service attacks.", "meta": { "cfr-suspected-victims": [ "United States", "Czech Republic" ], "cfr-target-category": [ "Government" ], "cfr-type-of-incident": "Denial of service", "refs": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", 
"https://therecord.media/russia-or-ukraine-hacking-groups-take-sides/?msclkid=235244a7ba6611ec92f21c9bd3b8ee49", "https://www.expats.cz/czech-news/article/pro-russian-hackers-target-czech-websites-in-a-series-of-attacks" ], "synonyms": [] }, "uuid": "ad2d6946-1ec2-4d77-b864-39980af4e103", "value": "Killnet" }, { "description": "A group targeting UA state organizations using the GraphSteel and GrimPlant malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel", "https://cert.gov.ua/article/38374", "https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/", "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://unit42.paloaltonetworks.com/atoms/nascentursa/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer", "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/" ], "synonyms": [ "UNC2589", "TA471", "UAC-0056", "Nascent Ursa", "Nodaria", "FROZENVISTA" ] }, "uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f", "value": "SaintBear" }, { "description": "Mandiant observed this group operating since December 2019. Its techniques partially overlap with multiple Russian-based espionage actors (APT28 and APT29). 
They are described as having a high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet at their disposal.", "meta": { "cfr-type-of-incident": "Espionage", "refs": [ "https://www.mandiant.com/resources/unc3524-eye-spy-email" ] }, "uuid": "bee8b09c-07e5-4c12-94d6-266ebcb1ec24", "value": "UNC3524" }, { "description": "Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. The actor has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long-running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.", "meta": { "cfr-suspected-victims": [ "Ukraine", "Russia", "Kazakhstan", "Mongolia" ], "cfr-target-category": [ "Government", "Military", "Logistics", "Defense Contractor" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe", "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf" ], "synonyms": [ "UNC3742" ] }, "uuid": "6ee284d9-2742-4468-851c-a61366cc9a20", "value": "Curious Gorge" }, { "description": "Since 2021, Red Menshen, a China-based threat actor, has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors, using a custom backdoor referred to as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. 
This includes custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and Metasploit to aid in its lateral movement across Windows systems. They have also been seen sending commands to BPFDoor victims via Virtual Private Servers (VPSs) hosted at a well-known provider; these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels. Most Red Menshen activity that has been observed took place between Monday and Friday (with none observed on the weekends), with most communication taking place between 01:00 and 10:00 UTC. This pattern suggests a consistent 8 to 9-hour activity window for the threat actor, with a realistic probability of it aligning to local working hours.", "meta": { "cfr-suspected-victims": [ "Middle East", "Asia" ], "cfr-target-category": [ "Government", "Education", "Logistics" ], "country": "CN", "refs": [ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://troopers.de/troopers22/talks/7cv8pz" ], "synonyms": [ "Red Dev 18" ] }, "uuid": "bfe66711-32dc-4c1f-b78b-9b2f9e4c1525", "value": "Red Menshen" }, { "description": "Cosmic Lynx is a Russia-based BEC cybercriminal organization that has significantly impacted the email threat landscape with sophisticated, high-dollar phishing attacks.", "meta": { "cfr-type-of-incident": "Business Email Compromise", "refs": [ "https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf" ] }, "uuid": "54ae5c75-8aab-41a8-971a-03d53db9b35c", "value": "Cosmic Lynx" }, { "description": "Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that 
we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.", "meta": { "cfr-target-category": [ "Civil Society" ], "refs": [ "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/" ] }, "uuid": "6cce6ecc-e6f5-4ae5-b8c5-cf633b7cf973", "value": "ModifiedElephant" }, { "description": "EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group was observed exploiting a 0-day in Microsoft MSHTML (CVE-2021-40444). Investigation led researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining the trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEBEE and BAZARLOADER, further evading detection mechanisms. 
This level of human interaction is rather unusual for cyber crime groups focused on mass-scale operations.", "meta": { "refs": [ "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti" ], "synonyms": [ "DEV-0413" ] }, "uuid": "3ce2a9e0-c435-402a-a7f3-d48b64d1ab9d", "value": "EXOTIC LILY" }, { "description": "TA578 is a threat actor that Proofpoint researchers have been tracking since May 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.", "meta": { "refs": [ "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" ] }, "uuid": "d1a8626a-06a5-4ecc-9519-e17fc6724f15", "value": "TA578" }, { "description": "TA579 is a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.", "meta": { "refs": [ "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" ] }, "uuid": "7ab283ac-b78f-42db-b564-0550b9637b0b", "value": "TA579" }, { "description": "This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.", "meta": { "cfr-target-category": [ "Private sector" ], "refs": [ "https://webz.io/dwp/new-ransomware-group-ransomhouse-is-it-real-or-fake/" ] }, "uuid": "4d522fad-452c-46be-94ea-5803aec9b709", "value": "RansomHouse" }, { "description": "ToddyCat is responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. 
There is still little information about this actor, but its main distinctive signs are two formerly unknown tools that Kaspersky call ‘Samurai backdoor’ and ‘Ninja Trojan’.", "meta": { "cfr-suspected-victims": [ "Afghanistan", "India", "Indonesia", "Iran", "Kyrgyzstan", "Malaysia", "Pakistan", "Russia", "Slovakia", "Taiwan", "Thailand", "United Kingdom", "Uzbekistan", "Vietnam" ], "cfr-target-category": [ "Military", "Government" ], "refs": [ "https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/", "https://securelist.com/toddycat/106799/", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://community.riskiq.com/article/d8b749f2", "https://teamt5.org/en/posts/assassinations-of-minininja-in-various-apac-countries/" ], "synonyms": [ "Websiic" ] }, "uuid": "091a0b69-74de-44b6-bb12-16b7a8fd078b", "value": "ToddyCat" }, { "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.", "meta": { "attribution-confidence": "75", "cfr-suspected-state-sponsor": "Lebanon", "cfr-suspected-victims": [ "Israel" ], "cfr-target-category": [ "Critical manufacturing", "Defense industrial base", "Financial services", "Food and agriculture", "Government agencies and services", "Healthcare and public health", "Information technology", "Transportation systems" ], "cfr-type-of-incident": "Espionage", "country": "LB", "refs": [ "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" ] }, "related": [ { "dest-uuid": "ce5357da-0e15-5022-bd4f-74aa689d0b2e", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "3c5129ea-8f18-4bcf-a33b-b5aab0720494", "value": "POLONIUM" }, { "description": "A self-proclaimed hacktivist group that carried out attacks against Iranian railway systems and against Iranian steel plants.", "meta": { "cfr-suspected-victims": [ "Iran" ], "cfr-target-category": [ "Critical manufacturing", "Transportation systems" ], "cfr-type-of-incident": "Sabotage", "refs": [ "https://www.bbc.com/news/technology-62072480", "https://twitter.com/_cpresearch_/status/1541753913732366338", "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" ], "synonyms": [ "Indra", "Gonjeshke Darande" ] }, "uuid": "e665ac2f-87b4-4c2e-bef7-78bf0a8af87b", "value": "Predatory Sparrow" }, { "description": "MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.", "meta": { "cfr-suspected-victims": [ "Ukraine" ], "cfr-type-of-incident": "Sabotage", "refs": [ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", "https://unit42.paloaltonetworks.com/atoms/ruinousursa/" ], "synonyms": [ "Ruinous Ursa" ] }, "related": [ { "dest-uuid": "7f190457-6829-55c4-9b6b-bccdadb747cb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "a5f64c1a-c829-4855-903d-e0ff2098b2d7", "value": "DEV-0586" }, { "description": "This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. 
It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.", "meta": { "refs": [ "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability", "https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/", "https://unit42.paloaltonetworks.com/atoms/moneylibra/" ], "synonyms": [ "Money Libra" ] }, "uuid": "bc6f3b91-5a28-46df-9778-179218c809fe", "value": "Kinsing" }, { "description": "According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. This group's campaign uses multiple malware families that target the Windows, Linux, and macOS platforms that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which has been dubbed PuppetLoader.", "meta": { "cfr-suspected-victims": [ "China", "United States", "Hong Kong", "Malaysia", "Taiwan" ], "cfr-target-category": [ "Gambling Websites", "Information technology", "Electronics Manufacturers", "Education" ], "country": "CN", "refs": [ "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt", "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt", "https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt", "https://www.youtube.com/watch?v=QXGO4RJaUPQ", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf" ] }, "uuid": 
"9d82077b-7e95-4b22-8762-3224797ff5f0", "value": "Earth Berberoka" }, { "description": "Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated attacks.", "meta": { "cfr-suspected-victims": [ "Australia", "China", "France", "Germany", "Hong Kong", "Japan", "Mongolia", "Nepal", "Nigeria", "Philippines", "Taiwan", "Thailand", "United Arab Emirates", "United States", "Vietnam" ], "cfr-target-category": [ "Gambling companies", "Government Institutions", "Education", "Media and Entertainment", "Pro-democracy and human rights political organizations", "Telecommunications", "Religious organization", "Cryptocurrency", "Medical", "Covid-19 research organizations" ], "country": "CN", "refs": [ "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", "https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E", "https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf", "https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html", 
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools", "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" ], "synonyms": [ "CHROMIUM", "ControlX", "TAG-22", "FISHMONGER", "BRONZE UNIVERSITY", "AQUATIC PANDA", "Red Dev 10" ] }, "related": [ { "dest-uuid": "3f8b7c98-7484-523f-9d58-181274e6fc8f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "39150b30-61af-4d9c-9682-1595e145f3c1", "value": "Earth Lusca" }, { "description": "Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely used in Taiwan. The threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong.", "meta": { "cfr-suspected-victims": [ "Hong Kong", "Taiwan" ], "cfr-target-category": [ "Government", "Education" ], "country": "CN", "refs": [ "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html" ] }, "uuid": "c96e1329-cf7e-44ac-a3db-9e251dc98ec5", "value": "Earth Wendigo" }, { "description": "In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia. The threat group deployed a China Chopper webshell and ran the Nishang Invoke-PowerShellTcp.ps1 script to connect back to C2 infrastructure. The threat group is publicly linked to malware families Chinoxy, PCShare and FunnyDream. 
CTU researchers have discovered that BRONZE EDGEWOOD also leverages Cobalt Strike in its intrusion activity. BRONZE EDGEWOOD has been active since at least 2018 and targets government and private enterprises across Southeast Asia. CTU researchers assess with moderate confidence that BRONZE EDGEWOOD operates on behalf of the Chinese government and has a remit that covers political espionage.", "meta": { "cfr-suspected-victims": [ "Kyrgyzstan", "Malaysia", "Vietnam" ], "country": "CN", "refs": [ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" ], "synonyms": [ "Red Hariasa" ] }, "uuid": "b4ce9385-eedf-4a71-803c-6d53a250d10b", "value": "BRONZE EDGEWOOD" }, { "description": "APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, as well as remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspects that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. 
APT9 uses a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom, but are used by multiple APT groups.", "meta": { "cfr-suspected-victims": [ "United States" ], "cfr-target-category": [ "Pharmaceuticals", "Healthcare", "Construction", "Aerospace", "Defense industrial base" ], "country": "CN", "refs": [ "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://www.mandiant.com/resources/insights/apt-groups", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", "https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml", "https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" ], "synonyms": [ "NIGHTSHADE PANDA", "Red Pegasus", "Group 27" ] }, "uuid": "7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5", "value": "APT9" }, { "description": "BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper webshell for remote execution and persistence, and creates RAR archives with a '.jpg' file extension for data exfiltration. \nIn July 2020 the U.S. Department of Justice indicted two Chinese hackers CTU researchers assess are members of the BRONZE SPRING threat group. The Department of Justice alleges these hackers were responsible for compromising networks of hundreds of organisations and individuals in the U.S. 
and abroad since 2009, and that exfiltrated data would be passed to the Chinese Ministry of State Security or sold for financial gain.", "meta": { "cfr-suspected-victims": [ "United States", "Australia", "Belgium", "Germany", "Japan", "Lithuania", "Netherlands", "Spain", "South Korea", "Sweden", "United Kingdom" ], "cfr-target-category": [ "Information technology", "Medical", "Civil engineering", "Business", "Education", "Gaming", "Energy", "Pharmaceuticals", "Defense industrial base" ], "country": "CN", "refs": [ "https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion", "https://www.justice.gov/opa/press-release/file/1295981/download", "https://www.justice.gov/opa/press-release/file/1295986/download", "https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name", "https://twitter.com/MrDanPerez/status/1390285821786394624" ], "synonyms": [ "UNC302" ] }, "uuid": "8b77424e-18bc-4ea7-baa4-d87441978e20", "value": "BRONZE SPRING" }, { "description": "BRONZE STARLIGHT has been active since mid-2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posting victim names to leak sites. \nCTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on observed tradecraft, including the use of HUI Loader and PlugX which are associated with China-based threat group activity. 
It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property or conducting espionage.", "meta": { "country": "CN", "refs": [ "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", "https://twitter.com/cglyer/status/1480734487000453121" ], "synonyms": [ "SLIME34", "DEV-0401" ] }, "related": [ { "dest-uuid": "43fe584d-88e5-5f2b-a9fd-a866e62040bb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "737c0207-1a1a-4480-86e7-b6a5066e1ee5", "value": "BRONZE STARLIGHT" }, { "description": "BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third-party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and the KsRemote Android RAT. 
CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China.", "meta": { "cfr-suspected-victims": [ "Hong Kong", "Malaysia", "India", "Taiwan", "Macao", "Nigeria" ], "country": "CN", "refs": [ "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware", "https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf", "https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s", "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/" ], "synonyms": [ "Evasive Panda", "Daggerfly" ] }, "uuid": "62710572-e416-419d-bb1f-81ffc1ddc976", "value": "BRONZE HIGHLAND" }, { "description": "In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally.\n\nBRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. 
The threat group makes extensive use of native system tools and 'living off the land' techniques.", "meta": { "country": "CN", "refs": [ "https://unit42.paloaltonetworks.com/solarstorm-supernova", "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis", "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group", "https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112" ] }, "uuid": "3f04dbbc-69bc-409b-82a1-6135f0b6a41c", "value": "BRONZE SPIRAL" }, { "description": "BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated with this group and open source reporting on related incidents indicate that BRONZE VAPOR has operated since at least 2017. The group conducts espionage against multiple industries including semiconductors, aviation and telecommunications. CTU researchers assess BRONZE VAPOR's intent to be information theft, with operations focused on intellectual property (semiconductors) and personally identifiable information such as traveller records (aviation). Compromise of telecommunications companies can yield personally identifiable information and metadata on client communications such as Call Data Records (CDR).\n\nPrior to 2019 their operational focus, with some exceptions, revolved around targets in East Asia, particularly Taiwan with its thriving semiconductor industry. In 2021 details emerged in open source of attacks on at least one European semiconductor company believed to date back to 2017. In 2019 BRONZE VAPOR attacked one or more entities in the European airlines sector. 
The group gains initial access via VPN services, may use spearphishing with 'Letter of Appointment' themed lures, and deploys Cobalt Strike along with custom data exfiltration tools to target organizations. Post-intrusion activity involves living-off-the-land using legitimate tools and commands available within the victim environment as well as using AceHash for credential harvesting, WATERCYCLE for data exfiltration and STOCKPIPE for proxying information through Microsoft Exchange servers over email.\n\nBRONZE VAPOR uses a set of tactics that, although not individually unique, when viewed in aggregate create a relatively distinct playbook. Intrusions begin with credential-based attacks against an existing remote access solution (Citrix, VPN etc.) or B2B network access. Cobalt Strike is deployed into the environment and further access is then conducted via Cobalt Strike Beacon and other features of the platform. Sharphound is deployed to map out the victim's Active Directory infrastructure and collect critical information about the domain including important account names. Command and control infrastructure is hosted on subdomains of Azure and Appspot services to blend in with legitimate traffic. The threat actor also registers their own domains for command and control, often with a \"sync\" or \"update\" related theme. WinRAR is commonly used for compressing data prior to exfiltration. Filenames for these archives often involve a string of numbers and variations of the word \"update\". 
Data is exfiltrated using WATERCYCLE to cloud based platforms such as OneDrive and GoogleDrive.", "meta": { "cfr-suspected-victims": [ "Taiwan" ], "cfr-target-category": [ "Semiconductor Industry" ], "country": "CN", "refs": [ "https://www.secureworks.com/research/threat-profiles/bronze-vapor" ] }, "uuid": "af12a336-bb68-41ff-866a-834cedc0b5fc", "value": "BRONZE VAPOR" }, { "description": "Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. \nA closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.", "meta": { "cfr-suspected-victims": [ "Belarus", "Russia", "Mongolia", "Ukraine" ], "country": "CN", "refs": [ "https://securelist.com/microcin-is-here/97353", "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636", "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia", "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign", "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf", "https://securelist.com/apt-trends-report-q2-2019/91897", "https://securelist.com/apt-trends-report-q2-2020/97937", "https://securelist.com/it-threat-evolution-q2-2020/98230", "https://securelist.com/apt-trends-report-q3-2021/104708", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" ], "synonyms": [ 
"SixLittleMonkeys" ] }, "uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717", "value": "Vicious Panda" }, { "description": "Red Nue, active since at least 2017, is known for its use of the multi-platform LootRAT backdoor, also known as ReverseWindow. LootRAT has variants for Windows and Macintosh (reported in open source as Demsty), as well as an Android variant known as SpyDealer. Red Nue has also used another Windows backdoor known as WinDealer since at least 2019, when it deployed it to targets as part of a watering hole campaign on a Chinese news website for the Chinese diaspora community. Parts of Asia feature heavily in Red Nue's victimology.", "meta": { "country": "CN", "refs": [ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf", "https://blogs.jpcert.or.jp/en/2021/10/windealer.html", "https://securelist.com/windealer-dealing-on-the-side/105946", "https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [ "LuoYu" ] }, "uuid": "c73c8a76-1e44-44d6-b955-79f3a73582a1", "value": "Red Nue" }, { "description": "Prying Libra, also known as Pickaxe, is a threat actor active since at least August 2017, and continues to remain active to this day. The adversary's goal is to install and maintain a popular cryptocurrency miner on the victim's machine. The miner in question is an open-source tool named XMRig that generates the Monero cryptocurrency. Malware is delivered via downloads through the popular Adfly advertisement platform. Users are often misled into clicking on a malicious advertisement that results in the payload being delivered to the victim. 
Once installed, the malware leverages VBS scripts and redirection services, such as bitly, to ultimately download and execute XMRig. Over 15 million confirmed victims have been discovered to be infected in recent campaigns, with actual numbers likely to be between 30 and 45 million victims. The victims are found across the globe, with high concentrations in Thailand, Vietnam, Egypt, Indonesia, and Turkey.", "meta": { "refs": [ "https://unit42.paloaltonetworks.com/atoms/pryinglibra/" ], "synonyms": [ "Prying Libra" ] }, "uuid": "1bfd16ae-fd98-4a96-9397-d1651548bda2", "value": "Pickaxe" }, { "description": "Thief Libra is a cloud-focused threat group that has a history of cryptojacking operations as well as cloud service platform credential scraping. They were first known to operate on January 27, 2019. They use a variety of custom-built Go scripts as well as repurposed cryptojacking scripts from other groups including TeamTNT. They are currently considered to be an opportunistic threat group that targets exposed cloud instances and applications.", "meta": { "refs": [ "https://unit42.paloaltonetworks.com/atoms/thieflibra/" ], "synonyms": [ "Thief Libra" ] }, "uuid": "4b4b4717-d31e-4be6-a3ba-b13edb42decd", "value": "Watchdog" }, { "description": "Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed, which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. 
Returned Libra has elevated its mining operations with the use of cloud service platform credential scraping.", "meta": { "refs": [ "https://unit42.paloaltonetworks.com/atoms/returnedlibra/" ], "synonyms": [ "8220 Mining Group" ] }, "uuid": "7831d56e-5913-44ca-8835-f42017aeb0cd", "value": "Returned Libra" }, { "meta": { "attribution-confidence": "75", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "China", "Hong Kong", "Kazakhstan", "Taiwan", "Philippines" ], "cfr-target-category": [ "Private Sector", "Gambling companies", "Gaming", "Information technology", "Telecommunications", "Government", "Transportation systems", "Dissident" ], "country": "CN", "refs": [ "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies", "https://github.com/avast/ioc/tree/master/OperationDragonCastling" ] }, "uuid": "a3831248-5e2f-492d-8bb6-5e82c2f6481d", "value": "TianWu" }, { "meta": { "attribution-confidence": "75", "cfr-suspected-state-sponsor": "China", "cfr-target-category": [ "Private Sector" ], "country": "CN", "refs": [ "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf" ] }, "uuid": "d58030e2-5673-4836-9aff-ab6d55da0bc0", "value": "SLIME29" }, { "description": "Goblin Panda is one of a handful of elite Chinese advanced persistent threat (APT) groups. 
Most Chinese APTs target the United States and NATO, but Goblin Panda focuses primarily on Southeast Asia.", "meta": { "attribution-confidence": "75", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Malaysia", "India", "Indonesia", "Japan", "Philippines", "Southeast Asia", "South Korea", "Vietnam" ], "cfr-target-category": [ "Private Sector" ], "country": "CN", "refs": [ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/", "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cyberthreat.thalesgroup.com/sites/default/files/2022-05/THALES%20THREAT%20HANDBOOK%202022%20Light%20Version_1.pdf" ], "synonyms": [ "Conimes", "Cycldek" ] }, "uuid": "8d73715a-8bbd-4eaa-ae24-2f1b1c84cf21", "value": "GOBLIN PANDA" }, { "description": "Since 2018, security researchers tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. 
The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads.", "meta": { "sources": [ "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel" ] }, "uuid": "e1e70539-8916-45c2-9b01-891c1c5bd8a1", "value": "TA558" }, { "description": "One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload.\n PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.\nThe group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.\nPARINACOTA’s attacks typically brute force their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. 
In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors.\nThe group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortex, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.", "meta": { "refs": [ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ] }, "related": [ { "dest-uuid": "42148074-196b-4f8c-b149-12163fc385fa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "00edb40d-2fed-4d36-98b1-c85fc2bb1168", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" }, { "dest-uuid": "5939e42e-06d0-5719-8072-62f0fc0821e8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "4245e4cd-a57a-4e0b-9853-acaa549d495d", "value": "PARINACOTA" }, { "description": "In 2021, PwC started tracking a series of intrusions under the moniker of Red Dev 17 that they assess were highly likely conducted by a China-based threat actor. Their analysis suggests Red Dev 17 has been active since at least 2017. Red Dev 17's observed targets are mainly in India, and include the Indian military, a multinational India-based technology company, and a state energy company. They assess that it is highly probable that the threat actor behind intrusions associated with Red Dev 17 is also responsible for the campaign known in open source as Operation NightScout. 
Red Dev 17 is a user of the 8.t document weaponisation framework (also known as RoyalRoad), and abuses benign utilities such as Logitech or Windows Defender binaries to sideload and execute Chinoxy or PoisonIvy variants on victim systems. They identified capability and infrastructure links between Red Dev 17 and the threat actor they call Red Hariasa (aka FunnyDream APT), as well as infrastructure overlaps with Red Wendigo (aka Icefog, RedFoxtrot), and with ShadowPad C2 servers. At this time, they do not have sufficient evidence to directly link Red Dev 17 to any of these threat actors. However, they assess with realistic probability that Red Dev 17 operates within a cluster of threat actors that share tools and infrastructure, as well as a strong targeting focus on Southeast Asia and Central Asia.", "meta": { "cfr-suspected-victims": [ "India" ], "cfr-target-category": [ "High-Tech", "Military", "Energy" ], "country": "CN", "refs": [ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/" ] }, "uuid": "50d61877-bfc7-4c65-980e-c0589b5561fa", "value": "Red Dev 17" }, { "description": "SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. They assess that the threat actor's primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. They track this activity as 'Aoqin Dragon'. The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. 
Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.", "meta": { "cfr-suspected-victims": [ "Australia", "Cambodia", "Hong Kong", "Singapore", "Vietnam" ], "cfr-target-category": [ "Government", "Education", "Telecommunications" ], "country": "CN", "refs": [ "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/", "https://khonggianmang.vn/uploads/CB_941_Canhbao_APT_36c5a857fa.pdf" ], "synonyms": [ "UNC94" ] }, "uuid": "fa1fdccb-1a06-4607-bd45-1a7df4db02d7", "value": "Aoqin Dragon" }, { "description": "A malicious campaign called DangerousSavanna has been targeting multiple major financial service groups in French-speaking Africa for the last two years. The threat actors behind this campaign use spear-phishing as a means of initial infection, sending emails with malicious attachments to the employees of financial institutions in at least five different French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo.\nDangerousSavanna tends to install relatively unsophisticated software tools in the infected environments. These tools are both self-written and based on open-source projects such as Metasploit, PoshC2, DWservice, and AsyncRAT. The threat actors’ creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-written executable loaders and malicious documents, to ISO, LNK, JAR and VBE files in various combinations. 
The evolving infection chains by the threat actor reflect the changes in the threat landscape seen over the past few years as infection vectors became more and more sophisticated and diverse.", "meta": { "cfr-suspected-victims": [ "Ivory Coast", "Morocco", "Cameroon", "Senegal", "Togo" ], "refs": [ "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/" ], "threat-actor-classification": [ "campaign" ] }, "uuid": "1bb64526-cc51-475a-b6bc-af30df9f2fb6", "value": "DangerousSavanna" }, { "description": "Hezb is a group that deploys cryptominers when new exploits become available for public-facing vulnerabilities. The name is taken from the miner process they deploy.", "meta": { "refs": [ "https://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/" ] }, "uuid": "fd82cd40-9306-4285-8fae-ad29a9711603", "value": "Hezb" }, { "description": "NoName057(16) is performing DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine and in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland.", "meta": { "cfr-suspected-victims": [ "Czech Republic", "Denmark", "Estonia", "Lithuania", "NATO", "Norway", "Poland", "Ukraine" ], "cfr-target-category": [ "Financial", "Government", "Military", "Telecommunications", "Transportation" ], "cfr-type-of-incident": [ "Denial of service" ], "refs": [ "https://decoded.avast.io/martinchlumecky/bobik/", "https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/", "https://www.gov.pl/web/special-services/russian-cyberattacks" ], "synonyms": [ "NoName057", "NoName05716", "05716nnm", "Nnm05716" ] }, "uuid": "e62937d0-dec6-4c39-a836-e43b1d138df4", "value": "NoName057(16)" }, { "description": "BITWISE SPIDER has recently and quickly become a significant 
player in the big game hunting (BGH) landscape. Their dedicated leak site (DLS) has received the highest number of victims posted each month since July 2021 compared to other adversary DLSs due to the growing popularity and effectiveness of LockBit 2.0.", "meta": { "refs": [ "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/", "https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/", "https://security.packt.com/understanding-lockbit/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit" ] }, "related": [ { "dest-uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "fd035735-1ab9-419d-a94c-d560612e970b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "afce6aba-d4c4-49fa-b9a9-1a70e92e5a0e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac", "value": "BITWISE SPIDER" }, { "description": "Void Balaur is a highly active hack-for-hire / cyber mercenary group with a wide range of known target types across the globe. Their services have been observed for sale to the public online since at least 2016. 
Services include the collection of private data and access to specific online email and social media services, such as Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and business emails.", "meta": { "cfr-suspected-victims": [ "Brazil", "Central African Republic", "Georgia", "Kazakhstan", "Moldova", "Russia", "Spain", "Sudan", "Taiwan", "Ukraine", "United Kingdom", "United States" ], "refs": [ "https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/", "https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/", "https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf", "https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/", "https://equalit.ie/deflect-labs-report-6/" ] }, "uuid": "ca310f0a-1131-4c67-b0a7-f1cd4ce0f87f", "value": "Void Balaur" }, { "description": "APT-Q-12", "meta": { "refs": [ "https://mp.weixin.qq.com/s/Hzq4_tWmunDpKfHTlZNM-A" ] }, "uuid": "6a83b2bf-0c51-4c9b-89b0-35df7cab1dd5", "value": "APT-Q-12" }, { "description": "RomCom", "meta": { "refs": [ "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass", "https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries" ] }, "uuid": "ba9e1ed2-e142-48d0-a593-f73ac6d59ccd", "value": "RomCom" }, { "description": "GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. 
These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.", "meta": { "refs": [ "https://www.secureworks.com/research/threat-profiles/gold-prelude" ], "synonyms": [ "TA569", "UNC1543" ] }, "related": [ { "dest-uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387", "value": "GOLD PRELUDE" }, { "description": "BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold called by the attacker, except in BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.", "meta": { "refs": [ "https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html", "https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/" ], "synonyms": [ "BazzarCall", "BazaCall" ] }, "uuid": "906e2091-cc32-499e-a799-2b9b15e45042", "value": "BazarCall" }, { "description": "Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Hong Kong", "India", "Malaysia", "Taiwan" ], "cfr-target-category": [ "Government", "Individuals", "Universities" ], "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ 
"https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", "https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf", "https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack" ], "synonyms": [ "BRONZE HIGHLAND" ] }, "uuid": "171d0590-be92-443f-addb-af5dc2a8034d", "value": "Evasive Panda" }, { "description": "A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Future’s Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.", "meta": { "refs": [ "https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies", "https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations", "https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf" ] }, "related": [ { "dest-uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "overlaps" } ], "uuid": "e5865ca1-ec95-43e2-954a-d0f3507a9747", "value": "TAG-53" }, { "description": "This group of cybercriminals is named Malteiro by SCILabs; they operate and distribute the URSA/Mispadu banking trojan.", "meta": { "refs": [ "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/", "https://blog.scilabs.mx/cyber-threat-profile-malteiro/" ] }, "related": [ { "dest-uuid": "d27eea57-e55f-40b1-9690-55c2c8500876", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "delivers" } ], "uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f", "value": "Malteiro" }, { "meta": { "references": [ 
"https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://vixra.org/abs/1902.0257", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://unit42.paloaltonetworks.com/threat-brief-hancitor-actors/" ], "synonyms": [ "MAN1", "TA511" ] }, "related": [ { "dest-uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "ef2247bf-8062-404b-894f-d65d00564817", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" } ], "uuid": "66a0a3ad-5b07-4876-baee-cf44000f7470", "value": "Moskalvzapoe" }, { "description": "One of the most active Qbot malware affiliates, Proofpoint has tracked the large cybercrime threat actor TA570 since 2018.", "meta": { "country": "RU", "references": [ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/", "https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728", "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" ], "synonyms": [ "DEV-0450" ] }, "related": [ { "dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" } ], "uuid": "82a808ad-3f2f-43c0-bd15-848a6e27da95", "value": "TA570" }, { "description": "TA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware such as Dridex, Qakbot, and WastedLocker via malicious URLs, Office attachments, and password-protected files. 
On average, TA575 distributes almost 4,000 messages per campaign impacting hundreds of organizations.", "meta": { "references": [ "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware", "https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware", "https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware" ] }, "related": [ { "dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "e72a0bde-ea5b-4450-bc90-b5d2dca697b4", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" }, { "dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927", "tags": [ "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "uses" } ], "uuid": "fbb04514-f71d-4a95-a1af-727d21ef12a2", "value": "TA575" }, { "description": "TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. 
This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.", "meta": { "country": "RU", "references": [ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html", "https://www.itpro.com/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network", "https://exchange.xforce.ibmcloud.com/threat-group/guid:1dda890fa2662ed26b451c703e922315" ], "synonyms": [ "Hive0118" ] }, "related": [ { "dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "cd0ad49d-7f79-45e0-91ba-c5eecdabe3aa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "e405b7d0-3eed-4f9d-9b68-728e9793974c", "value": "TA577" }, { "description": "TA2536, which has been active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics and tools. 
It uses keyloggers such as HawkEye and distinctive stylometric features in typo-squatted domains that resemble legitimate names and the use of recurring names and substrings in email addresses.", "meta": { "country": "NG", "references": [ "https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1" ] }, "related": [ { "dest-uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "4793a29b-1191-4750-810e-9301a6576fc4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "8378b417-605e-4196-b31f-a0c96d75aa50", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "31615066-dbff-4134-b467-d97a337b408b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "9687a6a9-0a66-4373-b546-60553857a442", "value": "TA2536" }, { "description": "DEV-0147 is a China-based cyber espionage actor that was observed compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't agencies and think tanks in Asia and Europe. DEV-0147 is known to use tools like ShadowPad, a remote access trojan associated with other China-based actors, to maintain persistent access, and QuasarLoader, a webpack loader, to deploy additional malware. 
DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement, and the use of Cobalt Strike for command and control and data exfiltration.", "meta": { "cfr-suspected-victims": [ "South America", "Asia", "European Union" ], "country": "CN", "references": [ "https://twitter.com/MsftSecIntel/status/1625181255754039318" ] }, "uuid": "85f20141-1c8e-49ac-b963-eaa1fb1f4018", "value": "DEV-0147" }, { "description": "TA406 is engaging in malware distribution, phishing, intelligence collection, and cryptocurrency theft, resulting in a wide range of criminal activities.", "meta": { "cfr-suspected-victims": [ "China", "France", "Germany", "India", "Japan", "North America", "Russia", "South Africa", "South Korea", "United Kingdom" ], "cfr-target-category": [ "Government", "Journalists", "NGOs" ], "country": "KR", "references": [ "https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals" ] }, "related": [ { "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "part-of" } ], "uuid": "89f005f9-22e9-4c50-9b48-e94c521266e5", "value": "TA406" }, { "description": "Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.", "meta": { "attribution-confidence": "50", "cfr-suspected-victims": [ "Australia", "Europe", "Middle East", "US" ], "cfr-target-category": [ "Education", "Government", "Healthcare", "Legal", "Manufacturing", "Media", "NGOs", "Pharmaceuticals" ], "country": "IR", "references": [ "https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises" ], "synonyms": [ "UNC788" ] }, "related": [ { "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "35f887ad-6709-4d0b-8e9c-6b3fa09c783f", "value": "APT42" }, { "description": "TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.", "meta": { "country": "IR", "references": [ "https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations", "https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential" ] }, "related": [ { "dest-uuid": "35f887ad-6709-4d0b-8e9c-6b3fa09c783f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "c1d44f44-425e-48fd-b78b-84b988da8bc3", "value": "TA453" }, { "description": "In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. 
They gave the group the name ChamelGang (from the word \"chameleon\"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.", "meta": { "cfr-suspected-victims": [ "India", "Japan", "Nepal", "Russia", "Taiwan", "US" ], "cfr-target-category": [ "Aviation", "Energy" ], "references": [ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/" ] }, "related": [ { "dest-uuid": "b91e1d34-cabd-404f-84d2-51a4f9840ffb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "eafdd27f-a3e2-4bb1-ae03-bf9ca5ff0355", "value": "Chamelgang" }, { "description": "Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. 
Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.", "meta": { "cfr-suspected-victims": [ "Canada", "Germany", "United Kingdom", "United States" ], "cfr-type-of-incident": "Extortion", "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a", "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", "https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation" ], "synonyms": [ "Karakurt Lair" ] }, "related": [ { "dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "588fb91d-59c6-4667-b299-94676d48b17b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "7d71d21e-68f0-4595-beee-7c353471463d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "035fbd5c-e4a1-4c7b-80fb-f5a89a361aed", "value": "Karakurt" }, { "description": "Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. 
Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.", "meta": { "country": "IR", "references": [ "https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/" ], "synonyms": [ "Nemesis Kitten" ] }, "related": [ { "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "part-of" } ], "uuid": "7b90319a-9f7b-466d-9f90-7fcc270ed505", "value": "DEV-0270" }, { "description": "PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.", "meta": { "country": "", "references": [ "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/" ] }, "related": [ { "dest-uuid": "cd84bc53-8684-4921-89c7-2cf49512bf61", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "b5814e05-532a-4262-a8da-82fd0d7605ee", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "eb0b100c-8a4e-4859-b6f8-eebd66c3d20c", "value": "Prophet Spider" }, { "description": "According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. 
Most of the activity recently observed by Proofpoint suggests recent campaigns are financially motivated; however, assessment of historic related activities suggests a possible, additional espionage objective.", "meta": { "motive": "mainly financially motivated, additional espionage objective.", "references": [ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me" ] }, "related": [ { "dest-uuid": "f3b7e302-152b-4c4e-85c2-82733b78d13f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "49ca568f-b6e4-49ff-963e-796f8207d185", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "7b956ff0-9021-499c-82a4-24b958cb32d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "a3c22f46-5135-4b39-a33f-92906ac12c31", "value": "TA866" }, { "description": "Since January 23, 2023, a threat actor identifying as \"Anonymous Sudan\" has been conducting denial of service (DDoS) attacks against multiple organizations in Sweden. This group claims to be \"hacktivists,\" politically motivated hackers from Sudan. 
According to Truesec’s report, the threat actor has nothing to do with the online activists collectively known as Anonymous.", "meta": { "cfr-suspected-victims": [ "Denmark", "Sweden" ], "cfr-type-of-incident": [ "Denial of service" ], "references": [ "https://files.truesec.com/hubfs/Reports/Anonymous%20Sudan%20-%20Publish%201.2%20-%20a%20Truesec%20Report.pdf", "https://www.truesec.com/hub/blog/what-is-anonymous-sudan" ] }, "uuid": "8ca38564-5515-45f5-9f3b-a4091546e10b", "value": "Anonymous Sudan" }, { "description": "Recorded Future’s Insikt Group has identified a large cluster of new operational infrastructure associated with use of the custom Windows and Linux backdoor KEYPLUG. We attribute this activity to a threat activity group tracked as RedGolf, which is highly likely to be a Chinese state-sponsored group. RedGolf closely overlaps with threat activity reported in open sources under the aliases APT41/BARIUM and has likely carried out state-sponsored espionage activity in parallel with financially motivated operations for personal gain from at least 2014 onward.", "meta": { "cfr-suspected-state-sponsor": "China", "cfr-target-category": [ "Aviation", "Automotive", "Education", "Intergovernmental", "Media and Entertainment", "Information Technology", "Religious Organizations" ], "country": "CN", "motive": "state-sponsored espionage and financially motivated", "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf", "https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer" ] }, "related": [ { "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "overlaps" }, { "dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "2c4bfc14-3ea4-4ced-806a-fcac30b2a9d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "eff0c059-5449-4207-9860-715475139595", "value": "RedGolf" }, { "description": "• APT43 is a prolific cyber operator that supports the interests of the North Korean regime. The group combines moderately-sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues. \n• In addition to its espionage campaigns, we believe APT43 funds itself through cybercrime operations to support its primary mission of collecting strategic intelligence. \n• The group creates numerous spoofed and fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure. 
\n• APT43 has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.", "meta": { "refs": [ "https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report" ] }, "uuid": "aac49b4e-74e9-49fa-84f9-e340cf8bafbc", "value": "APT43" }, { "description": "Hagga is believed to have been using Agent Tesla, 2021’s sixth most prevalent malware, to steal sensitive information from his victims since the latter part of 2021.", "meta": { "refs": [ "https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor", "https://otx.alienvault.com/pulse/62cfe4ef3415be5f83be81d1" ] }, "related": [ { "dest-uuid": "f8cd62cb-b9d3-4352-8f46-0961cfde104c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "1e318d85-79c7-4988-83b7-ff86a974786c", "value": "Hagga" }, { "description": "[Microsoft] Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.\n\n[Secureworks] BRONZE SILHOUETTE likely operates on behalf of the PRC. The targeting of U.S. 
government and defense organizations for intelligence gain aligns with PRC requirements, and the tradecraft observed in these engagements overlaps with other state-sponsored Chinese threat groups.", "meta": { "country": "CN", "refs": [ "https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" ], "synonyms": [ "BRONZE SILHOUETTE" ] }, "uuid": "f02679fa-5e85-4050-8eb5-c2677d93306f", "value": "Volt Typhoon" }, { "description": "The campaign, called SmugX, overlaps with previously reported activity by Chinese APT actors RedDelta and Mustang Panda. Although those two correlate to some extent with Camaro Dragon, there is insufficient evidence to link the SmugX campaign to the Camaro Dragon group.\n\nThe campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar.", "meta": { "refs": [ "https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/" ] }, "uuid": "c95520c1-0a27-42aa-9853-bf5f0f3bc074", "value": "SmugX" }, { "description": "Likely Chinese state-sponsored threat activity group RedDelta targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. Since at least 2019, RedDelta has been consistently active within Southeast Asia, particularly in Myanmar and Vietnam, but has also routinely adapted its targeting in response to global geopolitical events. 
This is historically evident through the group’s targeting of the Vatican and other Catholic organizations in the lead-up to 2021 talks between Chinese Communist Party (CCP) and Vatican officials, as well as throughout 2022 through the group’s shift towards increased targeting of European government and diplomatic entities following Russia’s invasion of Ukraine.\n\nDuring the 3-month period from September through November 2022, RedDelta has regularly used an infection chain employing malicious shortcut (LNK) files, which trigger a dynamic-link library (DLL) search-order-hijacking execution chain to load consistently updated PlugX versions. Throughout this period, the group repeatedly employed decoy documents specific to government and migration policy within Europe. Of note, we identified a European government department focused on trade communicating with RedDelta command-and-control (C2) infrastructure in early August 2022. This activity commenced on the same day that a RedDelta PlugX sample using this C2 infrastructure and featuring an EU trade-themed decoy document surfaced on public malware repositories. We also identified additional probable victim entities within Myanmar and Vietnam regularly communicating with RedDelta C2 infrastructure.\n\nRedDelta closely overlaps with public industry reporting under the aliases BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte.", "meta": { "refs": [ "https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf" ] }, "related": [ { "dest-uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "overlaps" }, { "dest-uuid": "420ac20b-f2b9-42b8-aa1a-6d4b72895ca4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "overlaps" } ], "uuid": "fceed509-938e-4f9e-acd4-76e6c28dc6f1", "value": "RedDelta" } ], "version": 275 }