{ "values": [ { "meta": { "synonyms": [ "Comment Panda", "PLA Unit 61398", "APT 1", "APT1", "Advanced Persistent Threat 1", "Byzantine Candor", "Group 3", "TG-8223", "Comment Group", "Brown Fox" ], "country": "CN", "refs": [ "https://en.wikipedia.org/wiki/PLA_Unit_61398", "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" ] }, "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", "value": "Comment Crew", "uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be" }, { "meta": { "country": "CN" }, "value": "Stalker Panda", "uuid": "36843742-adf1-427c-a7c0-067d74b4aeaf" }, { "value": "Nitro", "description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ", "meta": { "country": "CN", "refs": [ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf" ], "synonyms": [ "Covert Grove" ] }, "uuid": "0b06fb39-ed3d-4868-ac42-12fff6df2c80" }, { "value": "Codoso", "description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. 
Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors’ computers with malware.'", "meta": { "country": "CN", "refs": [ "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks", "http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf", "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html" ], "synonyms": [ "C0d0so", "APT19", "APT 19", "Sunshop Group" ] }, "uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c" }, { "meta": { "refs": [ "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf" ] }, "value": "Dust Storm", "uuid": "9e71024e-817f-45b0-92a0-d886c30bc929" }, { "value": "Karma Panda", "description": "Adversary targeting dissident groups in China and its surroundings.", "meta": { "country": "CN", "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "uuid": "06e659ff-ece8-4e6c-a110-d9692ac6d8ee" }, { "meta": { "country": "CN", "synonyms": [ "temp.bottle" ] }, "value": "Keyhole Panda", "uuid": "ad022538-b457-4839-8ebd-3fdcc807a820" }, { "meta": { "country": "CN", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "value": "Wet Panda", "uuid": "ba8973b2-fd97-4aa7-9307-ea4838d96428" }, { "meta": { "country": "CN", "refs": [ "https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" ] }, "value": "Foxy Panda", "description": "Adversary group targeting telecommunication and technology organizations.", "uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd" }, { "meta": { "country": "CN", "refs": [ 
"http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "value": "Predator Panda", "uuid": "1969f622-d64a-4436-9a34-4c47fcb2535f" }, { "meta": { "country": "CN", "refs": [ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" ] }, "value": "Union Panda", "uuid": "7195b51f-500e-4034-a851-bf34a2728dc8" }, { "meta": { "country": "CN", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "value": "Spicy Panda", "uuid": "4959652d-72fa-46e4-be20-4ec686409bfb" }, { "meta": { "country": "CN", "refs": [ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" ] }, "value": "Eloquent Panda", "uuid": "432b0304-768f-4fb9-9762-e745ef524ec7" }, { "meta": { "synonyms": [ "LadyBoyle" ] }, "value": "Dizzy Panda", "uuid": "8a8f39df-74b3-4946-ab64-f84968bababe" }, { "meta": { "synonyms": [ "PLA Unit 61486", "APT 2", "Group 36", "APT-2", "MSUpdater", "4HCrew", "SULPHUR", "TG-6952" ], "country": "CN", "refs": [ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" ] }, "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. 
The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'", "value": "Putter Panda", "uuid": "0ca45163-e223-4167-b1af-f088ed14a93d" }, { "meta": { "synonyms": [ "Gothic Panda", "TG-0110", "APT 3", "Group 6", "UPS Team", "APT3", "Buckeye" ], "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ] }, "value": "UPS", "description": "Symantec described UPS in a 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeye’s focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'", "uuid": "d144c83e-2302-4947-9e24-856fbf7949ae" }, { "meta": { "synonyms": [ "DUBNIUM", "Fallout Team", "Karba", "Luder", "Nemim", "Tapaoux" ], "refs": [ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", "https://securelist.com/blog/research/66779/the-darkhotel-apt/", "http://drops.wooyun.org/tips/11726", "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/" ] }, "value": "DarkHotel", "description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. 
Moreover, this crew’s most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'", "uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d" }, { "meta": { "synonyms": [ "Numbered Panda", "TG-2754", "BeeBus", "Group 22", "DynCalc", "Calc Team", "DNSCalc", "Crimson Iron", "APT12", "APT 12" ], "country": "CN", "refs": [ "http://www.crowdstrike.com/blog/whois-numbered-panda/" ] }, "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", "value": "IXESHE", "uuid": "48146604-6693-4db1-bd94-159744726514" }, { "meta": { "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" ] }, "value": "APT 16", "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf" }, { "meta": { "synonyms": [ "APT 17", "Deputy Dog", "Group 8", "APT17", "Hidden Lynx", "Tailgater Team" ], "country": "CN", "refs": [ "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf" ] }, "value": "Aurora Panda", "description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. 
government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'", "uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb" }, { "meta": { "synonyms": [ "Dynamite Panda", "TG-0416", "APT 18", "SCANDIUM", "PLA Navy", "APT18" ], "country": "CN", "refs": [ "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828" ] }, "value": "Wekby", "description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.'", "uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c" }, { "meta": { "synonyms": [ "Operation Tropic Trooper" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" ] }, "value": "Tropic Trooper", "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation Tropic Trooper. Active since 2012, the attackers behind the campaign have set their sights on the Taiwanese government as well as a number of companies in the heavy industry. 
The same campaign has also targeted key Philippine military agencies.'", "uuid": "4fd409a9-db86-46a5-bdf2-b6c8ee397a89" }, { "meta": { "synonyms": [ "Winnti Group", "Tailgater Team", "Group 72", "Group72", "Tailgater", "Ragebeast", "Blackfly", "Lead", "Wicked Spider", "APT17", "APT 17", "Dogfish", "Deputy Dog", "Wicked Panda", "Barium" ], "country": "CN", "refs": [ "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", "http://williamshowalter.com/a-universal-windows-bootkit/", "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp" ] }, "value": "Axiom", "description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. 
The majority of the victims are from South East Asia.'", "uuid": "24110866-cb22-4c85-a7d2-0413e126694b" }, { "meta": { "synonyms": [ "Deep Panda", "WebMasters", "APT 19", "KungFu Kittens", "Black Vine", "Group 13", "PinkPanther", "Sh3llCr3w" ], "country": "CN", "refs": [ "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "description": "Adversary group targeting financial, technology, non-profit organisations.", "value": "Shell Crew", "uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4" }, { "meta": { "synonyms": [ "PLA Unit 78020", "APT 30", "APT30", "Override Panda", "Camerashy", "APT.Naikon" ], "country": "CN", "refs": [ "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" ] }, "value": "Naikon", "description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'", "uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff" }, { "meta": { "synonyms": [ "Spring Dragon", "ST Group" ], "country": "CN", "refs": [ "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", "https://securelist.com/spring-dragon-updated-activity/79067/" ] }, "value": "Lotus Blossom", "uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d" }, { "meta": { "synonyms": [ "Elise" ], "country": "CN", "refs": [ "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" ] }, "value": "Lotus Panda", "uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8" }, { "meta": { "synonyms": [ "Black Vine", "TEMP.Avengers" ], 
"country": "CN", "refs": [ "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/" ] }, "value": "Hurricane Panda", "uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb" }, { "meta": { "synonyms": [ "TG-3390", "APT 27", "TEMP.Hippo", "Group 35", "Bronze Union", "ZipToken", "HIPPOTeam", "APT27", "Operation Iron Tiger", "Iron Tiger APT" ], "country": "CN", "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/" ] }, "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", "value": "Emissary Panda", "uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32" }, { "meta": { "synonyms": [ "APT10", "APT 10", "menuPass", "happyyongzi", "POTASSIUM", "DustStorm", "Red Apollo", "CVNX", "HOGFISH" ], "country": "CN", "refs": [ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" ] }, "value": "Stone Panda", "uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c" }, { "meta": { "synonyms": [ "APT 9", "Flowerlady/Flowershow", "Flowerlady", "Flowershow" ], "country": "CN", "refs": [ "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/" ] }, "value": "Nightshade Panda", "uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45" }, { "meta": { "synonyms": [ "Goblin Panda", "Cycldek" ], "country": "CN", "refs": [ "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/" ] }, "value": "Hellsing", "uuid": "af482dde-9e47-48d5-9cb2-cf8f6d6303d3" }, { "meta": { 
"country": "CN", "refs": [ "https://kc.mcafee.com/corporate/index?page=content&id=KB71150" ] }, "value": "Night Dragon", "uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d" }, { "meta": { "synonyms": [ "Vixen Panda", "Ke3Chang", "GREF", "Playful Dragon", "APT 15", "APT15", "Metushy", "Lurid", "Social Network Team", "Royal APT" ], "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/", "https://github.com/nccgroup/Royal_APT" ] }, "value": "Mirage", "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8" }, { "meta": { "country": "CN", "synonyms": [ "APT14", "APT 14", "QAZTeam", "ALUMINUM" ], "refs": [ "http://www.crowdstrike.com/blog/whois-anchor-panda/" ], "motive": "Espionage" }, "value": "Anchor Panda", "description": "PLA Navy", "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104" }, { "meta": { "country": "CN", "synonyms": [ "APT 21" ], "refs": [ "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/" ] }, "value": "NetTraveler", "uuid": "b80f4788-ccb2-466d-ae16-b397159d907e" }, { "meta": { "synonyms": [ "IceFog", "Dagger Panda" ], "country": "CN", "refs": [ "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/", "https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/" ] }, "value": "Ice Fog", "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well.", "uuid": "32c534b9-abec-4823-b223-a810f897b47b" }, { "meta": { "synonyms": [ "PittyTiger", "MANGANESE" ], "country": "CN", "refs": [ "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2" ] }, "value": "Pitty Panda", "description": "The Pitty Tiger group has been active since at least 2011. 
They have been seen using HeartBleed vulnerability in order to directly get valid credentials", "uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189" }, { "value": "Roaming Tiger", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" ] }, "uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d" }, { "meta": { "country": "CN", "synonyms": [ "Sneaky Panda" ] }, "value": "Beijing Group", "uuid": "da754aeb-a86d-4874-b388-d1d2028a56be" }, { "meta": { "country": "CN", "synonyms": [ "Shrouded Crossbow" ] }, "value": "Radio Panda", "uuid": "c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e" }, { "value": "APT.3102", "meta": { "country": "CN", "refs": [ "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/" ] }, "uuid": "f33fd440-93ee-41e5-974a-be9343e18cdf" }, { "meta": { "synonyms": [ "PLA Navy", "APT4", "APT 4", "Wisp Team", "Getkys", "SykipotGroup", "Wkysol" ], "country": "CN", "refs": [ "http://www.crowdstrike.com/blog/whois-samurai-panda/" ] }, "value": "Samurai Panda", "uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7" }, { "meta": { "country": "CN" }, "value": "Impersonating Panda", "uuid": "b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1" }, { "meta": { "country": "CN", "refs": [ "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/" ], "synonyms": [ "APT20", "APT 20", "APT8", "APT 8", "TH3Bug" ] }, "value": "Violin Panda", "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40" }, { "meta": { "country": "CN", "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "description": "A group targeting dissident groups in China and at the boundaries.", "value": "Toxic Panda", "uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761" }, { "meta": { "synonyms": [ "Admin338", "Team338", 
"MAGNESIUM", "admin@338" ], "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ] }, "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.", "value": "Temper Panda", "uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b" }, { "meta": { "country": "CN", "refs": [ "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india", "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" ], "synonyms": [ "APT23", "KeyBoy" ] }, "value": "Pirate Panda", "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee" }, { "meta": { "country": "IR", "synonyms": [ "SaffronRose", "Saffron Rose", "AjaxSecurityTeam", "Ajax Security Team", "Group 26" ], "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" ] }, "value": "Flying Kitten", "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.", "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48" }, { "meta": { "country": "IR", "synonyms": [ "ITSecTeam", "Threat Group 2889", "TG-2889", "Ghambar" ], "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" ] }, "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers 
uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", "value": "Cutting Kitten", "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e" }, { "meta": { "country": "IR", "synonyms": [ "Newscaster", "Parastoo", "iKittens", "Group 83", "Newsbeef" ], "refs": [ "https://en.wikipedia.org/wiki/Operation_Newscaster", "https://iranthreats.github.io/resources/macdownloader-macos-malware/", "https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/", "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/", "https://cryptome.org/2012/11/parastoo-hacks-iaea.htm", "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf", "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/", "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf", "https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks" ] }, "value": "Charming Kitten", "description": "Charming Kitten (aka Parastoo, aka Newscaster) is a group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.", "uuid": "f98bac6b-12fd-4cad-be84-c84666932232" }, { "meta": { "country": "IR", "synonyms": [], "refs": [ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ] }, "description": "Our analysis reveals that APT33 is a 
capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.", "value": "APT33", "uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10" }, { "meta": { "country": "IR", "synonyms": [ "Group 42" ], "refs": [ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" ] }, "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", "value": "Magic Kitten", "uuid": "2e77511d-f72f-409e-9b64-e2a15efe9bf4" }, { "meta": { "synonyms": [ "TEMP.Beanie", "Operation Woolen Goldfish", "Thamar Reservoir", "Timberworm" ], "country": "IR", "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", "http://www.clearskysec.com/thamar-reservoir/", "https://citizenlab.org/2015/08/iran_two_factor_phishing/", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://en.wikipedia.org/wiki/Rocket_Kitten" ] }, "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.", "value": "Rocket Kitten", "uuid": "f873db71-3d53-41d5-b141-530675ade27a" }, { "meta": { "country": "IR", "synonyms": [ "Operation 
Cleaver", "Tarh Andishan", "Alibaba", "2889", "TG-2889", "Cobalt Gypsy", "Ghambar", "Cutting Kitten" ], "refs": [ "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf", "https://www.secureworks.com/research/the-curious-case-of-mia-ash", "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" ] }, "value": "Cleaver", "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies.", "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810" }, { "meta": { "country": "IR" }, "value": "Sands Casino", "uuid": "1de1a64e-ea14-4e79-9e41-6958bdb6c0ff" }, { "meta": { "country": "TN", "synonyms": [ "FallagaTeam" ], "motive": "Hacktivism-Nationalist" }, "value": "Rebel Jackal", "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. 
Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.", "uuid": "29af2812-f7fb-4edb-8cc4-86d0d9e3644b" }, { "meta": { "country": "AE", "synonyms": [ "Vikingdom" ] }, "value": "Viking Jackal", "uuid": "7f99ba32-421c-4905-9deb-006e8eda40c1" }, { "meta": { "synonyms": [ "APT 28", "APT28", "Pawn Storm", "Fancy Bear", "Sednit", "TsarTeam", "TG-4127", "Group-4127", "STRONTIUM", "TAG_0700", "Swallowtail", "IRON TWILIGHT", "Group 74" ], "country": "RU", "refs": [ "https://en.wikipedia.org/wiki/Sofacy_Group", "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/" ] }, "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. 
It has been characterized as an advanced persistent threat.", "value": "Sofacy", "uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754" }, { "meta": { "synonyms": [ "Dukes", "Group 100", "Cozy Duke", "CozyDuke", "EuroAPT", "CozyBear", "CozyCar", "Cozer", "Office Monkeys", "OfficeMonkeys", "APT29", "Cozy Bear", "The Dukes", "Minidionis", "SeaDuke", "Hammer Toss" ], "country": "RU", "refs": [ "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" ] }, "value": "APT 29", "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. 
In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.'", "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a" }, { "meta": { "synonyms": [ "Turla", "Snake", "Venomous Bear", "Group 88", "Waterbug", "WRAITH", "Turla Team", "Uroburos", "Pfinet", "TAG_0530", "KRYPTON", "Hippo Team" ], "refs": [ "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", "https://www.circl.lu/pub/tr-25/", "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", "https://securelist.com/blog/research/67962/the-penquin-turla-2/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" ], "country": "RU" }, "value": "Turla Group", "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. 
Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much-documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took. Kaspersky Lab, however, picked up a number of the attackers’ searches through their victims’ emails, which included terms such as Nato and EU energy dialogue. Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantec’s Gavin O’Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. 
Cyrillic was also seen in use.'", "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68" }, { "meta": { "synonyms": [ "Dragonfly", "Crouching Yeti", "Group 24", "Havex", "CrouchingYeti", "Koala Team" ], "country": "RU", "refs": [ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/" ] }, "description": "A Russian group that collects intelligence on the energy industry.", "value": "Energetic Bear", "uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee" }, { "meta": { "synonyms": [ "Sandworm Team", "Black Energy", "BlackEnergy", "Quedagh", "Voodoo Bear", "TEMP.Noble" ], "country": "RU", "refs": [ "http://www.isightpartners.com/2014/10/cve-2014-4114/", "http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-163A", "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid" ] }, "value": "Sandworm", "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35" }, { "meta": { "country": "RU", "refs": [ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [ "Sandworm" ] }, "value": "TeleBots", "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. 
In fact, we think that the BlackEnergy group has evolved into the TeleBots group.", "uuid": "b47250ec-2094-4d06-b658-11456e05fe89" }, { "meta": { "synonyms": [ "Carbanak", "Carbon Spider", "FIN7" ], "country": "RU", "refs": [ "https://en.wikipedia.org/wiki/Carbanak", "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/", "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns" ], "motive": "Cybercrime" }, "description": "Groups targeting financial organizations or people with significant financial assets.", "value": "Anunak", "uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb" }, { "meta": { "synonyms": [ "TeamSpy", "Team Bear", "Berserk Bear", "Anger Bear" ], "country": "RU", "refs": [ "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/" ] }, "value": "TeamSpy Crew", "uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445" }, { "meta": { "country": "RU", "refs": [ "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/" ] }, "value": "BuhTrap", "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb" }, { "meta": { "country": "RU" }, "value": "Berserk Bear", "uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624" }, { "meta": { "country": "RO", "synonyms": [ "FIN4" ] }, "value": "Wolf Spider", "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57" }, { "meta": { "country": "RU" }, "value": "Boulder Bear", "description": "First observed activity in December 2013.", "uuid": "85b40169-3d1c-491b-9fbf-877ed57f32e0" }, { "meta": { "country": "RU" }, "value": "Shark Spider", "description": "This 
group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.", "uuid": "7dd7a8df-9012-4d14-977f-b3f9f71266b4" }, { "meta": { "country": "RU", "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "value": "Union Spider", "description": "Adversary targeting manufacturing and industrial organizations.", "uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd" }, { "meta": { "country": "KP", "synonyms": [ "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team" ], "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "value": "Silent Chollima", "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7" }, { "meta": { "country": "KP", "synonyms": [ "Operation DarkSeoul", "Dark Seoul", "Hidden Cobra", "Hastati Group", "Andariel", "Unit 121", "Bureau 121", "NewRomanic Cyber Army Team", "Bluenoroff" ], "refs": [ "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/", "https://www.us-cert.gov/ncas/alerts/TA17-164A", "https://securelist.com/lazarus-under-the-hood/77908/", "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf", "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://www.us-cert.gov/ncas/alerts/TA17-318A", "https://www.us-cert.gov/ncas/alerts/TA17-318B" ] }, "value": "Lazarus Group", "description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. 
Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.", "uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376" }, { "meta": { "synonyms": [ "Appin", "OperationHangover" ], "country": "IN", "refs": [ "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" ] }, "value": "Viceroy Tiger", "uuid": "e2b87f81-a6a1-4524-b03f-193c3191d239" }, { "meta": { "synonyms": [ "DD4BC", "Ambiorx" ], "country": "US" }, "value": "Pizzo Spider", "uuid": "dd9806a9-a600-48f8-81fb-07f0f1b7690d" }, { "meta": { "synonyms": [ "TunisianCyberArmy" ], "country": "TN", "refs": [ "https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/" ] }, "value": "Corsair Jackal", "uuid": "59d63dd6-f46f-4334-ad15-30d2e1ee0623" }, { "value": "SNOWGLOBE", "meta": { "country": "FR", "refs": [ "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/", "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france", "http://www.cyphort.com/evilbunny-malware-instrumented-lua/", "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html" ], "synonyms": [ "Animal Farm" ] }, "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. 
The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.", "uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab" }, { "meta": { "synonyms": [ "SyrianElectronicArmy", "SEA" ], "country": "SY", "refs": [ "https://en.wikipedia.org/wiki/Syrian_Electronic_Army" ] }, "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear", "value": "Deadeye Jackal", "uuid": "4265d44e-8372-4ed0-b428-b331a5443d7d" }, { "meta": { "country": "PK", "synonyms": [ "C-Major" ], "refs": [ "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf" ] }, "value": "Operation C-Major", "description": "Group targeting Indian Army or related assets in India. 
Attribution to a Pakistani connection has been made by TrendMicro.", "uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905" }, { "meta": { "refs": [ "https://citizenlab.org/2016/05/stealth-falcon/" ], "synonyms": [ "FruityArmor" ], "country": "AE" }, "value": "Stealth Falcon", "description": "Group targeting Emirati journalists, activists, and dissidents.", "uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0" }, { "meta": { "synonyms": [ "Operation Daybreak", "Operation Erebus" ], "refs": [ "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/" ] }, "value": "ScarCruft", "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.", "uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338" }, { "meta": { "refs": [ "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" ], "synonyms": [ "Skipper", "Popeye" ], "country": "RU" }, "value": "Pacifier APT", "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail.", "uuid": "32db3cc1-bb79-4b08-a7a4-747a37221afa" }, { "meta": { "country": "CN", "refs": [ "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf" ] }, "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. 
With the potential to sell access to these devices to the highest bidder", "value": "HummingBad", "uuid": "12ab5c28-5f38-4a2f-bd40-40e9c500f4ac" }, { "meta": { "synonyms": [ "Chinastrats", "Patchwork", "Monsoon", "Sarit" ], "refs": [ "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign", "https://www.cymmetria.com/patchwork-targeted-attack/" ] }, "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", "value": "Dropping Elephant", "uuid": "18d473a5-831b-47a5-97a1-a32156299825" }, { "meta": { "refs": [ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ] }, "description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.", "value": "Operation Transparent Tribe", "uuid": "0b36d80d-5966-4c91-945b-1ac85552aa7b" }, { "meta": { "country": "CN", "refs": [ "https://attack.mitre.org/wiki/Groups", "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" ] }, "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. 
This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.", "value": "Scarlet Mimic", "uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e" }, { "meta": { "refs": [ "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/", "https://attack.mitre.org/wiki/Groups" ], "country": "BR" }, "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", "value": "Poseidon Group", "uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d" }, { "meta": { "synonyms": [ "Moafee" ], "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", "https://attack.mitre.org/wiki/Groups", "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor", "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor" ], "country": "CN" }, "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 
It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", "value": "DragonOK", "uuid": "a9b44750-992c-4743-8922-129880d277ea" }, { "meta": { "synonyms": [ "TG-3390", "Emissary Panda" ], "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", "https://attack.mitre.org" ], "country": "CN" }, "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.", "value": "Threat Group-3390", "uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045" }, { "meta": { "synonyms": [ "Strider", "Sauron" ], "refs": [ "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/" ] }, "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. 
The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.", "value": "ProjectSauron", "uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7" }, { "meta": { "refs": [ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://attack.mitre.org/wiki/Group/G0013" ], "synonyms": [ "APT30" ], "country": "CN" }, "value": "APT 30", "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.", "uuid": "f26144c5-8593-4e78-831a-11f6452d809b" }, { "meta": { "country": "CN" }, "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns", "value": "TA530", "uuid": "4b79d1f6-8333-44b6-ac32-d1ea7e47e77f" }, { "meta": { "refs": [ "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/" ], "country": "RU" }, "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", "value": "GCMAN", "uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0" }, { "meta": { "refs": [ "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" ], "country": "CN" }, "description": "Suckfly is a China-based threat group that has been active since at least 2014", "value": "Suckfly", "uuid": "5abb12e7-5066-4f84-a109-49a037205c76" }, { "meta": { "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" ] }, "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.", "value": "FIN6", "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302" }, { "meta": { "country": "LY" }, "description": "Libyan Scorpions is a malware operation in use since September 2015 
and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.", "value": "Libyan Scorpions", "uuid": "815cbe98-e157-4078-9caa-c5a25dd64731" }, { "meta": { "synonyms": [ "CorporacaoXRat", "CorporationXRat" ], "refs": [ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" ] }, "value": "TeamXRat", "uuid": "43ec65d1-a334-4c44-9a44-0fd21f27249d" }, { "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "http://www.clearskysec.com/oilrig/", "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", "http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20", "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/", "https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/", "https://pan-unit42.github.io/playbook_viewer/", "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json" ], "country": "IR", "synonyms": [ "Twisted Kitten", "Cobalt Gypsy" ] }, "value": "OilRig", "description": "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group 
has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. \r\n\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\r\n\r\n-Organized evasion testing used during the development of their tools.\r\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\r\n-Custom web-shells and backdoors used to persistently access servers.\r\n\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. 
OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.", "uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba" }, { "meta": { "refs": [ "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" ] }, "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", "value": "Volatile Cedar", "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a" }, { "meta": { "synonyms": [ "Reuse team", "Dancing Salome" ] }, "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.", "value": "Malware reusers", "uuid": "3d5192f2-f235-46fd-aa68-dd00cc17d632" }, { "value": "TERBIUM", "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" ] }, "uuid": "46670c51-fea4-45d6-bdd4-62e85a5c7404" }, { "value": "Molerats", "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. 
Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well, and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks" ], "synonyms": [ "Gaza Hackers Team", "Gaza cybergang", "Operation Molerats", "Extreme Jackal", "Moonlight" ] }, "uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde" }, { "value": "PROMETHIUM", "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users" ], "synonyms": [ "StrongPity" ], "country": "TR" }, "uuid": "43894e2a-174e-4931-94a8-2296afe8f650" }, { "value": "NEODYMIUM", "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. 
Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" ] }, "uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb" }, { "value": "Packrat", "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.", "meta": { "refs": [ "https://citizenlab.org/2015/12/packrat-report/" ] }, "uuid": "fe344665-d153-4d31-a32a-1509efde1ca7" }, { "value": "Cadelle", "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", "meta": { "refs": [ "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" ], "country": "IR" }, "uuid": "03f13462-003c-4296-8784-bccea16710a9" }, { "value": "Chafer", "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. 
Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", "meta": { "refs": [ "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" ], "country": "IR" }, "uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3" }, { "value": "PassCV", "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. 
We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ", "meta": { "refs": [ "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" ], "country": "CN" }, "uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965" }, { "value": "Sath-ı Müdafaa", "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.", "meta": { "country": "TR", "motive": "Hacktivists-Nationalists" }, "uuid": "a03e2b4b-617f-4d28-ac4b-9943f792aa22" }, { "value": "Aslan Neferler Tim", "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam", "meta": { "country": "TR", "synonyms": [ "Lion Soldiers Team", "Phantom Turk" ], "motive": "Hacktivists-Nationalists" }, "uuid": "23410d3f-c359-422d-9a4e-45f8fdf0c84a" }, { "value": "Ayyıldız Tim", "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. 
It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.", "meta": { "country": "TR", "synonyms": [ "Crescent and Star" ], "motive": "Hacktivists-Nationalists" }, "uuid": "ab1771de-25bb-4688-b132-eabb5d6452a1" }, { "value": "TurkHackTeam", "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ", "meta": { "country": "TR", "synonyms": [ "Turk Hack Team" ], "motive": "Hacktivists-Nationalists" }, "uuid": "7ae74dc6-ded3-4873-a803-abb4160d10c0" }, { "value": "Equation Group", "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame", "meta": { "country": "US", "refs": [ "https://en.wikipedia.org/wiki/Equation_Group" ], "synonyms": [ "Tilded Team", "Lamberts", "EQGRP" ] }, "uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840" }, { "value": "Greenbug", "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.", "meta": { "refs": [ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" ], "country": "IR" }, "uuid": "47204403-34c9-4d25-a006-296a0939d1a2" }, { "value": "Gamaredon Group", "description": "Unit 42 threat researchers have recently 
observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution" ] }, "uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb" }, { "meta": { "country": "CN", "synonyms": [ "Zhenbao", "TEMP.Zhenbao" ], "refs": [ "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242" ] }, "value": "Hammer Panda", "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia.", "uuid": "1f2762d9-a4b5-4457-ac51-00be05be9e23" }, { "meta": { "country": "IR", "synonyms": [ "Operation Mermaid" ], "refs": [ "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", "https://iranthreats.github.io/", "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" ] }, "value": "Infy", "description": "Infy is a group of suspected Iranian origin.", "uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e" }, { "meta": { "country": "IR", "refs": [ "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", "https://iranthreats.github.io/" ] }, "value": "Sima", "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.", "uuid": "80f9184d-1df3-4ad0-a452-cdb90fe57216" }, { "meta": { 
"country": "CN", "synonyms": [ "Cloudy Omega" ], "refs": [ "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/", "http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets" ] }, "value": "Blue Termite", "description": "Blue Termite is a group of suspected Chinese origin active in Japan.", "uuid": "a250af72-f66c-4d02-9f36-ab764ce9fe85" }, { "meta": { "country": "UA", "refs": [ "http://www.welivesecurity.com/2016/05/18/groundbait" ] }, "value": "Groundbait", "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.", "uuid": "8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73" }, { "meta": { "refs": [ "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/" ], "country": "US" }, "value": "Longhorn", "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. 
On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.", "uuid": "2f3311cd-8476-4be7-9005-ead920afc781" }, { "meta": { "refs": [ "https://www.f-secure.com/documents/996508/1030745/callisto-group" ] }, "value": "Callisto", "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.", "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f" }, { "meta": { "synonyms": [ "OceanLotus Group", "Ocean Lotus", "Cobalt Kitty", "APT-C-00", "SeaLotus", "APT-32", "APT 32" ], "refs": [ "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/", "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/", "https://www.brighttalk.com/webcast/10703/261205", "https://github.com/eset/malware-research/tree/master/oceanlotus" ] }, "value": "APT32", "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. 
FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.", "uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7" }, { "value": "SilverTerrier", "description": "As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available. ", "meta": { "country": "NG", "refs": [ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf" ] }, "uuid": "acbfd9e4-f78c-4ae0-9b52-c35ed679e546" }, { "value": "WildNeutron", "description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not state-sponsored but rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.", "meta": { "refs": [ "https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks", "https://securelist.com/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/", "https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/" ], "synonyms": [ "Butterfly", "Morpho", "Sphinx Moth" ] }, "uuid": "e7df3572-0c96-4968-8e5a-803ef4219762" }, { "value": "PLATINUM", "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. 
Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.", "meta": { "refs": [ "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf", "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/" ], "synonyms": [ "TwoForOne" ] }, "uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a" }, { "value": "ELECTRUM", "description": "Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. 
Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.", "meta": { "refs": [ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" ], "synonyms": [ "Sandworm" ] }, "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c" }, { "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf", "http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf" ] }, "description": "FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.", "value": "FIN8", "uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73" }, { "value": "El Machete", "description": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. 
All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.", "meta": { "refs": [ "https://securelist.com/blog/research/66108/el-machete/", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html" ] }, "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3" }, { "value": "Cobalt", "description": "A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.", "meta": { "refs": [ "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/" ], "synonyms": [ "Cobalt group", "Cobalt gang" ] }, "uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe" }, { "meta": { "country": "CN", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter" ] }, "value": "TA459", "uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314" }, { "meta": { "refs": [ "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter" ], "country": "RU" }, "value": "Cyber Berkut", "uuid": "4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8" }, { "meta": { "country": "CN", "refs": [ "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==", "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/" ] }, "value": "Tonto Team", "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26" }, { "value": "Danti", "meta": { "refs": [ 
"https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" ] }, "uuid": "fb745fe1-5478-4d47-ad3d-7389fa4a6f77" }, { "value": "APT5", "meta": { "refs": [ "https://www.fireeye.com/current-threats/apt-groups.html" ] }, "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795" }, { "meta": { "country": "CN", "synonyms": [ "APT22" ], "refs": [ "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild" ] }, "value": "APT 22", "uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842" }, { "meta": { "synonyms": [ "Bronze Butler" ], "country": "CN", "refs": [ "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan", "https://www.secureworks.jp/resources/rp-bronze-butler", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" ] }, "value": "Tick", "uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8" }, { "meta": { "synonyms": [ "APT26", "Hippo Team", "JerseyMikes" ], "country": "CN" }, "value": "APT 26", "uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11" }, { "meta": { "country": "CN", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "value": "Sabre Panda", "uuid": "67adfa07-869f-4052-9d56-b88a51489902" }, { "meta": { "country": "CN", "refs": [ "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?" 
] }, "value": "Big Panda", "uuid": "06e89270-ca1b-4cd4-85f3-940d23c76766" }, { "meta": { "country": "CN", "refs": [ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" ] }, "value": "Poisonous Panda", "uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c" }, { "value": "Ghost Jackal", "meta": { "refs": [ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "uuid": "7ad01582-d6a7-4a40-a0ee-7727e268cd15" }, { "meta": { "country": "KP", "refs": [ "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/" ] }, "value": "TEMP.Hermit", "uuid": "73c636ae-e55c-4167-bf40-315789698adb" }, { "meta": { "synonyms": [ "Superman" ], "country": "CN", "refs": [ "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/", "https://www.threatconnect.com/china-superman-apt/" ] }, "value": "Mofang", "uuid": "999f3008-2b2f-467d-ab4d-c5a2fd80b344" }, { "meta": { "country": "IR", "synonyms": [ "Slayer Kitten" ], "refs": [ "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf", "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/", "http://www.clearskysec.com/copykitten-jpost/", "http://www.clearskysec.com/tulip/" ] }, "value": "CopyKittens", "uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae" }, { "value": "EvilPost", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ] }, "uuid": "9035bfbf-a73f-4948-9df2-bd893e9cafef" }, { "meta": { "country": "CN", "refs": [ "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" ] }, "value": "SVCMONDR", "description": "The referenced link links this 
group to Temper Panda", "uuid": "70b80bcc-58e3-4a09-a3bf-98c0412bb7d3" }, { "value": "Test Panda", "meta": { "country": "CN", "refs": [ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ] }, "uuid": "cd6ac640-9ae9-4aa9-89cd-89b95be1a3ab" }, { "meta": { "country": "IR", "refs": [ "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/", "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/" ] }, "value": "Madi", "uuid": "d5dacda0-12c2-4e80-bdf2-1c5019ec40e2" }, { "meta": { "country": "CN", "refs": [ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ] }, "value": "Electric Panda", "uuid": "69059ec9-45c9-4961-a07e-6b2f2228f0ce" }, { "meta": { "country": "CN", "synonyms": [ "PLA Navy", "Sykipot" ], "refs": [ "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments", "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919" ] }, "value": "Maverick Panda", "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b" }, { "meta": { "country": "KP", "refs": [ "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/" ] }, "value": "Kimsuki", "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3" }, { "value": "Snake Wine", "meta": { "refs": [ "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html" ] }, "uuid": "7b6ba207-94de-4f94-bc7f-52cd0dafade5" }, { "value": "Careto", "meta": { "refs": [ "https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/" ], "synonyms": [ "The Mask" ] }, "uuid": "069ba781-b2d9-4403-9d9d-c599f5e0181d" }, { "meta": { "country": "CN", "refs": [ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ] }, "value": "Gibberish Panda", 
"uuid": "b07cf296-7ab9-4b85-a07e-421607c212b0" }, { "meta": { "country": "KP", "refs": [ "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml" ] }, "value": "OnionDog", "uuid": "5898e11e-a023-464d-975c-b36fb1639e69" }, { "meta": { "country": "IR", "synonyms": [ "Group 41" ], "refs": [ "http://www.crowdstrike.com/blog/whois-clever-kitten/" ] }, "value": "Clever Kitten", "uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be" }, { "meta": { "refs": [ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "value": "Andromeda Spider", "uuid": "e85ab78c-5e86-403c-b444-9cdcc167fb77" }, { "value": "Cyber Caliphate Army", "meta": { "refs": [ "https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division", "https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697" ], "synonyms": [ "Islamic State Hacking Division", "CCA", "United Cyber Caliphate", "UUC" ] }, "uuid": "76f6ad4e-2ff3-4ccb-b81d-18162f290af0" }, { "meta": { "country": "RU", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "value": "Magnetic Spider", "uuid": "430ba885-cd24-492e-804c-815176ed9b1e" }, { "meta": { "country": "CN", "refs": [ "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf" ] }, "value": "Group 27", "uuid": "73e4728a-955e-426a-b144-8cb95131f2ca" }, { "meta": { "refs": [ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "value": "Singing Spider", "uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50" }, { "meta": { "country": "IR", "synonyms": [ "Fraternal Jackal" ], "refs": [ "http://pastebin.com/u/QassamCyberFighters", 
"http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html" ] }, "value": "Cyber fighters of Izz Ad-Din Al Qassam", "uuid": "22c2b363-5d8f-4b04-96db-1b6cf4d7e8db" }, { "meta": { "synonyms": [ "1.php Group", "APT6" ], "country": "CN" }, "value": "APT 6", "uuid": "1a2592a3-eab7-417c-bf2d-9c0558c2b3e7" }, { "value": "AridViper", "meta": { "refs": [ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf", "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html", "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/", "https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf", "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/", "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View", "https://www.ci-project.org/blog/2017/3/4/arid-viper", "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", "https://www.threatconnect.com/blog/kasperagent-malware-campaign/" ], "synonyms": [ "Desert Falcon", "Arid Viper", "APT-C-23" ] }, "uuid": "0cfff0f4-868c-40a1-b9b4-0d153c0b33b6" }, { "meta": { "refs": [ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, "value": "Dextorous Spider", "uuid": "445c7b62-028b-455e-9d65-74899b7006a4" }, { "value": "Unit 8200", "meta": { "country": "IL", "refs": [ "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", "https://archive.org/details/Stuxnet" ], "synonyms": [ "Duqu Group" ] }, "uuid": "e9a6cbd7-ca27-4894-ae20-9d11c06fdc02" }, { "meta": { "refs": [ "https://securelist.com/introducing-whitebear/81638/" ], "synonyms": [ "Skipper Turla" ], "country": "RU" }, "value": "White Bear", 
"uuid": "dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6" }, { "meta": { "country": "CN", "refs": [ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, "value": "Pale Panda", "uuid": "43992f81-fd29-4228-94e0-c3aa3e65aab7" }, { "meta": { "country": "CN", "refs": [ "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/" ] }, "value": "Mana Team", "uuid": "110792e8-38d2-4df2-9ea3-08b60321e994" }, { "meta": { "refs": [ "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ] }, "description": "Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ", "value": "Sowbug", "uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5" }, { "meta": { "refs": [ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" ] }, "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. 
Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.", "value": "MuddyWater", "uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b" }, { "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/", "https://www.group-ib.com/resources/reports/money-taker.html", "https://www.group-ib.com/blog/moneytaker" ] }, "description": "In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.", "value": "MoneyTaker", "uuid": "7d78ec00-dfdc-4a80-a4da-63f1ae63bd7f" }, { "value": "Microcin", "description": "We’re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. 
Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it ‘Microcin’ after microini, one of the malicious components used in it.", "meta": { "refs": [ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" ] }, "uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632" }, { "meta": { "country": "LB", "refs": [ "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ] }, "value": "Dark Caracal", "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.", "uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94" }, { "value": "Nexus Zeta", "description": "Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014-8361 and CVE-2017-17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.", "meta": { "refs": [ "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7" ] }, "uuid": "8c21ce09-33c3-412c-bb55-323765e89a60" }, { "value": "APT37", "description": "APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. 
In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://twitter.com/mstoned7/status/966126706107953152" ], "synonyms": [ "APT 37", "Group 123", "Starcruft", "Reaper", "Red Eyes", "Ricochet Chollima" ], "country": "KP" } }, { "value": "Leviathan", "description": "Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.", "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [ "TEMP.Periscope" ], "country": "CN" }, "uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9" }, { "value": "APT34", "description": "Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. 
The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.", "meta": { "refs": [ "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/", "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" ], "synonyms": [ "APT 34" ], "country": "IR" }, "uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda" }, { "value": "APT35", "description": "FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.", "meta": { "refs": [ "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" ], "synonyms": [ "APT 35", "Newscaster Team" ], "country": "IR" }, "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e" }, { "value": "Operation Parliament", "description": "Kaspersky Lab has been tracking a series of attacks utilizing unknown malware since early 2017. The attacks appear to be geopolitically motivated and target high profile organizations. 
The objective of the attacks is clearly espionage – they involve gaining access to top legislative, executive and judicial bodies around the world.", "meta": { "refs": [ "https://securelist.com/operation-parliament-who-is-doing-what/85237/" ] }, "uuid": "20f2d3a4-3ee7-11e8-8e78-837fd23517e0" }, { "value": "Orangeworm", "description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.", "meta": { "refs": [ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" ] }, "uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c" }, { "value": "ALLANITE", "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", "meta": { "refs": [ "https://dragos.com/adversaries.html" ], "mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection", "since": "2017", "capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec", "victimology": "Electric utilities, US and UK", "synonyms": [ "Palmetto Fusion" ] }, "uuid": "a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470" }, { "value": "CHRYSENE", "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", "meta": { "refs": [ "https://dragos.com/adversaries.html" ], "mode-of-operation": "IT compromise, information gathering and recon against industrial orgs", "since": "2017", "capabilities": "Watering holes, 
64-bit malware, covert C2 via IPv6 DNS, ISMDOOR", "victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America", "synonyms": [ "OilRig", "Greenbug" ] }, "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1" }, { "value": "COVELLITE", "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", "meta": { "refs": [ "https://dragos.com/adversaries.html" ], "mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs", "since": "2017", "capabilities": "Encoded binaries in documents, evasion techniques", "victimology": "Electric Utilities, US", "synonyms": [ "Lazarus", "Hidden Cobra" ] }, "uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b" }, { "value": "DYMALLOY", "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", "meta": { "refs": [ "https://dragos.com/adversaries.html" ], "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details", "since": "2016", "capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz", "victimology": "Turkey, Europe, US", "synonyms": [ "Dragonfly2", "Berserker Bear" ] }, "uuid": "a08ab076-33c1-4350-b021-650c34277f2d" }, { "value": "ELECTRUM", "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", "meta": { "refs": [ "https://dragos.com/adversaries.html" ], "mode-of-operation": "Electric grid disruption and long-term persistence", "since": "2016", "capabilities": "CRASHOVERRIDE", "victimology": "Ukraine, Electric Utilities", "synonyms": [ "Sandworm" ] }, "uuid": "a2d44915-6cff-43cf-8a53-f4850058ad05" }, { "value": "MAGNALLIUM", "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", "meta": { "refs": [ "https://dragos.com/adversaries.html" ], "mode-of-operation": "IT network limited, information gathering against industrial orgs", "since": "2016", "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware", "victimology": "Petrochemical, Aerospace, Saudi Arabia", 
"synonyms": [ "APT33" ] }, "uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2" }, { "value": "XENOTIME", "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", "meta": { "refs": [ "https://dragos.com/adversaries.html" ], "mode-of-operation": "Focused on physical destruction and long-term persistence", "since": "2014", "capabilities": "TRISIS, custom credential harvesting", "victimology": "Oil and Gas, Middle East", "synonyms": [] }, "uuid": "3dddc77e-a52a-466a-bf1c-1463e352077f" }, { "value": "ZooPark", "description": "ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.", "meta": { "refs": [ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03095519/ZooPark_for_public_final.pdf" ] }, "uuid": "4defbf2e-4f73-11e8-807f-578d61da7568" } ], "name": "Threat actor", "type": "threat-actor", "source": "MISP Project", "authors": [ "Alexandre Dulaunoy", "Florian Roth", "Thomas Schreck", "Timo Steffens", "Various" ], "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", "version": 39 }