  1. {
  2. "authors": [
  3. "Alexandre Dulaunoy",
  4. "Florian Roth",
  5. "Thomas Schreck",
  6. "Timo Steffens",
  7. "Various"
  8. ],
  9. "category": "actor",
  10. "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. The threat-actor-classification meta field can be used to clarify whether an entry is understood as an actor, an operation, a campaign or an activity group.",
  11. "name": "Threat Actor",
  12. "source": "MISP Project",
  13. "type": "threat-actor",
  14. "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
  15. "values": [
  16. {
  17. "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks; it was publicly identified as APT1 in the Mandiant APT1 report.",
  18. "meta": {
  19. "attribution-confidence": "50",
  20. "cfr-suspected-state-sponsor": "China",
  21. "cfr-suspected-victims": [
  22. "United States",
  23. "Taiwan",
  24. "Israel",
  25. "Norway",
  26. "United Arab Emirates",
  27. "United Kingdom",
  28. "Singapore",
  29. "India",
  30. "Belgium",
  31. "South Africa",
  32. "Switzerland",
  33. "Canada",
  34. "France",
  35. "Luxembourg",
  36. "Japan"
  37. ],
  38. "cfr-target-category": [
  39. "Private sector",
  40. "Government"
  41. ],
  42. "cfr-type-of-incident": "Espionage",
  43. "country": "CN",
  44. "refs": [
  45. "https://en.wikipedia.org/wiki/PLA_Unit_61398",
  46. "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf",
  47. "https://www.cfr.org/interactive/cyber-operations/pla-unit-61398",
  48. "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
  49. "https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/",
  50. "https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html",
  51. "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/",
  52. "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf",
  53. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  54. "https://attack.mitre.org/groups/G0006/",
  55. "https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html"
  56. ],
  57. "synonyms": [
  58. "Comment Panda",
  59. "PLA Unit 61398",
  60. "APT 1",
  61. "APT1",
  62. "Advanced Persistent Threat 1",
  63. "Byzantine Candor",
  64. "Group 3",
  65. "TG-8223",
  66. "Comment Group",
  67. "Brown Fox",
  68. "GIF89a",
  69. "ShadyRAT",
  70. "Shanghai Group"
  71. ]
  72. },
  73. "related": [
  74. {
  75. "dest-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
  76. "tags": [
  77. "estimative-language:likelihood-probability=\"likely\""
  78. ],
  79. "type": "similar"
  80. }
  81. ],
  82. "uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
  83. "value": "Comment Crew"
  84. },
  85. {
  86. "description": "The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. Stalker Panda has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States. The attacks appear to be centered on political, media, and engineering sectors. The group appears to have been active since around 2010 and they maintain and upgrade their tools regularly.",
  87. "meta": {
  88. "attribution-confidence": "50",
  89. "country": "CN",
  90. "refs": [
  91. "https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf"
  92. ]
  93. },
  94. "uuid": "36843742-adf1-427c-a7c0-067d74b4aeaf",
  95. "value": "Stalker Panda"
  96. },
  97. {
  98. "description": "Nitro was the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the same attackers in 2014.",
  99. "meta": {
  100. "attribution-confidence": "50",
  101. "country": "CN",
  102. "refs": [
  103. "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf",
  104. "https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/",
  105. "https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/"
  106. ],
  107. "synonyms": [
  108. "Covert Grove"
  109. ]
  110. },
  111. "uuid": "0b06fb39-ed3d-4868-ac42-12fff6df2c80",
  112. "value": "Nitro"
  113. },
  114. {
  115. "description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors’ computers with malware.'",
  116. "meta": {
  117. "attribution-confidence": "50",
  118. "country": "CN",
  119. "refs": [
  120. "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
  121. "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
  122. "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html",
  123. "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
  124. ],
  125. "synonyms": [
  126. "C0d0so",
  127. "APT19",
  128. "APT 19",
  129. "Sunshop Group"
  130. ]
  131. },
  132. "related": [
  133. {
  134. "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
  135. "tags": [
  136. "estimative-language:likelihood-probability=\"likely\""
  137. ],
  138. "type": "similar"
  139. },
  140. {
  141. "dest-uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
  142. "tags": [
  143. "estimative-language:likelihood-probability=\"likely\""
  144. ],
  145. "type": "similar"
  146. },
  147. {
  148. "dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
  149. "tags": [
  150. "estimative-language:likelihood-probability=\"likely\""
  151. ],
  152. "type": "similar"
  153. }
  154. ],
  155. "uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
  156. "value": "Codoso"
  157. },
  158. {
  159. "meta": {
  160. "refs": [
  161. "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf",
  162. "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack",
  163. "https://attack.mitre.org/groups/G0031/"
  164. ]
  165. },
  166. "related": [
  167. {
  168. "dest-uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
  169. "tags": [
  170. "estimative-language:likelihood-probability=\"likely\""
  171. ],
  172. "type": "similar"
  173. }
  174. ],
  175. "uuid": "9e71024e-817f-45b0-92a0-d886c30bc929",
  176. "value": "Dust Storm"
  177. },
  178. {
  179. "meta": {
  180. "attribution-confidence": "50",
  181. "country": "CN",
  182. "synonyms": [
  183. "temp.bottle"
  184. ]
  185. },
  186. "uuid": "ad022538-b457-4839-8ebd-3fdcc807a820",
  187. "value": "Keyhole Panda"
  188. },
  189. {
  190. "meta": {
  191. "attribution-confidence": "50",
  192. "country": "CN",
  193. "refs": [
  194. "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
  195. ]
  196. },
  197. "uuid": "ba8973b2-fd97-4aa7-9307-ea4838d96428",
  198. "value": "Wet Panda"
  199. },
  200. {
  201. "description": "Adversary group targeting telecommunication and technology organizations.",
  202. "meta": {
  203. "attribution-confidence": "50",
  204. "country": "CN",
  205. "refs": [
  206. "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
  207. ]
  208. },
  209. "uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd",
  210. "value": "Foxy Panda"
  211. },
  212. {
  213. "meta": {
  214. "attribution-confidence": "50",
  215. "country": "CN",
  216. "refs": [
  217. "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
  218. ]
  219. },
  220. "uuid": "1969f622-d64a-4436-9a34-4c47fcb2535f",
  221. "value": "Predator Panda"
  222. },
  223. {
  224. "meta": {
  225. "attribution-confidence": "50",
  226. "country": "CN",
  227. "refs": [
  228. "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
  229. ]
  230. },
  231. "uuid": "7195b51f-500e-4034-a851-bf34a2728dc8",
  232. "value": "Union Panda"
  233. },
  234. {
  235. "meta": {
  236. "attribution-confidence": "50",
  237. "country": "CN",
  238. "refs": [
  239. "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
  240. ]
  241. },
  242. "uuid": "4959652d-72fa-46e4-be20-4ec686409bfb",
  243. "value": "Spicy Panda"
  244. },
  245. {
  246. "meta": {
  247. "attribution-confidence": "50",
  248. "country": "CN",
  249. "refs": [
  250. "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
  251. ]
  252. },
  253. "uuid": "432b0304-768f-4fb9-9762-e745ef524ec7",
  254. "value": "Eloquent Panda"
  255. },
  256. {
  257. "meta": {
  258. "synonyms": [
  259. "LadyBoyle"
  260. ]
  261. },
  262. "uuid": "8a8f39df-74b3-4946-ab64-f84968bababe",
  263. "value": "Dizzy Panda"
  264. },
  265. {
  266. "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
  267. "meta": {
  268. "attribution-confidence": "50",
  269. "cfr-suspected-state-sponsor": "China",
  270. "cfr-suspected-victims": [
  271. "U.S. satellite and aerospace sector"
  272. ],
  273. "cfr-target-category": [
  274. "Private sector",
  275. "Government"
  276. ],
  277. "cfr-type-of-incident": "Espionage",
  278. "country": "CN",
  279. "refs": [
  280. "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
  281. "https://www.cfr.org/interactive/cyber-operations/putter-panda",
  282. "https://attack.mitre.org/groups/G0024/"
  283. ],
  284. "synonyms": [
  285. "PLA Unit 61486",
  286. "APT 2",
  287. "APT2",
  288. "Group 36",
  289. "APT-2",
  290. "MSUpdater",
  291. "4HCrew",
  292. "SULPHUR",
  293. "SearchFire",
  294. "TG-6952"
  295. ]
  296. },
  297. "related": [
  298. {
  299. "dest-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
  300. "tags": [
  301. "estimative-language:likelihood-probability=\"likely\""
  302. ],
  303. "type": "similar"
  304. }
  305. ],
  306. "uuid": "0ca45163-e223-4167-b1af-f088ed14a93d",
  307. "value": "Putter Panda"
  308. },
  309. {
  310. "description": "Symantec described UPS in a 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeye's focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'",
  311. "meta": {
  312. "attribution-confidence": "50",
  313. "cfr-suspected-state-sponsor": "China",
  314. "cfr-suspected-victims": [
  315. "United States",
  316. "United Kingdom",
  317. "Hong Kong"
  318. ],
  319. "cfr-target-category": [
  320. "Private sector"
  321. ],
  322. "cfr-type-of-incident": "Espionage",
  323. "country": "CN",
  324. "refs": [
  325. "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
  326. "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
  327. "https://www.cfr.org/interactive/cyber-operations/apt-3",
  328. "https://www.secureworks.com/research/threat-profiles/bronze-mayfair"
  329. ],
  330. "synonyms": [
  331. "Gothic Panda",
  332. "TG-0110",
  333. "APT 3",
  334. "Group 6",
  335. "UPS Team",
  336. "APT3",
  337. "Buckeye",
  338. "Boyusec",
  339. "BORON",
  340. "BRONZE MAYFAIR"
  341. ]
  342. },
  343. "related": [
  344. {
  345. "dest-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
  346. "tags": [
  347. "estimative-language:likelihood-probability=\"likely\""
  348. ],
  349. "type": "similar"
  350. }
  351. ],
  352. "uuid": "d144c83e-2302-4947-9e24-856fbf7949ae",
  353. "value": "UPS"
  354. },
  355. {
  356. "description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'",
  357. "meta": {
  358. "attribution-confidence": "50",
  359. "cfr-suspected-state-sponsor": "Korea (Republic of)",
  360. "cfr-suspected-victims": [
  361. "Japan",
  362. "Russia",
  363. "Taiwan",
  364. "South Korea",
  365. "China"
  366. ],
  367. "cfr-target-category": [
  368. "Private sector"
  369. ],
  370. "cfr-type-of-incident": "Espionage",
  371. "country": "KR",
  372. "refs": [
  373. "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
  374. "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
  375. "https://securelist.com/blog/research/66779/the-darkhotel-apt/",
  376. "https://securelist.com/the-darkhotel-apt/66779/",
  377. "https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726",
  378. "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
  379. "https://www.cfr.org/interactive/cyber-operations/darkhotel",
  380. "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
  381. "https://attack.mitre.org/groups/G0012/",
  382. "https://www.secureworks.com/research/threat-profiles/tungsten-bridge",
  383. "https://www.antiy.cn/research/notice&report/research_report/20200522.html"
  384. ],
  385. "synonyms": [
  386. "DUBNIUM",
  387. "Fallout Team",
  388. "Karba",
  389. "Luder",
  390. "Nemim",
  391. "Nemin",
  392. "Tapaoux",
  393. "Pioneer",
  394. "Shadow Crane",
  395. "APT-C-06",
  396. "SIG25",
  397. "TUNGSTEN BRIDGE",
  398. "T-APT-02"
  399. ]
  400. },
  401. "related": [
  402. {
  403. "dest-uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a",
  404. "tags": [
  405. "estimative-language:likelihood-probability=\"likely\""
  406. ],
  407. "type": "similar"
  408. }
  409. ],
  410. "uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d",
  411. "value": "DarkHotel"
  412. },
  413. {
  414. "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.",
  415. "meta": {
  416. "attribution-confidence": "50",
  417. "cfr-suspected-state-sponsor": "China",
  418. "cfr-suspected-victims": [
  419. "Taiwan",
  420. "Japan"
  421. ],
  422. "cfr-target-category": [
  423. "Private sector",
  424. "Government"
  425. ],
  426. "cfr-type-of-incident": "Espionage",
  427. "country": "CN",
  428. "refs": [
  429. "http://www.crowdstrike.com/blog/whois-numbered-panda/",
  430. "https://www.cfr.org/interactive/cyber-operations/apt-12",
  431. "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
  432. "https://www.secureworks.com/research/threat-profiles/bronze-globe"
  433. ],
  434. "synonyms": [
  435. "Numbered Panda",
  436. "TG-2754",
  437. "BeeBus",
  438. "Group 22",
  439. "DynCalc",
  440. "Calc Team",
  441. "DNSCalc",
  442. "Crimson Iron",
  443. "APT12",
  444. "APT 12",
  445. "BRONZE GLOBE"
  446. ]
  447. },
  448. "related": [
  449. {
  450. "dest-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
  451. "tags": [
  452. "estimative-language:likelihood-probability=\"likely\""
  453. ],
  454. "type": "similar"
  455. }
  456. ],
  457. "uuid": "48146604-6693-4db1-bd94-159744726514",
  458. "value": "IXESHE"
  459. },
  460. {
  461. "description": "Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the Encapsulated PostScript (EPS) 'dict copy' use-after-free vulnerability described in the referenced FireEye report, chained with the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that FireEye refers to as IRONHALO, or a backdoor that FireEye refers to as ELMER.",
  462. "meta": {
  463. "attribution-confidence": "50",
  464. "cfr-suspected-state-sponsor": "China",
  465. "cfr-suspected-victims": [
  466. "Japan",
  467. "Taiwan"
  468. ],
  469. "cfr-target-category": [
  470. "Private sector"
  471. ],
  472. "cfr-type-of-incident": "Espionage",
  473. "country": "CN",
  474. "refs": [
  475. "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
  476. "https://www.cfr.org/interactive/cyber-operations/apt-16"
  477. ],
  478. "synonyms": [
  479. "APT16",
  480. "SVCMONDR"
  481. ]
  482. },
  483. "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
  484. "value": "APT 16"
  485. },
  486. {
  487. "description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'",
  488. "meta": {
  489. "attribution-confidence": "50",
  490. "cfr-suspected-state-sponsor": "China",
  491. "cfr-suspected-victims": [
  492. "United States"
  493. ],
  494. "cfr-target-category": [
  495. "Government",
  496. "Private sector",
  497. "Civil society"
  498. ],
  499. "cfr-type-of-incident": "Espionage",
  500. "country": "CN",
  501. "refs": [
  502. "https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
  503. "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
  504. "https://www.cfr.org/interactive/cyber-operations/apt-17",
  505. "https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
  506. "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
  507. "https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
  508. "https://www.recordedfuture.com/hidden-lynx-analysis/",
  509. "https://www.secureworks.com/research/threat-profiles/bronze-keystone"
  510. ],
  511. "synonyms": [
  512. "APT 17",
  513. "Deputy Dog",
  514. "Group 8",
  515. "APT17",
  516. "Hidden Lynx",
  517. "Tailgater Team",
  518. "Dogfish",
  519. "BRONZE KEYSTONE"
  520. ]
  521. },
  522. "related": [
  523. {
  524. "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
  525. "tags": [
  526. "estimative-language:likelihood-probability=\"likely\""
  527. ],
  528. "type": "similar"
  529. },
  530. {
  531. "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
  532. "tags": [
  533. "estimative-language:likelihood-probability=\"likely\""
  534. ],
  535. "type": "similar"
  536. },
  537. {
  538. "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
  539. "tags": [
  540. "estimative-language:likelihood-probability=\"likely\""
  541. ],
  542. "type": "similar"
  543. },
  544. {
  545. "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
  546. "tags": [
  547. "estimative-language:likelihood-probability=\"likely\""
  548. ],
  549. "type": "similar"
  550. }
  551. ],
  552. "uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
  553. "value": "Aurora Panda"
  554. },
  555. {
  556. "description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of Hacking Team's Flash zero-day exploit.'",
  557. "meta": {
  558. "attribution-confidence": "50",
  559. "cfr-suspected-state-sponsor": "China",
  560. "cfr-suspected-victims": [
  561. "United States"
  562. ],
  563. "cfr-target-category": [
  564. "Government",
  565. "Private sector",
  566. "Civil society"
  567. ],
  568. "cfr-type-of-incident": "Espionage",
  569. "country": "CN",
  570. "refs": [
  571. "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828",
  572. "https://www.cfr.org/interactive/cyber-operations/apt-18"
  573. ],
  574. "synonyms": [
  575. "Dynamite Panda",
  576. "TG-0416",
  577. "APT 18",
  578. "SCANDIUM",
  579. "PLA Navy",
  580. "APT18"
  581. ]
  582. },
  583. "related": [
  584. {
  585. "dest-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
  586. "tags": [
  587. "estimative-language:likelihood-probability=\"likely\""
  588. ],
  589. "type": "similar"
  590. },
  591. {
  592. "dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
  593. "tags": [
  594. "estimative-language:likelihood-probability=\"likely\""
  595. ],
  596. "type": "similar"
  597. }
  598. ],
  599. "uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
  600. "value": "Wekby"
  601. },
  602. {
  603. "description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describes Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The group's objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'",
  604. "meta": {
  605. "attribution-confidence": "50",
  606. "cfr-suspected-state-sponsor": "China",
  607. "cfr-suspected-victims": [
  608. "United States",
  609. "Netherlands",
  610. "Italy",
  611. "Japan",
  612. "United Kingdom",
  613. "Belgium",
  614. "Russia",
  615. "Indonesia",
  616. "Germany",
  617. "Switzerland",
  618. "China"
  619. ],
  620. "cfr-target-category": [
  621. "Government",
  622. "Private sector"
  623. ],
  624. "cfr-type-of-incident": "Espionage",
  625. "country": "CN",
  626. "refs": [
  627. "https://securelist.com/winnti-faq-more-than-just-a-game/57585/",
  628. "https://securelist.com/winnti-more-than-just-a-game/37029/",
  629. "http://williamshowalter.com/a-universal-windows-bootkit/",
  630. "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
  631. "https://www.cfr.org/interactive/cyber-operations/axiom",
  632. "https://securelist.com/games-are-over/70991/",
  633. "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
  634. "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
  635. "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
  636. "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
  637. "https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004",
  638. "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
  639. "https://401trg.com/burning-umbrella/",
  640. "https://attack.mitre.org/groups/G0044/",
  641. "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/",
  642. "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
  643. "https://www.secureworks.com/research/threat-profiles/bronze-export",
  644. "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
  645. "https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
  646. "https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf"
  647. ],
  648. "synonyms": [
  649. "Winnti Umbrella",
  650. "Winnti Group",
  651. "Suckfly",
  652. "APT41",
  653. "APT 41",
  654. "Group72",
  655. "Group 72",
  656. "Blackfly",
  657. "LEAD",
  658. "WICKED SPIDER",
  659. "WICKED PANDA",
  660. "BARIUM",
  661. "BRONZE ATLAS",
  662. "BRONZE EXPORT",
  663. "Red Kelpie"
  664. ]
  665. },
  666. "related": [
  667. {
  668. "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
  669. "tags": [
  670. "estimative-language:likelihood-probability=\"likely\""
  671. ],
  672. "type": "similar"
  673. },
  674. {
  675. "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
  676. "tags": [
  677. "estimative-language:likelihood-probability=\"likely\""
  678. ],
  679. "type": "similar"
  680. },
  681. {
  682. "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
  683. "tags": [
  684. "estimative-language:likelihood-probability=\"likely\""
  685. ],
  686. "type": "similar"
  687. },
  688. {
  689. "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
  690. "tags": [
  691. "estimative-language:likelihood-probability=\"likely\""
  692. ],
  693. "type": "similar"
  694. }
  695. ],
  696. "uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
  697. "value": "Axiom"
  698. },
  699. {
  700. "description": "Adversary group targeting financial, technology and non-profit organisations.",
  701. "meta": {
  702. "attribution-confidence": "50",
  703. "cfr-suspected-state-sponsor": "China",
  704. "cfr-suspected-victims": [
  705. "United States"
  706. ],
  707. "cfr-target-category": [
  708. "Private sector",
  709. "Military"
  710. ],
  711. "cfr-type-of-incident": "Espionage",
  712. "country": "CN",
  713. "refs": [
  714. "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
  715. "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
  716. "https://www.cfr.org/interactive/cyber-operations/deep-panda",
  717. "https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/",
  718. "https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/",
  719. "https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/",
  720. "https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/",
  721. "https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/",
  722. "https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/",
  723. "https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/",
  724. "https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/",
  725. "https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442",
  726. "https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html",
  727. "https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/",
  728. "https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/",
  729. "https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html",
  730. "https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/",
  731. "https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
  732. "https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
  733. "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
  734. "https://attack.mitre.org/groups/G0009/",
  735. "https://www.secureworks.com/research/threat-profiles/bronze-firestone"
  736. ],
  737. "synonyms": [
  738. "Deep Panda",
  739. "WebMasters",
  740. "APT 19",
  741. "KungFu Kittens",
  742. "Black Vine",
  743. "Group 13",
  744. "PinkPanther",
  745. "Sh3llCr3w",
  746. "BRONZE FIRESTONE"
  747. ]
  748. },
  749. "related": [
  750. {
  751. "dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
  752. "tags": [
  753. "estimative-language:likelihood-probability=\"likely\""
  754. ],
  755. "type": "similar"
  756. },
  757. {
  758. "dest-uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
  759. "tags": [
  760. "estimative-language:likelihood-probability=\"likely\""
  761. ],
  762. "type": "similar"
  763. },
  764. {
  765. "dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
  766. "tags": [
  767. "estimative-language:likelihood-probability=\"likely\""
  768. ],
  769. "type": "similar"
  770. }
  771. ],
  772. "uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
  773. "value": "Shell Crew"
  774. },
  775. {
  776. "description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'",
  777. "meta": {
  778. "attribution-confidence": "50",
  779. "cfr-suspected-state-sponsor": "China",
  780. "cfr-suspected-victims": [
  781. "India",
  782. "Saudi Arabia",
  783. "Vietnam",
  784. "Myanmar",
  785. "Singapore",
  786. "Thailand",
  787. "Malaysia",
  788. "Cambodia",
  789. "China",
  790. "Philippines",
  791. "South Korea",
  792. "United States",
  793. "Indonesia",
  794. "Laos"
  795. ],
  796. "cfr-target-category": [
  797. "Government",
  798. "Private sector"
  799. ],
  800. "cfr-type-of-incident": "Espionage",
  801. "country": "CN",
  802. "refs": [
  803. "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
  804. "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
  805. "https://www.cfr.org/interactive/cyber-operations/apt-30",
  806. "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
  807. "https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
  808. "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
  809. "https://threatconnect.com/blog/tag/naikon/",
  810. "https://attack.mitre.org/groups/G0019/",
  811. "https://www.secureworks.com/research/threat-profiles/bronze-geneva"
  812. ],
  813. "synonyms": [
  814. "PLA Unit 78020",
  815. "APT 30",
  816. "APT30",
  817. "Override Panda",
  818. "Camerashy",
  819. "APT.Naikon",
  820. "Lotus Panda",
  821. "Hellsing",
  822. "BRONZE GENEVA"
  823. ]
  824. },
  825. "related": [
  826. {
  827. "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
  828. "tags": [
  829. "estimative-language:likelihood-probability=\"likely\""
  830. ],
  831. "type": "similar"
  832. },
  833. {
  834. "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
  835. "tags": [
  836. "estimative-language:likelihood-probability=\"likely\""
  837. ],
  838. "type": "similar"
  839. },
  840. {
  841. "dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
  842. "tags": [
  843. "estimative-language:likelihood-probability=\"likely\""
  844. ],
  845. "type": "similar"
  846. },
  847. {
  848. "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
  849. "tags": [
  850. "estimative-language:likelihood-probability=\"likely\""
  851. ],
  852. "type": "similar"
  853. }
  854. ],
  855. "uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
  856. "value": "Naikon"
  857. },
  858. {
  859. "description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.",
  860. "meta": {
  861. "attribution-confidence": "50",
  862. "cfr-suspected-state-sponsor": "China",
  863. "cfr-suspected-victims": [
  864. "Japan",
  865. "Philippines",
  866. "Hong Kong",
  867. "Indonesia",
  868. "Taiwan",
  869. "Vietnam"
  870. ],
  871. "cfr-target-category": [
  872. "Military",
  873. "Government"
  874. ],
  875. "cfr-type-of-incident": "Espionage",
  876. "country": "CN",
  877. "refs": [
  878. "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
  879. "https://securelist.com/spring-dragon-updated-activity/79067/",
  880. "https://www.cfr.org/interactive/cyber-operations/lotus-blossom",
  881. "https://unit42.paloaltonetworks.com/operation-lotus-blossom/",
  882. "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf",
  883. "https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/",
  884. "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
  885. "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
  886. "https://attack.mitre.org/groups/G0030/",
  887. "https://www.secureworks.com/research/threat-profiles/bronze-elgin"
  888. ],
  889. "synonyms": [
  890. "Spring Dragon",
  891. "ST Group",
  892. "Esile",
  893. "DRAGONFISH",
  894. "BRONZE ELGIN"
  895. ]
  896. },
  897. "related": [
  898. {
  899. "dest-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
  900. "tags": [
  901. "estimative-language:likelihood-probability=\"likely\""
  902. ],
  903. "type": "similar"
  904. }
  905. ],
  906. "uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d",
  907. "value": "Lotus Blossom"
  908. },
  909. {
  910. "meta": {
  911. "attribution-confidence": "50",
  912. "country": "CN",
  913. "refs": [
  914. "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
  915. ],
  916. "synonyms": [
  917. "Elise"
  918. ]
  919. },
  920. "related": [
  921. {
  922. "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
  923. "tags": [
  924. "estimative-language:likelihood-probability=\"likely\""
  925. ],
  926. "type": "similar"
  927. },
  928. {
  929. "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
  930. "tags": [
  931. "estimative-language:likelihood-probability=\"likely\""
  932. ],
  933. "type": "similar"
  934. },
  935. {
  936. "dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
  937. "tags": [
  938. "estimative-language:likelihood-probability=\"likely\""
  939. ],
  940. "type": "similar"
  941. },
  942. {
  943. "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
  944. "tags": [
  945. "estimative-language:likelihood-probability=\"likely\""
  946. ],
  947. "type": "similar"
  948. }
  949. ],
  950. "uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
  951. "value": "Lotus Panda"
  952. },
  953. {
  954. "description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA’s preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.",
  955. "meta": {
  956. "attribution-confidence": "50",
  957. "country": "CN",
  958. "refs": [
  959. "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
  960. "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
  961. "https://www.crowdstrike.com/blog/storm-chasing/",
  962. "https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
  963. ],
  964. "synonyms": [
  965. "Black Vine",
  966. "TEMP.Avengers"
  967. ]
  968. },
  969. "related": [
  970. {
  971. "dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
  972. "tags": [
  973. "estimative-language:likelihood-probability=\"likely\""
  974. ],
  975. "type": "similar"
  976. },
  977. {
  978. "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
  979. "tags": [
  980. "estimative-language:likelihood-probability=\"likely\""
  981. ],
  982. "type": "similar"
  983. },
  984. {
  985. "dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
  986. "tags": [
  987. "estimative-language:likelihood-probability=\"likely\""
  988. ],
  989. "type": "similar"
  990. }
  991. ],
  992. "uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
  993. "value": "Hurricane Panda"
  994. },
  995. {
  996. "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
  997. "meta": {
  998. "attribution-confidence": "50",
  999. "cfr-suspected-state-sponsor": "Unknown",
  1000. "cfr-suspected-victims": [
  1001. "United States",
  1002. "Japan",
  1003. "Taiwan",
  1004. "India",
  1005. "Canada",
  1006. "China",
  1007. "Thailand",
  1008. "Israel",
  1009. "Australia",
  1010. "Republic of Korea",
  1011. "Russia",
  1012. "Iran"
  1013. ],
  1014. "cfr-target-category": [
  1015. "Government",
  1016. "Private sector"
  1017. ],
  1018. "cfr-type-of-incident": "Espionage",
  1019. "country": "CN",
  1020. "refs": [
  1021. "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
  1022. "https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
  1023. "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
  1024. "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
  1025. "https://www.cfr.org/interactive/cyber-operations/iron-tiger"
  1026. ],
  1027. "synonyms": [
  1028. "TG-3390",
  1029. "APT 27",
  1030. "TEMP.Hippo",
  1031. "Group 35",
  1032. "Bronze Union",
  1033. "ZipToken",
  1034. "HIPPOTeam",
  1035. "APT27",
  1036. "Operation Iron Tiger",
  1037. "Iron Tiger APT",
  1038. "BRONZE UNION",
  1039. "Lucky Mouse"
  1040. ]
  1041. },
  1042. "related": [
  1043. {
  1044. "dest-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
  1045. "tags": [
  1046. "estimative-language:likelihood-probability=\"likely\""
  1047. ],
  1048. "type": "similar"
  1049. },
  1050. {
  1051. "dest-uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045",
  1052. "tags": [
  1053. "estimative-language:likelihood-probability=\"likely\""
  1054. ],
  1055. "type": "similar"
  1056. },
  1057. {
  1058. "dest-uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
  1059. "tags": [
  1060. "estimative-language:likelihood-probability=\"likely\""
  1061. ],
  1062. "type": "similar"
  1063. }
  1064. ],
  1065. "uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
  1066. "value": "Emissary Panda"
  1067. },
  1068. {
  1069. "meta": {
  1070. "attribution-confidence": "50",
  1071. "cfr-suspected-state-sponsor": "China",
  1072. "cfr-suspected-victims": [
  1073. "Japan",
  1074. "India",
  1075. "South Africa",
  1076. "South Korea",
  1077. "Sweden",
  1078. "United States",
  1079. "Canada",
  1080. "Australia",
  1081. "France",
  1082. "Finland",
  1083. "United Kingdom",
  1084. "Brazil",
  1085. "Thailand",
  1086. "Switzerland",
  1087. "Norway"
  1088. ],
  1089. "cfr-target-category": [
  1090. "Private sector",
  1091. "Government"
  1092. ],
  1093. "cfr-type-of-incident": "Espionage",
  1094. "country": "CN",
  1095. "refs": [
  1096. "https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
  1097. "https://www.cfr.org/interactive/cyber-operations/apt-10",
  1098. "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
  1099. "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf",
  1100. "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
  1101. "https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret",
  1102. "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
  1103. "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
  1104. "https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf",
  1105. "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
  1106. "https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
  1107. "https://attack.mitre.org/groups/G0045/",
  1108. "https://www.secureworks.com/research/threat-profiles/bronze-riverside"
  1109. ],
  1110. "synonyms": [
  1111. "APT10",
  1112. "APT 10",
  1113. "MenuPass",
  1114. "Menupass Team",
  1115. "menuPass",
  1116. "menuPass Team",
  1117. "happyyongzi",
  1118. "POTASSIUM",
  1119. "DustStorm",
  1120. "Red Apollo",
  1121. "CVNX",
  1122. "HOGFISH",
  1123. "Cloud Hopper",
  1124. "BRONZE RIVERSIDE"
  1125. ]
  1126. },
  1127. "related": [
  1128. {
  1129. "dest-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
  1130. "tags": [
  1131. "estimative-language:likelihood-probability=\"likely\""
  1132. ],
  1133. "type": "similar"
  1134. }
  1135. ],
  1136. "uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c",
  1137. "value": "Stone Panda"
  1138. },
  1139. {
  1140. "meta": {
  1141. "attribution-confidence": "50",
  1142. "country": "CN",
  1143. "refs": [
  1144. "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/"
  1145. ],
  1146. "synonyms": [
  1147. "APT 9",
  1148. "Flowerlady/Flowershow",
  1149. "Flowerlady",
  1150. "Flowershow"
  1151. ]
  1152. },
  1153. "uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45",
  1154. "value": "Nightshade Panda"
  1155. },
  1156. {
  1157. "description": "This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted APT 30. Possibly uses the same infrastructure as Mirage.",
  1158. "meta": {
  1159. "attribution-confidence": "50",
  1160. "cfr-suspected-state-sponsor": "China",
  1161. "cfr-suspected-victims": [
  1162. "Malaysia",
  1163. "Indonesia",
  1164. "Philippines",
  1165. "United States",
  1166. "India"
  1167. ],
  1168. "cfr-target-category": [
  1169. "Government"
  1170. ],
  1171. "cfr-type-of-incident": "Espionage",
  1172. "country": "CN",
  1173. "refs": [
  1174. "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/",
  1175. "https://www.cfr.org/interactive/cyber-operations/hellsing",
  1176. "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/",
  1177. "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
  1178. "https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html"
  1179. ],
  1180. "synonyms": [
  1181. "Goblin Panda",
  1182. "Conimes",
  1183. "Cycldek"
  1184. ]
  1185. },
  1186. "uuid": "af482dde-9e47-48d5-9cb2-cf8f6d6303d3",
  1187. "value": "Hellsing"
  1188. },
  1189. {
  1190. "meta": {
  1191. "attribution-confidence": "50",
  1192. "country": "CN",
  1193. "refs": [
  1194. "https://kc.mcafee.com/corporate/index?page=content&id=KB71150",
  1195. "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf",
  1196. "https://attack.mitre.org/groups/G0014/"
  1197. ]
  1198. },
  1199. "related": [
  1200. {
  1201. "dest-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
  1202. "tags": [
  1203. "estimative-language:likelihood-probability=\"likely\""
  1204. ],
  1205. "type": "similar"
  1206. }
  1207. ],
  1208. "uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d",
  1209. "value": "Night Dragon"
  1210. },
  1211. {
  1212. "description": "This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.",
  1213. "meta": {
  1214. "attribution-confidence": "50",
  1215. "cfr-suspected-state-sponsor": "China",
  1216. "cfr-suspected-victims": [
  1217. "European Union",
  1218. "India",
  1219. "United Kingdom"
  1220. ],
  1221. "cfr-target-category": [
  1222. "Government"
  1223. ],
  1224. "cfr-type-of-incident": "Espionage",
  1225. "country": "CN",
  1226. "refs": [
  1227. "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html",
  1228. "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/",
  1229. "https://github.com/nccgroup/Royal_APT",
  1230. "https://www.cfr.org/interactive/cyber-operations/mirage",
  1231. "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf",
  1232. "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
  1233. "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
  1234. "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
  1235. "https://attack.mitre.org/groups/G0004/",
  1236. "https://www.secureworks.com/research/threat-profiles/bronze-palace"
  1237. ],
  1238. "synonyms": [
  1239. "Vixen Panda",
  1240. "Ke3Chang",
  1241. "GREF",
  1242. "Playful Dragon",
  1243. "APT 15",
  1244. "APT15",
  1245. "Metushy",
  1246. "Lurid",
  1247. "Social Network Team",
  1248. "Royal APT",
  1249. "BRONZE PALACE"
  1250. ]
  1251. },
  1252. "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
  1253. "value": "Mirage"
  1254. },
  1255. {
  1256. "description": "PLA Navy\nAnchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. \nNot surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.",
  1257. "meta": {
  1258. "attribution-confidence": "50",
  1259. "cfr-suspected-state-sponsor": "China",
  1260. "cfr-suspected-victims": [
  1261. "United States",
  1262. "United Kingdom",
  1263. "Germany",
  1264. "Australia",
  1265. "Sweden"
  1266. ],
  1267. "cfr-target-category": [
  1268. "Government",
  1269. "Military"
  1270. ],
  1271. "cfr-type-of-incident": "Espionage",
  1272. "country": "CN",
  1273. "motive": "Espionage",
  1274. "refs": [
  1275. "http://www.crowdstrike.com/blog/whois-anchor-panda/",
  1276. "https://www.cfr.org/interactive/cyber-operations/anchor-panda"
  1277. ],
  1278. "synonyms": [
  1279. "APT14",
  1280. "APT 14",
  1281. "QAZTeam",
  1282. "ALUMINUM"
  1283. ]
  1284. },
  1285. "related": [
  1286. {
  1287. "dest-uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3",
  1288. "tags": [
  1289. "estimative-language:likelihood-probability=\"likely\""
  1290. ],
  1291. "type": "uses"
  1292. },
  1293. {
  1294. "dest-uuid": "cb8c8253-4024-4cc9-8989-b4a5f95f6c2f",
  1295. "tags": [
  1296. "estimative-language:likelihood-probability=\"likely\""
  1297. ],
  1298. "type": "uses"
  1299. },
  1300. {
  1301. "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
  1302. "tags": [
  1303. "estimative-language:likelihood-probability=\"likely\""
  1304. ],
  1305. "type": "uses"
  1306. },
  1307. {
  1308. "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
  1309. "tags": [
  1310. "estimative-language:likelihood-probability=\"likely\""
  1311. ],
  1312. "type": "uses"
  1313. },
  1314. {
  1315. "dest-uuid": "32a67552-3b31-47bb-8098-078099bbc813",
  1316. "tags": [
  1317. "estimative-language:likelihood-probability=\"likely\""
  1318. ],
  1319. "type": "uses"
  1320. }
  1321. ],
  1322. "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
  1323. "value": "Anchor Panda"
  1324. },
  1325. {
  1326. "meta": {
  1327. "attribution-confidence": "50",
  1328. "cfr-suspected-state-sponsor": "China",
  1329. "cfr-suspected-victims": [
  1330. "Mongolia",
  1331. "Kazakhstan",
  1332. "Tajikistan",
  1333. "Germany",
  1334. "United Kingdom",
  1335. "India",
  1336. "Kyrgyzstan",
  1337. "South Korea",
  1338. "United States",
  1339. "Chile",
  1340. "Russia",
  1341. "China",
  1342. "Spain",
  1343. "Canada",
  1344. "Morocco"
  1345. ],
  1346. "cfr-target-category": [
  1347. "Government",
  1348. "Military"
  1349. ],
  1350. "cfr-type-of-incident": "Espionage",
  1351. "country": "CN",
  1352. "refs": [
  1353. "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/",
  1354. "https://www.cfr.org/interactive/cyber-operations/nettraveler",
  1355. "https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes",
  1356. "https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary",
  1357. "https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/",
  1358. "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests"
  1359. ],
  1360. "synonyms": [
  1361. "APT 21",
  1362. "APT21",
  1363. "TravNet"
  1364. ]
  1365. },
  1366. "uuid": "b80f4788-ccb2-466d-ae16-b397159d907e",
  1367. "value": "NetTraveler"
  1368. },
  1369. {
  1370. "description": "Operating since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.",
  1371. "meta": {
  1372. "attribution-confidence": "50",
  1373. "cfr-suspected-state-sponsor": "China",
  1374. "cfr-suspected-victims": [
  1375. "South Korea",
  1376. "United States",
  1377. "Japan",
  1378. "Germany",
  1379. "China"
  1380. ],
  1381. "cfr-target-category": [
  1382. "Government",
  1383. "Military"
  1384. ],
  1385. "cfr-type-of-incident": "Espionage",
  1386. "country": "CN",
  1387. "refs": [
  1388. "https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/",
  1389. "https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/",
  1390. "https://www.cfr.org/interactive/cyber-operations/icefog",
  1391. "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf"
  1392. ],
  1393. "synonyms": [
  1394. "IceFog",
  1395. "Dagger Panda",
  1396. "Trident"
  1397. ]
  1398. },
  1399. "uuid": "32c534b9-abec-4823-b223-a810f897b47b",
  1400. "value": "Ice Fog"
  1401. },
  1402. {
  1403. "description": "The Pitty Tiger group has been active since at least 2011. They have been seen using the Heartbleed vulnerability to directly obtain valid credentials.",
  1404. "meta": {
  1405. "attribution-confidence": "50",
  1406. "country": "CN",
  1407. "refs": [
  1408. "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
  1409. "http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
  1410. "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf",
  1411. "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/",
  1412. "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html",
  1413. "https://attack.mitre.org/groups/G0011/"
  1414. ],
  1415. "synonyms": [
  1416. "PittyTiger",
  1417. "MANGANESE"
  1418. ]
  1419. },
  1420. "related": [
  1421. {
  1422. "dest-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
  1423. "tags": [
  1424. "estimative-language:likelihood-probability=\"likely\""
  1425. ],
  1426. "type": "similar"
  1427. }
  1428. ],
  1429. "uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189",
  1430. "value": "Pitty Panda"
  1431. },
  1432. {
  1433. "meta": {
  1434. "refs": [
  1435. "https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
  1436. "http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf",
  1437. "https://www.secureworks.com/research/threat-profiles/bronze-woodland"
  1438. ],
  1439. "synonyms": [
  1440. "BRONZE WOODLAND",
  1441. "Rotten Tomato"
  1442. ]
  1443. },
  1444. "uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d",
  1445. "value": "Roaming Tiger"
  1446. },
  1447. {
  1448. "meta": {
  1449. "attribution-confidence": "50",
  1450. "cfr-suspected-state-sponsor": "China",
  1451. "cfr-suspected-victims": [
  1452. "United States",
  1453. "Canada",
  1454. "United Kingdom",
  1455. "Switzerland",
  1456. "Hong Kong",
  1457. "Australia",
  1458. "India",
  1459. "Taiwan",
  1460. "China",
  1461. "Denmark"
  1462. ],
  1463. "cfr-target-category": [
  1464. "Private sector",
  1465. "Civil society"
  1466. ],
  1467. "cfr-type-of-incident": "Espionage",
  1468. "country": "CN",
  1469. "refs": [
  1470. "https://www.cfr.org/interactive/cyber-operations/sneaky-panda",
  1471. "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf",
  1472. "https://attack.mitre.org/groups/G0066/"
  1473. ],
  1474. "synonyms": [
  1475. "Sneaky Panda",
  1476. "Elderwood",
  1477. "Elderwood Gang",
  1478. "SIG22"
  1479. ]
  1480. },
  1481. "related": [
  1482. {
  1483. "dest-uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484",
  1484. "tags": [
  1485. "estimative-language:likelihood-probability=\"likely\""
  1486. ],
  1487. "type": "similar"
  1488. }
  1489. ],
  1490. "uuid": "da754aeb-a86d-4874-b388-d1d2028a56be",
  1491. "value": "Beijing Group"
  1492. },
  1493. {
  1494. "meta": {
  1495. "attribution-confidence": "50",
  1496. "country": "CN",
  1497. "synonyms": [
  1498. "Shrouded Crossbow"
  1499. ]
  1500. },
  1501. "uuid": "c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e",
  1502. "value": "Radio Panda"
  1503. },
  1504. {
  1505. "meta": {
  1506. "attribution-confidence": "50",
  1507. "country": "CN",
  1508. "refs": [
  1509. "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"
  1510. ]
  1511. },
  1512. "uuid": "f33fd440-93ee-41e5-974a-be9343e18cdf",
  1513. "value": "APT.3102"
  1514. },
  1515. {
  1516. "meta": {
  1517. "attribution-confidence": "50",
  1518. "cfr-suspected-state-sponsor": "China",
  1519. "cfr-suspected-victims": [
  1520. "United States",
  1521. "United Kingdom",
  1522. "Hong Kong"
  1523. ],
  1524. "cfr-target-category": [
  1525. "Private sector",
  1526. "Military"
  1527. ],
  1528. "cfr-type-of-incident": "Espionage",
  1529. "country": "CN",
  1530. "refs": [
  1531. "http://www.crowdstrike.com/blog/whois-samurai-panda/"
  1532. ],
  1533. "synonyms": [
  1534. "PLA Navy",
  1535. "Wisp Team"
  1536. ]
  1537. },
  1538. "related": [
  1539. {
  1540. "dest-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
  1541. "tags": [
  1542. "estimative-language:likelihood-probability=\"likely\""
  1543. ],
  1544. "type": "similar"
  1545. },
  1546. {
  1547. "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
  1548. "tags": [
  1549. "estimative-language:likelihood-probability=\"likely\""
  1550. ],
  1551. "type": "similar"
  1552. }
  1553. ],
  1554. "uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
  1555. "value": "Samurai Panda"
  1556. },
  1557. {
  1558. "meta": {
  1559. "attribution-confidence": "50",
  1560. "country": "CN"
  1561. },
  1562. "uuid": "b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1",
  1563. "value": "Impersonating Panda"
  1564. },
  1565. {
  1566. "description": "We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.\nIn contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.",
  1567. "meta": {
  1568. "attribution-confidence": "50",
  1569. "country": "CN",
  1570. "refs": [
  1571. "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
  1572. "https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
  1573. "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf"
  1574. ],
  1575. "synonyms": [
  1576. "APT20",
  1577. "APT 20",
  1578. "TH3Bug",
  1579. "Twivy"
  1580. ]
  1581. },
  1582. "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
  1583. "value": "Violin Panda"
  1584. },
  1585. {
  1586. "description": "A group targeting dissident groups in China and at the boundaries.",
  1587. "meta": {
  1588. "attribution-confidence": "50",
  1589. "country": "CN",
  1590. "refs": [
  1591. "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
  1592. ]
  1593. },
  1594. "uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761",
  1595. "value": "Toxic Panda"
  1596. },
  1597. {
  1598. "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.",
  1599. "meta": {
  1600. "attribution-confidence": "50",
  1601. "cfr-suspected-state-sponsor": "China",
  1602. "cfr-suspected-victims": [
  1603. "Hong Kong",
  1604. "United States"
  1605. ],
  1606. "cfr-target-category": [
  1607. "Government",
  1608. "Private sector",
  1609. "Civil society"
  1610. ],
  1611. "cfr-type-of-incident": "Espionage",
  1612. "country": "CN",
  1613. "refs": [
  1614. "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
  1615. "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html",
  1616. "https://www.cfr.org/interactive/cyber-operations/admin338",
  1617. "https://attack.mitre.org/groups/G0018/"
  1618. ],
  1619. "synonyms": [
  1620. "Admin338",
  1621. "Team338",
  1622. "MAGNESIUM",
  1623. "admin@338"
  1624. ]
  1625. },
  1626. "related": [
  1627. {
  1628. "dest-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
  1629. "tags": [
  1630. "estimative-language:likelihood-probability=\"likely\""
  1631. ],
  1632. "type": "similar"
  1633. }
  1634. ],
  1635. "uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b",
  1636. "value": "Temper Panda"
  1637. },
  1638. {
  1639. "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign have set their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'",
  1640. "meta": {
  1641. "attribution-confidence": "50",
  1642. "country": "CN",
  1643. "refs": [
  1644. "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
  1645. "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/",
  1646. "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
  1647. "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
  1648. "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
  1649. "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
  1650. "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
  1651. "https://blog.lookout.com/titan-mobile-threat",
  1652. "https://attack.mitre.org/groups/G0081/",
  1653. "https://www.secureworks.com/research/threat-profiles/bronze-hobart"
  1654. ],
  1655. "synonyms": [
  1656. "APT23",
  1657. "APT 23",
  1658. "KeyBoy",
  1659. "TropicTrooper",
  1660. "Tropic Trooper",
  1661. "BRONZE HOBART"
  1662. ]
  1663. },
  1664. "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
  1665. "value": "Pirate Panda"
  1666. },
  1667. {
  1668. "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.",
  1669. "meta": {
  1670. "attribution-confidence": "50",
  1671. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  1672. "cfr-suspected-victims": [
  1673. "United States",
  1674. "Iranian internet activists"
  1675. ],
  1676. "cfr-target-category": [
  1677. "Military",
  1678. "Civil society"
  1679. ],
  1680. "cfr-type-of-incident": "Espionage",
  1681. "country": "IR",
  1682. "refs": [
  1683. "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf",
  1684. "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/",
  1685. "https://www.cfr.org/interactive/cyber-operations/saffron-rose"
  1686. ],
  1687. "synonyms": [
  1688. "SaffronRose",
  1689. "Saffron Rose",
  1690. "AjaxSecurityTeam",
  1691. "Ajax Security Team",
  1692. "Group 26",
  1693. "Sayad"
  1694. ]
  1695. },
  1696. "related": [
  1697. {
  1698. "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
  1699. "tags": [
  1700. "estimative-language:likelihood-probability=\"very-likely\""
  1701. ],
  1702. "type": "similar"
  1703. },
  1704. {
  1705. "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
  1706. "tags": [
  1707. "estimative-language:likelihood-probability=\"likely\""
  1708. ],
  1709. "type": "similar"
  1710. },
  1711. {
  1712. "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
  1713. "tags": [
  1714. "estimative-language:likelihood-probability=\"likely\""
  1715. ],
  1716. "type": "similar"
  1717. },
  1718. {
  1719. "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
  1720. "tags": [
  1721. "estimative-language:likelihood-probability=\"likely\""
  1722. ],
  1723. "type": "similar"
  1724. },
  1725. {
  1726. "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
  1727. "tags": [
  1728. "estimative-language:likelihood-probability=\"likely\""
  1729. ],
  1730. "type": "similar"
  1731. },
  1732. {
  1733. "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
  1734. "tags": [
  1735. "estimative-language:likelihood-probability=\"likely\""
  1736. ],
  1737. "type": "similar"
  1738. },
  1739. {
  1740. "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
  1741. "tags": [
  1742. "estimative-language:likelihood-probability=\"likely\""
  1743. ],
  1744. "type": "similar"
  1745. },
  1746. {
  1747. "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
  1748. "tags": [
  1749. "estimative-language:likelihood-probability=\"likely\""
  1750. ],
  1751. "type": "similar"
  1752. },
  1753. {
  1754. "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
  1755. "tags": [
  1756. "estimative-language:likelihood-probability=\"likely\""
  1757. ],
  1758. "type": "similar"
  1759. }
  1760. ],
  1761. "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
  1762. "value": "Flying Kitten"
  1763. },
  1764. {
1765. "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence that the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889. One of the threat actors responsible for the denial of service attacks against the U.S. in 2012–2013. Three individuals associated with the group—believed to have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.",
  1766. "meta": {
  1767. "attribution-confidence": "50",
  1768. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  1769. "cfr-suspected-victims": [
  1770. "Bank of America",
  1771. "US Bancorp",
  1772. "Fifth Third Bank",
  1773. "Citigroup",
  1774. "PNC",
  1775. "BB&T",
  1776. "Wells Fargo",
  1777. "Capital One",
  1778. "HSBC"
  1779. ],
  1780. "cfr-target-category": [
  1781. "Private sector"
  1782. ],
  1783. "cfr-type-of-incident": "Denial of service",
  1784. "country": "IR",
  1785. "refs": [
  1786. "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
  1787. "https://www.cfr.org/interactive/cyber-operations/itsecteam"
  1788. ],
  1789. "synonyms": [
  1790. "ITSecTeam",
  1791. "Threat Group 2889",
  1792. "TG-2889",
  1793. "Ghambar"
  1794. ]
  1795. },
  1796. "related": [
  1797. {
  1798. "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
  1799. "tags": [
  1800. "estimative-language:likelihood-probability=\"likely\""
  1801. ],
  1802. "type": "similar"
  1803. },
  1804. {
  1805. "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
  1806. "tags": [
  1807. "estimative-language:likelihood-probability=\"likely\""
  1808. ],
  1809. "type": "similar"
  1810. },
  1811. {
  1812. "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
  1813. "tags": [
  1814. "estimative-language:likelihood-probability=\"likely\""
  1815. ],
  1816. "type": "similar"
  1817. },
  1818. {
  1819. "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
  1820. "tags": [
  1821. "estimative-language:likelihood-probability=\"likely\""
  1822. ],
  1823. "type": "similar"
  1824. },
  1825. {
  1826. "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
  1827. "tags": [
  1828. "estimative-language:likelihood-probability=\"likely\""
  1829. ],
  1830. "type": "similar"
  1831. },
  1832. {
  1833. "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
  1834. "tags": [
  1835. "estimative-language:likelihood-probability=\"likely\""
  1836. ],
  1837. "type": "similar"
  1838. }
  1839. ],
  1840. "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
  1841. "value": "Cutting Kitten"
  1842. },
  1843. {
1844. "description": "Charming Kitten (aka Parastoo, aka Newscaster) is a group with a suspected nexus to Iran that targets organizations involved in the government, defense technology, military, and diplomacy sectors.",
  1845. "meta": {
  1846. "attribution-confidence": "50",
  1847. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  1848. "cfr-suspected-victims": [
  1849. "U.S. government/defense sector websites",
  1850. "Saudi Arabia",
  1851. "Israel",
  1852. "Iraq",
  1853. "United Kingdom"
  1854. ],
  1855. "cfr-target-category": [
  1856. "Government",
  1857. "Military"
  1858. ],
  1859. "cfr-type-of-incident": "Espionage",
  1860. "country": "IR",
  1861. "refs": [
  1862. "https://en.wikipedia.org/wiki/Operation_Newscaster",
  1863. "https://iranthreats.github.io/resources/macdownloader-macos-malware/",
  1864. "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf",
  1865. "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/",
  1866. "https://cryptome.org/2012/11/parastoo-hacks-iaea.htm",
  1867. "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf",
  1868. "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/",
  1869. "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf",
  1870. "https://www.cfr.org/interactive/cyber-operations/newscaster",
  1871. "https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/",
  1872. "https://securelist.com/freezer-paper-around-free-meat/74503/",
  1873. "https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/",
  1874. "http://www.arabnews.com/node/1195681/media",
  1875. "https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f",
  1876. "https://blog.certfa.com/posts/the-return-of-the-charming-kitten/",
  1877. "https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber",
  1878. "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
  1879. "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
  1880. "https://attack.mitre.org/groups/G0058/",
  1881. "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
  1882. ],
  1883. "synonyms": [
  1884. "Newscaster",
  1885. "Parastoo",
  1886. "iKittens",
  1887. "Group 83",
  1888. "Newsbeef",
  1889. "NewsBeef"
  1890. ]
  1891. },
  1892. "related": [
  1893. {
  1894. "dest-uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0",
  1895. "tags": [
  1896. "estimative-language:likelihood-probability=\"likely\""
  1897. ],
  1898. "type": "similar"
  1899. },
  1900. {
  1901. "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
  1902. "tags": [
  1903. "estimative-language:likelihood-probability=\"likely\""
  1904. ],
  1905. "type": "similar"
  1906. },
  1907. {
  1908. "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
  1909. "tags": [
  1910. "estimative-language:likelihood-probability=\"likely\""
  1911. ],
  1912. "type": "similar"
  1913. },
  1914. {
  1915. "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
  1916. "tags": [
  1917. "estimative-language:likelihood-probability=\"likely\""
  1918. ],
  1919. "type": "similar"
  1920. },
  1921. {
  1922. "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
  1923. "tags": [
  1924. "estimative-language:likelihood-probability=\"likely\""
  1925. ],
  1926. "type": "similar"
  1927. },
  1928. {
  1929. "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
  1930. "tags": [
  1931. "estimative-language:likelihood-probability=\"likely\""
  1932. ],
  1933. "type": "similar"
  1934. },
  1935. {
  1936. "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
  1937. "tags": [
  1938. "estimative-language:likelihood-probability=\"likely\""
  1939. ],
  1940. "type": "similar"
  1941. },
  1942. {
  1943. "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
  1944. "tags": [
  1945. "estimative-language:likelihood-probability=\"likely\""
  1946. ],
  1947. "type": "similar"
  1948. },
  1949. {
  1950. "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
  1951. "tags": [
  1952. "estimative-language:likelihood-probability=\"likely\""
  1953. ],
  1954. "type": "similar"
  1955. },
  1956. {
  1957. "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
  1958. "tags": [
  1959. "estimative-language:likelihood-probability=\"likely\""
  1960. ],
  1961. "type": "similar"
  1962. }
  1963. ],
  1964. "uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
  1965. "value": "Charming Kitten"
  1966. },
  1967. {
  1968. "description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
  1969. "meta": {
  1970. "attribution-confidence": "50",
  1971. "country": "IR",
  1972. "refs": [
  1973. "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
  1974. "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
  1975. "https://www.brighttalk.com/webcast/10703/275683",
  1976. "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
  1977. "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
  1978. "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/"
  1979. ],
  1980. "synonyms": [
  1981. "APT 33",
  1982. "Elfin",
  1983. "MAGNALLIUM",
  1984. "Refined Kitten",
  1985. "HOLMIUM",
  1986. "COBALT TRINITY"
  1987. ]
  1988. },
  1989. "related": [
  1990. {
  1991. "dest-uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
  1992. "tags": [
  1993. "estimative-language:likelihood-probability=\"likely\""
  1994. ],
  1995. "type": "similar"
  1996. },
  1997. {
  1998. "dest-uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2",
  1999. "tags": [
  2000. "estimative-language:likelihood-probability=\"likely\""
  2001. ],
  2002. "type": "similar"
  2003. }
  2004. ],
  2005. "uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
  2006. "value": "APT33"
  2007. },
  2008. {
  2009. "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.",
  2010. "meta": {
  2011. "attribution-confidence": "50",
  2012. "country": "IR",
  2013. "refs": [
  2014. "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
  2015. "https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140"
  2016. ],
  2017. "synonyms": [
  2018. "Group 42",
  2019. "VOYEUR"
  2020. ]
  2021. },
  2022. "uuid": "2e77511d-f72f-409e-9b64-e2a15efe9bf4",
  2023. "value": "Magic Kitten"
  2024. },
  2025. {
  2026. "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
  2027. "meta": {
  2028. "attribution-confidence": "50",
  2029. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  2030. "cfr-suspected-victims": [
  2031. "Saudi Arabia",
  2032. "Venezuela",
  2033. "Afghanistan",
  2034. "United Arab Emirates",
  2035. "Iran",
  2036. "Israel",
  2037. "Iraq",
  2038. "Kuwait",
  2039. "Turkey",
  2040. "Canada",
  2041. "Yemen",
  2042. "United Kingdom",
  2043. "Egypt",
  2044. "Syria",
  2045. "Jordan"
  2046. ],
  2047. "cfr-target-category": [
  2048. "Government",
  2049. "Military"
  2050. ],
  2051. "cfr-type-of-incident": "Espionage",
  2052. "country": "IR",
  2053. "refs": [
  2054. "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
  2055. "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
  2056. "http://www.clearskysec.com/thamar-reservoir/",
  2057. "https://citizenlab.ca/2015/08/iran_two_factor_phishing/",
  2058. "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
  2059. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  2060. "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
  2061. "https://en.wikipedia.org/wiki/Rocket_Kitten",
  2062. "https://www.cfr.org/interactive/cyber-operations/rocket-kitten"
  2063. ],
  2064. "synonyms": [
  2065. "TEMP.Beanie",
  2066. "Operation Woolen Goldfish",
  2067. "Operation Woolen-Goldfish",
  2068. "Thamar Reservoir",
  2069. "Timberworm"
  2070. ]
  2071. },
  2072. "related": [
  2073. {
  2074. "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
  2075. "tags": [
  2076. "estimative-language:likelihood-probability=\"very-likely\""
  2077. ],
  2078. "type": "similar"
  2079. },
  2080. {
  2081. "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
  2082. "tags": [
  2083. "estimative-language:likelihood-probability=\"likely\""
  2084. ],
  2085. "type": "similar"
  2086. },
  2087. {
  2088. "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
  2089. "tags": [
  2090. "estimative-language:likelihood-probability=\"likely\""
  2091. ],
  2092. "type": "similar"
  2093. },
  2094. {
  2095. "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
  2096. "tags": [
  2097. "estimative-language:likelihood-probability=\"likely\""
  2098. ],
  2099. "type": "similar"
  2100. },
  2101. {
  2102. "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
  2103. "tags": [
  2104. "estimative-language:likelihood-probability=\"likely\""
  2105. ],
  2106. "type": "similar"
  2107. },
  2108. {
  2109. "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
  2110. "tags": [
  2111. "estimative-language:likelihood-probability=\"likely\""
  2112. ],
  2113. "type": "similar"
  2114. },
  2115. {
  2116. "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
  2117. "tags": [
  2118. "estimative-language:likelihood-probability=\"likely\""
  2119. ],
  2120. "type": "similar"
  2121. },
  2122. {
  2123. "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
  2124. "tags": [
  2125. "estimative-language:likelihood-probability=\"likely\""
  2126. ],
  2127. "type": "similar"
  2128. },
  2129. {
  2130. "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
  2131. "tags": [
  2132. "estimative-language:likelihood-probability=\"likely\""
  2133. ],
  2134. "type": "similar"
  2135. }
  2136. ],
  2137. "uuid": "f873db71-3d53-41d5-b141-530675ade27a",
  2138. "value": "Rocket Kitten"
  2139. },
  2140. {
  2141. "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.",
  2142. "meta": {
  2143. "attribution-confidence": "50",
  2144. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  2145. "cfr-suspected-victims": [
  2146. "Canada",
  2147. "France",
  2148. "Israel",
  2149. "Mexico",
  2150. "Saudi Arabia",
  2151. "China",
  2152. "Germany",
  2153. "United States",
  2154. "Pakistan",
  2155. "South Korea",
  2156. "United Kingdom",
  2157. "India",
  2158. "Kuwait",
  2159. "Qatar",
  2160. "Turkey"
  2161. ],
  2162. "cfr-target-category": [
  2163. "Private sector",
  2164. "Government"
  2165. ],
  2166. "cfr-type-of-incident": "Espionage",
  2167. "country": "IR",
  2168. "refs": [
  2169. "https://www.cfr.org/interactive/cyber-operations/magic-hound",
  2170. "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
  2171. "https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
  2172. "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
  2173. "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
  2174. "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
  2175. "https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/",
  2176. "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
  2177. "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
  2178. "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
  2179. "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
  2180. "https://attack.mitre.org/groups/G0059/",
  2181. "https://attack.mitre.org/groups/G0003/"
  2182. ],
  2183. "synonyms": [
  2184. "Operation Cleaver",
  2185. "Tarh Andishan",
  2186. "Alibaba",
  2187. "2889",
  2188. "TG-2889",
  2189. "Cobalt Gypsy",
  2190. "Rocket_Kitten",
  2191. "Cutting Kitten",
  2192. "Group 41",
  2193. "Magic Hound",
  2194. "APT35",
  2195. "APT 35",
  2196. "TEMP.Beanie",
  2197. "Ghambar"
  2198. ]
  2199. },
  2200. "related": [
  2201. {
  2202. "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
  2203. "tags": [
  2204. "estimative-language:likelihood-probability=\"likely\""
  2205. ],
  2206. "type": "similar"
  2207. },
  2208. {
  2209. "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
  2210. "tags": [
  2211. "estimative-language:likelihood-probability=\"likely\""
  2212. ],
  2213. "type": "similar"
  2214. },
  2215. {
  2216. "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
  2217. "tags": [
  2218. "estimative-language:likelihood-probability=\"likely\""
  2219. ],
  2220. "type": "similar"
  2221. },
  2222. {
  2223. "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
  2224. "tags": [
  2225. "estimative-language:likelihood-probability=\"likely\""
  2226. ],
  2227. "type": "similar"
  2228. },
  2229. {
  2230. "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
  2231. "tags": [
  2232. "estimative-language:likelihood-probability=\"likely\""
  2233. ],
  2234. "type": "similar"
  2235. },
  2236. {
  2237. "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
  2238. "tags": [
  2239. "estimative-language:likelihood-probability=\"likely\""
  2240. ],
  2241. "type": "similar"
  2242. },
  2243. {
  2244. "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
  2245. "tags": [
  2246. "estimative-language:likelihood-probability=\"likely\""
  2247. ],
  2248. "type": "similar"
  2249. },
  2250. {
  2251. "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
  2252. "tags": [
  2253. "estimative-language:likelihood-probability=\"likely\""
  2254. ],
  2255. "type": "similar"
  2256. },
  2257. {
  2258. "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
  2259. "tags": [
  2260. "estimative-language:likelihood-probability=\"likely\""
  2261. ],
  2262. "type": "similar"
  2263. },
  2264. {
  2265. "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
  2266. "tags": [
  2267. "estimative-language:likelihood-probability=\"likely\""
  2268. ],
  2269. "type": "similar"
  2270. }
  2271. ],
  2272. "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
  2273. "value": "Cleaver"
  2274. },
  2275. {
  2276. "meta": {
  2277. "attribution-confidence": "50",
  2278. "country": "IR"
  2279. },
  2280. "uuid": "1de1a64e-ea14-4e79-9e41-6958bdb6c0ff",
  2281. "value": "Sands Casino"
  2282. },
  2283. {
  2284. "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.",
  2285. "meta": {
  2286. "attribution-confidence": "50",
  2287. "country": "TN",
  2288. "motive": "Hacktivists-Nationalists",
  2289. "synonyms": [
  2290. "FallagaTeam"
  2291. ]
  2292. },
  2293. "uuid": "29af2812-f7fb-4edb-8cc4-86d0d9e3644b",
  2294. "value": "Rebel Jackal"
  2295. },
  2296. {
  2297. "meta": {
  2298. "attribution-confidence": "50",
  2299. "country": "AE",
  2300. "synonyms": [
  2301. "Vikingdom"
  2302. ]
  2303. },
  2304. "uuid": "7f99ba32-421c-4905-9deb-006e8eda40c1",
  2305. "value": "Viking Jackal"
  2306. },
  2307. {
  2308. "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
  2309. "meta": {
  2310. "attribution-confidence": "50",
  2311. "cfr-suspected-state-sponsor": "Russian Federation",
  2312. "cfr-suspected-victims": [
  2313. "Georgia",
  2314. "France",
  2315. "Jordan",
  2316. "United States",
  2317. "Hungary",
  2318. "World Anti-Doping Agency",
  2319. "Armenia",
  2320. "Tajikistan",
  2321. "Japan",
  2322. "NATO",
  2323. "Ukraine",
  2324. "Belgium",
  2325. "Pakistan",
  2326. "Asia Pacific Economic Cooperation",
  2327. "International Association of Athletics Federations",
  2328. "Turkey",
  2329. "Mongolia",
  2330. "OSCE",
  2331. "United Kingdom",
  2332. "Germany",
  2333. "Poland",
  2334. "European Commission",
  2335. "Afghanistan",
  2336. "Kazakhstan",
  2337. "China"
  2338. ],
  2339. "cfr-target-category": [
  2340. "Government",
  2341. "Military"
  2342. ],
  2343. "cfr-type-of-incident": "Espionage",
  2344. "country": "RU",
  2345. "refs": [
  2346. "https://attack.mitre.org/groups/G0007/",
  2347. "https://en.wikipedia.org/wiki/Fancy_Bear",
  2348. "https://en.wikipedia.org/wiki/Sofacy_Group",
  2349. "https://www.bbc.com/news/technology-37590375",
  2350. "https://www.bbc.co.uk/news/technology-45257081",
  2351. "https://www.cfr.org/interactive/cyber-operations/apt-28",
  2352. "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
  2353. "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
  2354. "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
  2355. "https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
  2356. "https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/",
  2357. "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
  2358. "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
  2359. "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf",
  2360. "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff",
  2361. "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf",
  2362. "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
  2363. "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
  2364. "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
  2365. "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
  2366. "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
  2367. "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
  2368. "https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny",
  2369. "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
  2370. "https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
  2371. "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
  2372. "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
  2373. "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
  2374. "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
  2375. "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
  2376. "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
  2377. "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
  2378. "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
  2379. "https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
  2380. "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
  2381. "https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
  2382. "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
  2383. "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
  2384. "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
  2385. "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN",
  2386. "https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
  2387. "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
  2388. "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
  2389. "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
  2390. "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
  2391. "https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/",
  2392. "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/",
  2393. "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
  2394. "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/"
  2395. ],
  2396. "synonyms": [
  2397. "APT 28",
  2398. "APT28",
  2399. "Pawn Storm",
  2400. "PawnStorm",
  2401. "Fancy Bear",
  2402. "Sednit",
  2403. "SNAKEMACKEREL",
  2404. "TsarTeam",
  2405. "Tsar Team",
  2406. "TG-4127",
  2407. "Group-4127",
  2408. "STRONTIUM",
  2409. "TAG_0700",
  2410. "Swallowtail",
  2411. "IRON TWILIGHT",
  2412. "Group 74",
  2413. "SIG40",
  2414. "Grizzly Steppe",
  2415. "apt_sofacy"
  2416. ]
  2417. },
  2418. "related": [
  2419. {
  2420. "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
  2421. "tags": [
  2422. "estimative-language:likelihood-probability=\"likely\""
  2423. ],
  2424. "type": "similar"
  2425. },
  2426. {
  2427. "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec",
  2428. "tags": [
  2429. "estimative-language:likelihood-probability=\"likely\""
  2430. ],
  2431. "type": "similar"
  2432. }
  2433. ],
  2434. "uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
  2435. "value": "Sofacy"
  2436. },
  2437. {
  2438. "description": "A 2015 report by F-Secure describes APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks.\nIt is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes' toolsets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss).'",
  2439. "meta": {
  2440. "attribution-confidence": "50",
  2441. "cfr-suspected-state-sponsor": "Russian Federation",
  2442. "cfr-suspected-victims": [
  2443. "United States",
  2444. "China",
  2445. "New Zealand",
  2446. "Ukraine",
  2447. "Romania",
  2448. "Georgia",
  2449. "Japan",
  2450. "South Korea",
  2451. "Belgium",
  2452. "Kazakhstan",
  2453. "Brazil",
  2454. "Mexico",
  2455. "Turkey",
  2456. "Portugal",
  2457. "India"
  2458. ],
  2459. "cfr-target-category": [
  2460. "Government",
  2461. "Private sector"
  2462. ],
  2463. "cfr-type-of-incident": "Espionage",
  2464. "country": "RU",
  2465. "refs": [
  2466. "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/",
  2467. "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf",
  2468. "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf",
  2469. "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
  2470. "https://www.cfr.org/interactive/cyber-operations/dukes",
  2471. "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
  2472. "https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
  2473. "https://www.secureworks.com/research/threat-profiles/iron-hemlock"
  2474. ],
  2475. "synonyms": [
  2476. "Dukes",
  2477. "Group 100",
  2478. "Cozy Duke",
  2479. "CozyDuke",
  2480. "EuroAPT",
  2481. "CozyBear",
  2482. "CozyCar",
  2483. "Cozer",
  2484. "Office Monkeys",
  2485. "OfficeMonkeys",
  2486. "APT29",
  2487. "Cozy Bear",
  2488. "The Dukes",
  2489. "Minidionis",
  2490. "SeaDuke",
  2491. "Hammer Toss",
  2492. "YTTRIUM",
  2493. "Iron Hemlock",
  2494. "Grizzly Steppe"
  2495. ]
  2496. },
  2497. "related": [
  2498. {
  2499. "dest-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
  2500. "tags": [
  2501. "estimative-language:likelihood-probability=\"likely\""
  2502. ],
  2503. "type": "similar"
  2504. }
  2505. ],
  2506. "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
  2507. "value": "APT 29"
  2508. },
  2509. {
  2510. "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much-documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took. Kaspersky Lab, however, picked up a number of the attackers' searches through their victims' emails, which included terms such as Nato and EU energy dialogue. Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks, and Symantec's Gavin O’Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'",
  2511. "meta": {
  2512. "attribution-confidence": "50",
  2513. "cfr-suspected-state-sponsor": "Russian Federation",
  2514. "cfr-suspected-victims": [
  2515. "France",
  2516. "Romania",
  2517. "Kazakhstan",
  2518. "Poland",
  2519. "Tajikistan",
  2520. "Russia",
  2521. "United States",
  2522. "Saudi Arabia",
  2523. "Germany",
  2524. "India",
  2525. "Belarus",
  2526. "Netherlands",
  2527. "Iran",
  2528. "Uzbekistan",
  2529. "Iraq"
  2530. ],
  2531. "cfr-target-category": [
  2532. "Government",
  2533. "Military"
  2534. ],
  2535. "cfr-type-of-incident": "Espionage",
  2536. "country": "RU",
  2537. "refs": [
  2538. "https://www.circl.lu/pub/tr-25/",
  2539. "https://securelist.com/introducing-whitebear/81638/",
  2540. "https://securelist.com/the-epic-turla-operation/65545/",
  2541. "https://www.cfr.org/interactive/cyber-operations/turla",
  2542. "https://www.nytimes.com/2010/08/26/technology/26cyber.html",
  2543. "https://securelist.com/blog/research/67962/the-penquin-turla-2/",
  2544. "https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/",
  2545. "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
  2546. "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
  2547. "https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/",
  2548. "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/",
  2549. "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
  2550. "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
  2551. "https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548",
  2552. "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
  2553. "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
  2554. "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
  2555. "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
  2556. "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
  2557. "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
  2558. "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
  2559. "https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html",
  2560. "https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
  2561. "https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/",
  2562. "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
  2563. "https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
  2564. "https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
  2565. "https://attack.mitre.org/groups/G0010/",
  2566. "https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/",
  2567. "https://www.secureworks.com/research/threat-profiles/iron-hunter"
  2568. ],
  2569. "synonyms": [
  2570. "Turla",
  2571. "Snake",
  2572. "Venomous Bear",
  2573. "VENOMOUS Bear",
  2574. "Group 88",
  2575. "Waterbug",
  2576. "WRAITH",
  2577. "Turla Team",
  2578. "Uroburos",
  2579. "Pfinet",
  2580. "TAG_0530",
  2581. "KRYPTON",
  2582. "Hippo Team",
  2583. "Pacifier APT",
  2584. "Popeye",
  2585. "SIG23",
  2586. "Iron Hunter",
  2587. "MAKERSMARK"
  2588. ]
  2589. },
  2590. "related": [
  2591. {
  2592. "dest-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
  2593. "tags": [
  2594. "estimative-language:likelihood-probability=\"likely\""
  2595. ],
  2596. "type": "similar"
  2597. },
  2598. {
  2599. "dest-uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11",
  2600. "tags": [
  2601. "estimative-language:likelihood-probability=\"likely\""
  2602. ],
  2603. "type": "similar"
  2604. }
  2605. ],
  2606. "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
  2607. "value": "Turla Group"
  2608. },
  2609. {
  2610. "description": "A Russian group that collects intelligence on the energy industry.",
  2611. "meta": {
  2612. "attribution-confidence": "50",
  2613. "cfr-suspected-state-sponsor": "Russian Federation",
  2614. "cfr-suspected-victims": [
  2615. "United States",
  2616. "Germany",
  2617. "Turkey",
  2618. "China",
  2619. "Spain",
  2620. "France",
  2621. "Ireland",
  2622. "Japan",
  2623. "Italy",
  2624. "Poland"
  2625. ],
  2626. "cfr-target-category": [
  2627. "Private sector",
  2628. "Government"
  2629. ],
  2630. "cfr-type-of-incident": "Espionage",
  2631. "country": "RU",
  2632. "refs": [
  2633. "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
  2634. "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
  2635. "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
  2636. "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
  2637. "https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
  2638. "https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA",
  2639. "https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
  2640. "https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
  2641. "https://www.riskiq.com/blog/labs/energetic-bear/",
  2642. "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
  2643. "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
  2644. "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
  2645. "https://attack.mitre.org/groups/G0035/",
  2646. "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
  2647. ],
  2648. "synonyms": [
  2649. "Dragonfly",
  2650. "Crouching Yeti",
  2651. "Group 24",
  2652. "Havex",
  2653. "CrouchingYeti",
  2654. "Koala Team",
  2655. "IRON LIBERTY"
  2656. ]
  2657. },
  2658. "related": [
  2659. {
  2660. "dest-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
  2661. "tags": [
  2662. "estimative-language:likelihood-probability=\"likely\""
  2663. ],
  2664. "type": "similar"
  2665. }
  2666. ],
  2667. "uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
  2668. "value": "Energetic Bear"
  2669. },
  2670. {
  2671. "description": "This threat actor targets industrial control systems associated with electricity and power generation, using a tool called Black Energy, for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. It is believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage.",
  2672. "meta": {
  2673. "attribution-confidence": "50",
  2674. "cfr-suspected-state-sponsor": "Russian Federation",
  2675. "cfr-suspected-victims": [
  2676. "Russia",
  2677. "Lithuania",
  2678. "Kyrgyzstan",
  2679. "Israel",
  2680. "Ukraine",
  2681. "Belarus",
  2682. "Kazakhstan",
  2683. "Georgia",
  2684. "Poland",
  2685. "Azerbaijan",
  2686. "Iran"
  2687. ],
  2688. "cfr-target-category": [
  2689. "Private sector",
  2690. "Government"
  2691. ],
  2692. "cfr-type-of-incident": "Espionage",
  2693. "country": "RU",
  2694. "refs": [
  2695. "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
  2696. "https://www.us-cert.gov/ncas/alerts/TA17-163A",
  2697. "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
  2698. "https://www.cfr.org/interactive/cyber-operations/black-energy",
  2699. "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
  2700. "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
  2701. "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
  2702. "https://attack.mitre.org/groups/G0034/"
  2703. ],
  2704. "synonyms": [
  2705. "Sandworm Team",
  2706. "Black Energy",
  2707. "BlackEnergy",
  2708. "Quedagh",
  2709. "Voodoo Bear",
  2710. "TEMP.Noble",
  2711. "Iron Viking"
  2712. ]
  2713. },
  2714. "related": [
  2715. {
  2716. "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
  2717. "tags": [
  2718. "estimative-language:likelihood-probability=\"likely\""
  2719. ],
  2720. "type": "similar"
  2721. },
  2722. {
  2723. "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
  2724. "tags": [
  2725. "estimative-language:likelihood-probability=\"likely\""
  2726. ],
  2727. "type": "similar"
  2728. },
  2729. {
  2730. "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
  2731. "tags": [
  2732. "estimative-language:likelihood-probability=\"likely\""
  2733. ],
  2734. "type": "similar"
  2735. },
  2736. {
  2737. "dest-uuid": "d52ca4c4-d214-11e8-8d29-c3e7cb78acce",
  2738. "tags": [
  2739. "estimative-language:likelihood-probability=\"likely\""
  2740. ],
  2741. "type": "similar"
  2742. }
  2743. ],
  2744. "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
  2745. "value": "Sandworm"
  2746. },
  2747. {
  2748. "description": "We will refer to the gang behind the malware as TeleBots. However, it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group. TeleBots appear to be associated with Sandworm Team, Iron Viking, and Voodoo Bear.",
  2749. "meta": {
  2750. "attribution-confidence": "50",
  2751. "country": "RU",
  2752. "refs": [
  2753. "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
  2754. "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/",
  2755. "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
  2756. "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/",
  2757. "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/",
  2758. "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
  2759. "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/"
  2760. ],
  2761. "synonyms": [
  2762. "Sandworm"
  2763. ]
  2764. },
  2765. "related": [
  2766. {
  2767. "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
  2768. "tags": [
  2769. "estimative-language:likelihood-probability=\"likely\""
  2770. ],
  2771. "type": "similar"
  2772. },
  2773. {
  2774. "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
  2775. "tags": [
  2776. "estimative-language:likelihood-probability=\"likely\""
  2777. ],
  2778. "type": "similar"
  2779. },
  2780. {
  2781. "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
  2782. "tags": [
  2783. "estimative-language:likelihood-probability=\"likely\""
  2784. ],
  2785. "type": "similar"
  2786. }
  2787. ],
  2788. "uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
  2789. "value": "TeleBots"
  2790. },
  2791. {
  2792. "description": "Groups targeting financial organizations or people with significant financial assets.",
  2793. "meta": {
  2794. "attribution-confidence": "50",
  2795. "country": "RU",
  2796. "motive": "Cybercrime",
  2797. "refs": [
  2798. "https://en.wikipedia.org/wiki/Carbanak",
  2799. "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
  2800. "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf",
  2801. "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
  2802. "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
  2803. "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
  2804. "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
  2805. "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
  2806. "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
  2807. "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf",
  2808. "https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf",
  2809. "https://attack.mitre.org/groups/G0008/",
  2810. "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
  2811. "https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/",
  2812. "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
  2813. "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
  2814. "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
  2815. "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
  2816. "https://blog.morphisec.com/fin7-attack-modifications-revealed",
  2817. "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
  2818. "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
  2819. "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
  2820. "https://attack.mitre.org/groups/G0046/",
  2821. "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
  2822. "https://threatintel.blog/OPBlueRaven-Part1/",
  2823. "https://threatintel.blog/OPBlueRaven-Part2/",
  2824. "https://www.secureworks.com/research/threat-profiles/gold-niagara"
  2825. ],
  2826. "synonyms": [
  2827. "Carbanak",
  2828. "Carbon Spider",
  2829. "FIN7",
  2830. "GOLD NIAGARA"
  2831. ]
  2832. },
  2833. "related": [
  2834. {
  2835. "dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
  2836. "tags": [
  2837. "estimative-language:likelihood-probability=\"likely\""
  2838. ],
  2839. "type": "similar"
  2840. },
  2841. {
  2842. "dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
  2843. "tags": [
  2844. "estimative-language:likelihood-probability=\"likely\""
  2845. ],
  2846. "type": "similar"
  2847. }
  2848. ],
  2849. "uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
  2850. "value": "Anunak"
  2851. },
  2852. {
  2853. "description": "Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say.\nThe attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets.\nResearchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.",
  2854. "meta": {
  2855. "attribution-confidence": "50",
  2856. "cfr-suspected-state-sponsor": "Russian Federation",
  2857. "cfr-suspected-victims": [
  2858. "Hungary",
  2859. "Belarus"
  2860. ],
  2861. "cfr-target-category": [
  2862. "Government",
  2863. "Private sector"
  2864. ],
  2865. "cfr-type-of-incident": "Espionage",
  2866. "country": "RU",
  2867. "refs": [
  2868. "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/",
  2869. "https://www.cfr.org/interactive/cyber-operations/team-spy-crew",
  2870. "https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/",
  2871. "https://www.crysys.hu/publications/files/teamspy.pdf",
  2872. "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf",
  2873. "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
  2874. ],
  2875. "synonyms": [
  2876. "TeamSpy",
  2877. "Team Bear",
  2878. "Berserk Bear",
  2879. "Anger Bear",
  2880. "IRON LYRIC"
  2881. ]
  2882. },
  2883. "related": [
  2884. {
  2885. "dest-uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624",
  2886. "tags": [
  2887. "estimative-language:likelihood-probability=\"likely\""
  2888. ],
  2889. "type": "similar"
  2890. }
  2891. ],
  2892. "uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445",
  2893. "value": "TeamSpy Crew"
  2894. },
  2895. {
  2896. "description": "Buhtrap has been active since 2014; however, their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.\nFrom August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified.\nBuhtrap is the first hacker group to use a network worm to infect the overall bank infrastructure, which significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure, which causes delays in servicing customers and additional losses.\nMalicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gateways, which are known to be of interest to other criminal groups.",
  2897. "meta": {
  2898. "attribution-confidence": "50",
  2899. "country": "RU",
  2900. "refs": [
  2901. "https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/",
  2902. "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
  2903. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  2904. "https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware",
  2905. "https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
  2906. "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
  2907. "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
  2908. ]
  2909. },
  2910. "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
  2911. "value": "BuhTrap"
  2912. },
  2913. {
  2914. "meta": {
  2915. "attribution-confidence": "50",
  2916. "country": "RU"
  2917. },
  2918. "related": [
  2919. {
  2920. "dest-uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445",
  2921. "tags": [
  2922. "estimative-language:likelihood-probability=\"likely\""
  2923. ],
  2924. "type": "similar"
  2925. }
  2926. ],
  2927. "uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624",
  2928. "value": "Berserk Bear"
  2929. },
  2930. {
  2931. "description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.",
  2932. "meta": {
  2933. "attribution-confidence": "50",
  2934. "country": "RO",
  2935. "refs": [
  2936. "https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623",
  2937. "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html",
  2938. "https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf",
  2939. "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html",
  2940. "https://attack.mitre.org/groups/G0085/"
  2941. ],
  2942. "synonyms": [
  2943. "FIN4"
  2944. ]
  2945. },
  2946. "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
  2947. "value": "Wolf Spider"
  2948. },
  2949. {
  2950. "description": "First observed activity in December 2013.",
  2951. "meta": {
  2952. "attribution-confidence": "50",
  2953. "country": "RU"
  2954. },
  2955. "uuid": "85b40169-3d1c-491b-9fbf-877ed57f32e0",
  2956. "value": "Boulder Bear"
  2957. },
  2958. {
  2959. "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.",
  2960. "meta": {
  2961. "attribution-confidence": "50",
  2962. "country": "RU"
  2963. },
  2964. "uuid": "7dd7a8df-9012-4d14-977f-b3f9f71266b4",
  2965. "value": "Shark Spider"
  2966. },
  2967. {
  2968. "description": "Adversary targeting manufacturing and industrial organizations.",
  2969. "meta": {
  2970. "attribution-confidence": "50",
  2971. "country": "RU",
  2972. "refs": [
  2973. "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
  2974. ]
  2975. },
  2976. "uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd",
  2977. "value": "Union Spider"
  2978. },
  2979. {
  2980. "meta": {
  2981. "attribution-confidence": "50",
  2982. "country": "KP",
  2983. "refs": [
  2984. "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
  2985. ],
  2986. "synonyms": [
  2987. "OperationTroy",
  2988. "Guardian of Peace",
  2989. "GOP",
  2990. "WHOis Team",
  2991. "Andariel",
  2992. "Subgroup: Andariel"
  2993. ]
  2994. },
  2995. "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7",
  2996. "value": "Silent Chollima"
  2997. },
  2998. {
  2999. "description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.",
  3000. "meta": {
  3001. "attribution-confidence": "50",
  3002. "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)",
  3003. "cfr-suspected-victims": [
  3004. "South Korea",
  3005. "Bangladesh Bank",
  3006. "Sony Pictures Entertainment",
  3007. "United States",
  3008. "Thailand",
  3009. "France",
  3010. "China",
  3011. "Hong Kong",
  3012. "United Kingdom",
  3013. "Guatemala",
  3014. "Canada",
  3015. "Bangladesh",
  3016. "Japan",
  3017. "India",
  3018. "Germany",
  3019. "Brazil",
  3020. "Thailand",
  3021. "Australia",
  3022. "Cryptocurrency exchanges in South Korea"
  3023. ],
  3024. "cfr-target-category": [
  3025. "Government",
  3026. "Private sector"
  3027. ],
  3028. "cfr-type-of-incident": [
  3029. "Espionage",
  3030. "Sabotage"
  3031. ],
  3032. "country": "KP",
  3033. "refs": [
  3034. "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
  3035. "https://www.us-cert.gov/ncas/alerts/TA17-164A",
  3036. "https://www.us-cert.gov/ncas/alerts/TA17-318A",
  3037. "https://www.us-cert.gov/ncas/alerts/TA17-318B",
  3038. "https://securelist.com/operation-applejeus/87553/",
  3039. "https://securelist.com/lazarus-under-the-hood/77908/",
  3040. "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
  3041. "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf",
  3042. "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/",
  3043. "https://www.cfr.org/interactive/cyber-operations/lazarus-group",
  3044. "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret",
  3045. "https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea",
  3046. "https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/",
  3047. "https://content.fireeye.com/apt/rpt-apt38",
  3048. "https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/",
  3049. "https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack",
  3050. "https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise",
  3051. "https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html",
  3052. "https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov",
  3053. "https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war",
  3054. "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know",
  3055. "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/",
  3056. "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/",
  3057. "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/",
  3058. "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/",
  3059. "https://www.us-cert.gov/ncas/analysis-reports/AR19-129A",
  3060. "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/",
  3061. "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/",
  3062. "https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/",
  3063. "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf",
  3064. "https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and",
  3065. "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations",
  3066. "https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies",
  3067. "https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c",
  3068. "https://attack.mitre.org/groups/G0032/",
  3069. "https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/",
  3070. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  3071. "https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105",
  3072. "https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD",
  3073. "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
  3074. "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
  3075. "https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/",
  3076. "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware",
  3077. "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html",
  3078. "https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret",
  3079. "https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
  3080. "https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
  3081. "https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
  3082. "https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html",
  3083. "https://www.secureworks.com/research/threat-profiles/nickel-gladstone",
  3084. "https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html",
  3085. "https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/"
  3086. ],
  3087. "synonyms": [
  3088. "Operation DarkSeoul",
  3089. "Dark Seoul",
  3090. "Hidden Cobra",
  3091. "Hastati Group",
  3092. "Andariel",
  3093. "Unit 121",
  3094. "Bureau 121",
  3095. "NewRomanic Cyber Army Team",
  3096. "Bluenoroff",
  3097. "Subgroup: Bluenoroff",
  3098. "Group 77",
  3099. "Labyrinth Chollima",
  3100. "Operation Troy",
  3101. "Operation GhostSecret",
  3102. "Operation AppleJeus",
  3103. "APT38",
  3104. "APT 38",
  3105. "Stardust Chollima",
  3106. "Whois Hacking Team",
  3107. "Zinc",
  3108. "Appleworm",
  3109. "Nickel Academy",
  3110. "APT-C-26",
  3111. "NICKEL GLADSTONE"
  3112. ]
  3113. },
  3114. "related": [
  3115. {
  3116. "dest-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
  3117. "tags": [
  3118. "estimative-language:likelihood-probability=\"likely\""
  3119. ],
  3120. "type": "similar"
  3121. },
  3122. {
  3123. "dest-uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b",
  3124. "tags": [
  3125. "estimative-language:likelihood-probability=\"likely\""
  3126. ],
  3127. "type": "similar"
  3128. },
  3129. {
  3130. "dest-uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
  3131. "tags": [
  3132. "estimative-language:likelihood-probability=\"likely\""
  3133. ],
  3134. "type": "similar"
  3135. },
  3136. {
  3137. "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
  3138. "tags": [
  3139. "estimative-language:likelihood-probability=\"likely\""
  3140. ],
  3141. "type": "linked-to"
  3142. }
  3143. ],
  3144. "uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
  3145. "value": "Lazarus Group"
  3146. },
  3147. {
  3148. "meta": {
  3149. "attribution-confidence": "50",
  3150. "country": "IN",
  3151. "refs": [
  3152. "https://kung_foo.keybase.pub/papers_and_presentations/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
  3153. ],
  3154. "synonyms": [
  3155. "Appin",
  3156. "OperationHangover"
  3157. ]
  3158. },
  3159. "uuid": "e2b87f81-a6a1-4524-b03f-193c3191d239",
  3160. "value": "Viceroy Tiger"
  3161. },
  3162. {
  3163. "meta": {
  3164. "attribution-confidence": "50",
  3165. "country": "US",
  3166. "synonyms": [
  3167. "DD4BC",
  3168. "Ambiorx"
  3169. ]
  3170. },
  3171. "uuid": "dd9806a9-a600-48f8-81fb-07f0f1b7690d",
  3172. "value": "Pizzo Spider"
  3173. },
  3174. {
  3175. "meta": {
  3176. "attribution-confidence": "50",
  3177. "country": "TN",
  3178. "refs": [
  3179. "https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
  3180. ],
  3181. "synonyms": [
  3182. "TunisianCyberArmy"
  3183. ]
  3184. },
  3185. "uuid": "59d63dd6-f46f-4334-ad15-30d2e1ee0623",
  3186. "value": "Corsair Jackal"
  3187. },
  3188. {
  3189. "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.",
  3190. "meta": {
  3191. "attribution-confidence": "50",
  3192. "cfr-suspected-state-sponsor": "France",
  3193. "cfr-suspected-victims": [
  3194. "Syria",
  3195. "United States",
  3196. "Netherlands",
  3197. "Russia",
  3198. "Spain",
  3199. "Iran",
  3200. "China",
  3201. "Germany",
  3202. "Algeria",
  3203. "Norway",
  3204. "Malaysia",
  3205. "Turkey",
  3206. "United Kingdom",
  3207. "Ivory Coast",
  3208. "Greece"
  3209. ],
  3210. "cfr-target-category": [
  3211. "Government",
  3212. "Private sector"
  3213. ],
  3214. "cfr-type-of-incident": "Espionage",
  3215. "country": "FR",
  3216. "refs": [
  3217. "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/",
  3218. "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france",
  3219. "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
  3220. "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
  3221. "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
  3222. "https://www.cfr.org/interactive/cyber-operations/snowglobe",
  3223. "https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/"
  3224. ],
  3225. "synonyms": [
  3226. "Animal Farm",
  3227. "Snowglobe"
  3228. ]
  3229. },
  3230. "uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab",
  3231. "value": "SNOWGLOBE"
  3232. },
  3233. {
  3234. "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011, Syria has been described as *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear.",
  3235. "meta": {
  3236. "attribution-confidence": "50",
  3237. "country": "SY",
  3238. "refs": [
  3239. "https://en.wikipedia.org/wiki/Syrian_Electronic_Army"
  3240. ],
  3241. "synonyms": [
  3242. "SyrianElectronicArmy",
  3243. "SEA"
  3244. ]
  3245. },
  3246. "uuid": "4265d44e-8372-4ed0-b428-b331a5443d7d",
  3247. "value": "Deadeye Jackal"
  3248. },
  3249. {
  3250. "description": "Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.",
  3251. "meta": {
  3252. "attribution-confidence": "50",
  3253. "cfr-suspected-state-sponsor": "Pakistan",
  3254. "cfr-target-category": [
  3255. "Civil society",
  3256. "Military",
  3257. "Government"
  3258. ],
  3259. "country": "PK",
  3260. "refs": [
  3261. "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
  3262. "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
  3263. "https://www.amnesty.org/en/documents/asa33/8366/2018/en/",
  3264. "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/",
  3265. "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
  3266. "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
  3267. "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
  3268. "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
  3269. "https://s.tencent.com/research/report/669.html",
  3270. "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
  3271. "https://www.secureworks.com/research/threat-profiles/copper-fieldstone"
  3272. ],
  3273. "synonyms": [
  3274. "C-Major",
  3275. "Transparent Tribe",
  3276. "Mythic Leopard",
  3277. "ProjectM",
  3278. "APT36",
  3279. "APT 36",
  3280. "TMP.Lapis",
  3281. "Green Havildar",
  3282. "COPPER FIELDSTONE"
  3283. ]
  3284. },
  3285. "related": [
  3286. {
  3287. "dest-uuid": "2a410eea-a9da-11e8-b404-37b7060746c8",
  3288. "tags": [
  3289. "estimative-language:likelihood-probability=\"likely\""
  3290. ],
  3291. "type": "similar"
  3292. }
  3293. ],
  3294. "uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905",
  3295. "value": "Operation C-Major"
  3296. },
  3297. {
  3298. "description": "This threat actor targets civil society groups and Emirati journalists, activists, and dissidents.",
  3299. "meta": {
  3300. "attribution-confidence": "50",
  3301. "cfr-suspected-state-sponsor": "United Arab Emirates",
  3302. "cfr-suspected-victims": [
  3303. "United Arab Emirates",
  3304. "United Kingdom"
  3305. ],
  3306. "cfr-target-category": [
  3307. "Civil society"
  3308. ],
  3309. "cfr-type-of-incident": "Espionage",
  3310. "country": "AE",
  3311. "refs": [
  3312. "https://citizenlab.ca/2016/05/stealth-falcon/",
  3313. "https://www.cfr.org/interactive/cyber-operations/stealth-falcon",
  3314. "https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/",
  3315. "https://attack.mitre.org/groups/G0038/"
  3316. ],
  3317. "synonyms": [
  3318. "FruityArmor"
  3319. ]
  3320. },
  3321. "related": [
  3322. {
  3323. "dest-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
  3324. "tags": [
  3325. "estimative-language:likelihood-probability=\"likely\""
  3326. ],
  3327. "type": "similar"
  3328. }
  3329. ],
  3330. "uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0",
  3331. "value": "Stealth Falcon"
  3332. },
  3333. {
  3334. "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.",
  3335. "meta": {
  3336. "refs": [
  3337. "https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/",
  3338. "https://securelist.com/operation-daybreak/75100/",
  3339. "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
  3340. "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/"
  3341. ],
  3342. "synonyms": [
  3343. "Operation Daybreak",
  3344. "Operation Erebus"
  3345. ]
  3346. },
  3347. "related": [
  3348. {
  3349. "dest-uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c",
  3350. "tags": [
  3351. "estimative-language:likelihood-probability=\"likely\""
  3352. ],
  3353. "type": "similar"
  3354. },
  3355. {
  3356. "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
  3357. "tags": [
  3358. "estimative-language:likelihood-probability=\"likely\""
  3359. ],
  3360. "type": "similar"
  3361. }
  3362. ],
  3363. "uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338",
  3364. "value": "ScarCruft"
  3365. },
  3366. {
  3367. "description": "This group created malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world, with the potential to sell access to these devices to the highest bidder.",
  3368. "meta": {
  3369. "attribution-confidence": "50",
  3370. "country": "CN",
  3371. "refs": [
  3372. "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf"
  3373. ]
  3374. },
  3375. "uuid": "12ab5c28-5f38-4a2f-bd40-40e9c500f4ac",
  3376. "value": "HummingBad"
  3377. },
  3378. {
  3379. "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork”) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.",
  3380. "meta": {
  3381. "attribution-confidence": "50",
  3382. "cfr-suspected-state-sponsor": "India",
  3383. "cfr-suspected-victims": [
  3384. "Bangladesh",
  3385. "Sri Lanka",
  3386. "Pakistan"
  3387. ],
  3388. "cfr-target-category": [
  3389. "Private sector",
  3390. "Military"
  3391. ],
  3392. "cfr-type-of-incident": "Espionage",
  3393. "country": "IN",
  3394. "refs": [
  3395. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  3396. "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign",
  3397. "https://www.cymmetria.com/patchwork-targeted-attack/",
  3398. "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
  3399. "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
  3400. "https://attack.mitre.org/groups/G0040/",
  3401. "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
  3402. "https://securelist.com/the-dropping-elephant-actor/75328/",
  3403. "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
  3404. "https://www.secureworks.com/research/threat-profiles/zinc-emerson"
  3405. ],
  3406. "synonyms": [
  3407. "Chinastrats",
  3408. "Patchwork",
  3409. "Monsoon",
  3410. "Sarit",
  3411. "Quilted Tiger",
  3412. "APT-C-09",
  3413. "ZINC EMERSON"
  3414. ]
  3415. },
  3416. "related": [
  3417. {
  3418. "dest-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
  3419. "tags": [
  3420. "estimative-language:likelihood-probability=\"likely\""
  3421. ],
  3422. "type": "similar"
  3423. },
  3424. {
  3425. "dest-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
  3426. "tags": [
  3427. "estimative-language:likelihood-probability=\"likely\""
  3428. ],
  3429. "type": "similar"
  3430. }
  3431. ],
  3432. "uuid": "18d473a5-831b-47a5-97a1-a32156299825",
  3433. "value": "Dropping Elephant"
  3434. },
  3435. {
  3436. "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same.\nThe attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.\nThe attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC.\nScarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.",
  3437. "meta": {
  3438. "attribution-confidence": "50",
  3439. "country": "CN",
  3440. "refs": [
  3441. "https://attack.mitre.org/wiki/Groups",
  3442. "https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/",
  3443. "https://attack.mitre.org/groups/G0029/"
  3444. ]
  3445. },
  3446. "related": [
  3447. {
  3448. "dest-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
  3449. "tags": [
  3450. "estimative-language:likelihood-probability=\"likely\""
  3451. ],
  3452. "type": "similar"
  3453. }
  3454. ],
  3455. "uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e",
  3456. "value": "Scarlet Mimic"
  3457. },
  3458. {
  3459. "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.",
  3460. "meta": {
  3461. "attribution-confidence": "50",
  3462. "country": "BR",
  3463. "refs": [
  3464. "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/",
  3465. "https://attack.mitre.org/wiki/Groups",
  3466. "https://attack.mitre.org/groups/G0033/"
  3467. ]
  3468. },
  3469. "related": [
  3470. {
  3471. "dest-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
  3472. "tags": [
  3473. "estimative-language:likelihood-probability=\"likely\""
  3474. ],
  3475. "type": "similar"
  3476. }
  3477. ],
  3478. "uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d",
  3479. "value": "Poseidon Group"
  3480. },
  3481. {
  3482. "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.",
  3483. "meta": {
  3484. "attribution-confidence": "50",
  3485. "cfr-suspected-state-sponsor": "China",
  3486. "cfr-suspected-victims": [
  3487. "United States"
  3488. ],
  3489. "cfr-target-category": [
  3490. "Private sector"
  3491. ],
  3492. "cfr-type-of-incident": "Espionage",
  3493. "country": "CN",
  3494. "refs": [
  3495. "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
  3496. "https://attack.mitre.org/wiki/Groups",
  3497. "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor",
  3498. "https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf",
  3499. "https://www.cfr.org/interactive/cyber-operations/moafee",
  3500. "https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
  3501. "https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
  3502. "https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
  3503. "https://attack.mitre.org/groups/G0017/",
  3504. "https://attack.mitre.org/groups/G0002/",
  3505. "https://www.secureworks.com/research/threat-profiles/bronze-overbrook"
  3506. ],
  3507. "synonyms": [
  3508. "Moafee",
  3509. "BRONZE OVERBROOK"
  3510. ]
  3511. },
  3512. "related": [
  3513. {
  3514. "dest-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
  3515. "tags": [
  3516. "estimative-language:likelihood-probability=\"likely\""
  3517. ],
  3518. "type": "similar"
  3519. },
  3520. {
  3521. "dest-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
  3522. "tags": [
  3523. "estimative-language:likelihood-probability=\"likely\""
  3524. ],
  3525. "type": "similar"
  3526. }
  3527. ],
  3528. "uuid": "a9b44750-992c-4743-8922-129880d277ea",
  3529. "value": "DragonOK"
  3530. },
  3531. {
  3532. "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.",
  3533. "meta": {
  3534. "attribution-confidence": "50",
  3535. "cfr-suspected-state-sponsor": "China",
  3536. "cfr-suspected-victims": [
  3537. "United States",
  3538. "United Kingdom",
  3539. "France"
  3540. ],
  3541. "cfr-target-category": [
  3542. "Government",
  3543. "Private sector"
  3544. ],
  3545. "cfr-type-of-incident": "Espionage",
  3546. "country": "CN",
  3547. "refs": [
  3548. "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
  3549. "https://attack.mitre.org",
  3550. "https://www.cfr.org/interactive/cyber-operations/emissary-panda"
  3551. ],
  3552. "synonyms": [
  3553. "TG-3390",
  3554. "Emissary Panda"
  3555. ]
  3556. },
  3557. "related": [
  3558. {
  3559. "dest-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
  3560. "tags": [
  3561. "estimative-language:likelihood-probability=\"likely\""
  3562. ],
  3563. "type": "similar"
  3564. },
  3565. {
  3566. "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
  3567. "tags": [
  3568. "estimative-language:likelihood-probability=\"likely\""
  3569. ],
  3570. "type": "similar"
  3571. },
  3572. {
  3573. "dest-uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
  3574. "tags": [
  3575. "estimative-language:likelihood-probability=\"likely\""
  3576. ],
  3577. "type": "similar"
  3578. }
  3579. ],
  3580. "uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045",
  3581. "value": "Threat Group-3390"
  3582. },
  3583. {
  3584. "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.",
  3585. "meta": {
  3586. "attribution-confidence": "50",
  3587. "cfr-suspected-state-sponsor": "United States",
  3588. "cfr-suspected-victims": [
  3589. "Russia",
  3590. "Iran",
  3591. "Belgium",
  3592. "China",
  3593. "Sweden",
  3594. "Rwanda"
  3595. ],
  3596. "cfr-target-category": [
  3597. "Government",
  3598. "Military"
  3599. ],
  3600. "cfr-type-of-incident": "Espionage",
  3601. "country": "US",
  3602. "refs": [
  3603. "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/",
  3604. "https://www.cfr.org/interactive/cyber-operations/project-sauron",
  3605. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  3606. "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf",
  3607. "https://attack.mitre.org/groups/G0041/"
  3608. ],
  3609. "synonyms": [
  3610. "Strider",
  3611. "Sauron",
  3612. "Project Sauron"
  3613. ]
  3614. },
  3615. "related": [
  3616. {
  3617. "dest-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
  3618. "tags": [
  3619. "estimative-language:likelihood-probability=\"likely\""
  3620. ],
  3621. "type": "similar"
  3622. }
  3623. ],
  3624. "uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7",
  3625. "value": "ProjectSauron"
  3626. },
  3627. {
  3628. "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.",
  3629. "meta": {
  3630. "attribution-confidence": "50",
  3631. "cfr-suspected-state-sponsor": "China",
  3632. "cfr-suspected-victims": [
  3633. "India",
  3634. "Saudi Arabia",
  3635. "Vietnam",
  3636. "Myanmar",
  3637. "Singapore",
  3638. "Thailand",
  3639. "Malaysia",
  3640. "Cambodia",
  3641. "China",
  3642. "Philippines",
  3643. "South Korea",
  3644. "United States",
  3645. "Indonesia",
  3646. "Laos"
  3647. ],
  3648. "cfr-target-category": [
  3649. "Government",
  3650. "Private sector"
  3651. ],
  3652. "cfr-type-of-incident": "Espionage",
  3653. "country": "CN",
  3654. "refs": [
  3655. "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
  3656. "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
  3657. "https://attack.mitre.org/wiki/Group/G0013",
  3658. "https://www.cfr.org/interactive/cyber-operations/apt-30"
  3659. ],
  3660. "synonyms": [
  3661. "APT30"
  3662. ]
  3663. },
  3664. "related": [
  3665. {
  3666. "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
  3667. "tags": [
  3668. "estimative-language:likelihood-probability=\"likely\""
  3669. ],
  3670. "type": "similar"
  3671. },
  3672. {
  3673. "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
  3674. "tags": [
  3675. "estimative-language:likelihood-probability=\"likely\""
  3676. ],
  3677. "type": "similar"
  3678. },
  3679. {
  3680. "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
  3681. "tags": [
  3682. "estimative-language:likelihood-probability=\"likely\""
  3683. ],
  3684. "type": "similar"
  3685. },
  3686. {
  3687. "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
  3688. "tags": [
  3689. "estimative-language:likelihood-probability=\"likely\""
  3690. ],
  3691. "type": "similar"
  3692. }
  3693. ],
  3694. "uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
  3695. "value": "APT 30"
  3696. },
  3697. {
  3698. "description": "TA530 is a threat actor previously examined in relation to large-scale personalized phishing campaigns.",
  3699. "meta": {
  3700. "attribution-confidence": "50",
  3701. "country": "CN",
  3702. "refs": [
  3703. "https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene"
  3704. ]
  3705. },
  3706. "uuid": "4b79d1f6-8333-44b6-ac32-d1ea7e47e77f",
  3707. "value": "TA530"
  3708. },
  3709. {
  3710. "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.",
  3711. "meta": {
  3712. "attribution-confidence": "50",
  3713. "country": "RU",
  3714. "refs": [
  3715. "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/",
  3716. "https://attack.mitre.org/groups/G0036/"
  3717. ]
  3718. },
  3719. "related": [
  3720. {
  3721. "dest-uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f",
  3722. "tags": [
  3723. "estimative-language:likelihood-probability=\"likely\""
  3724. ],
  3725. "type": "similar"
  3726. }
  3727. ],
  3728. "uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0",
  3729. "value": "GCMAN"
  3730. },
  3731. {
  3732. "description": "Suckfly is a China-based threat group that has been active since at least 2014.",
  3733. "meta": {
  3734. "attribution-confidence": "50",
  3735. "country": "CN",
  3736. "refs": [
  3737. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  3738. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  3739. "https://attack.mitre.org/groups/G0039/"
  3740. ]
  3741. },
  3742. "related": [
  3743. {
  3744. "dest-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
  3745. "tags": [
  3746. "estimative-language:likelihood-probability=\"likely\""
  3747. ],
  3748. "type": "similar"
  3749. }
  3750. ],
  3751. "uuid": "5abb12e7-5066-4f84-a109-49a037205c76",
  3752. "value": "Suckfly"
  3753. },
  3754. {
  3755. "description": "FIN6 is a group targeting financial assets, including assets able to perform financial transactions, such as PoS.",
  3756. "meta": {
  3757. "refs": [
  3758. "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
  3759. "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
  3760. "https://attack.mitre.org/groups/G0037/",
  3761. "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"
  3762. ],
  3763. "synonyms": [
  3764. "Skeleton Spider",
  3765. "ITG08"
  3766. ]
  3767. },
  3768. "related": [
  3769. {
  3770. "dest-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
  3771. "tags": [
  3772. "estimative-language:likelihood-probability=\"likely\""
  3773. ],
  3774. "type": "similar"
  3775. }
  3776. ],
  3777. "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
  3778. "value": "FIN6"
  3779. },
  3780. {
  3781. "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
  3782. "meta": {
  3783. "attribution-confidence": "50",
  3784. "country": "LY"
  3785. },
  3786. "uuid": "815cbe98-e157-4078-9caa-c5a25dd64731",
  3787. "value": "Libyan Scorpions"
  3788. },
  3789. {
  3790. "meta": {
  3791. "refs": [
  3792. "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
  3793. ],
  3794. "synonyms": [
  3795. "CorporacaoXRat",
  3796. "CorporationXRat"
  3797. ]
  3798. },
  3799. "uuid": "43ec65d1-a334-4c44-9a44-0fd21f27249d",
  3800. "value": "TeamXRat"
  3801. },
  3802. {
  3803. "description": "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. \r\n\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\r\n\r\n-Organized evasion testing used during the development of their tools.\r\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\r\n-Custom web-shells and backdoors used to persistently access servers.\r\n\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. 
OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.",
  3804. "meta": {
  3805. "attribution-confidence": "50",
  3806. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  3807. "cfr-suspected-victims": [
  3808. "Israel",
  3809. "Kuwait",
  3810. "United States",
  3811. "Turkey",
  3812. "Saudi Arabia",
  3813. "Qatar",
  3814. "Lebanon"
  3815. ],
  3816. "cfr-target-category": [
  3817. "Government",
  3818. "Private sector",
  3819. "Civil society"
  3820. ],
  3821. "cfr-type-of-incident": "Espionage",
  3822. "country": "IR",
  3823. "refs": [
  3824. "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
  3825. "https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
  3826. "https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/",
  3827. "https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
  3828. "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
  3829. "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/",
  3830. "https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
  3831. "https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/",
  3832. "https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
  3833. "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
  3834. "https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/",
  3835. "https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
  3836. "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
  3837. "https://pan-unit42.github.io/playbook_viewer/",
  3838. "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
  3839. "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
  3840. "https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf",
  3841. "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a",
  3842. "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json",
  3843. "https://www.cfr.org/interactive/cyber-operations/oilrig",
  3844. "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
  3845. "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
  3846. "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks",
  3847. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  3848. "https://www.clearskysec.com/oilrig/",
  3849. "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
  3850. "https://attack.mitre.org/groups/G0049/",
  3851. "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/",
  3852. "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
  3853. ],
  3854. "synonyms": [
  3855. "Twisted Kitten",
  3856. "Cobalt Gypsy",
  3857. "Crambus",
  3858. "Helix Kitten",
  3859. "APT 34",
  3860. "APT34",
  3861. "IRN2"
  3862. ]
  3863. },
  3864. "related": [
  3865. {
  3866. "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
  3867. "tags": [
  3868. "estimative-language:likelihood-probability=\"likely\""
  3869. ],
  3870. "type": "similar"
  3871. },
  3872. {
  3873. "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
  3874. "tags": [
  3875. "estimative-language:likelihood-probability=\"likely\""
  3876. ],
  3877. "type": "similar"
  3878. },
  3879. {
  3880. "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
  3881. "tags": [
  3882. "estimative-language:likelihood-probability=\"likely\""
  3883. ],
  3884. "type": "similar"
  3885. },
  3886. {
  3887. "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
  3888. "tags": [
  3889. "estimative-language:likelihood-probability=\"likely\""
  3890. ],
  3891. "type": "similar"
  3892. },
  3893. {
  3894. "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
  3895. "tags": [
  3896. "estimative-language:likelihood-probability=\"likely\""
  3897. ],
  3898. "type": "similar"
  3899. },
  3900. {
  3901. "dest-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
  3902. "tags": [
  3903. "estimative-language:likelihood-probability=\"likely\""
  3904. ],
  3905. "type": "similar"
  3906. },
  3907. {
  3908. "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
  3909. "tags": [
  3910. "estimative-language:likelihood-probability=\"likely\""
  3911. ],
  3912. "type": "similar"
  3913. },
  3914. {
  3915. "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
  3916. "tags": [
  3917. "estimative-language:likelihood-probability=\"likely\""
  3918. ],
  3919. "type": "similar"
  3920. },
  3921. {
  3922. "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
  3923. "tags": [
  3924. "estimative-language:likelihood-probability=\"likely\""
  3925. ],
  3926. "type": "similar"
  3927. },
  3928. {
  3929. "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
  3930. "tags": [
  3931. "estimative-language:likelihood-probability=\"likely\""
  3932. ],
  3933. "type": "similar"
  3934. },
  3935. {
  3936. "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
  3937. "tags": [
  3938. "estimative-language:likelihood-probability=\"likely\""
  3939. ],
  3940. "type": "similar"
  3941. }
  3942. ],
  3943. "uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
  3944. "value": "OilRig"
  3945. },
  3946. {
  3947. "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.",
  3948. "meta": {
  3949. "refs": [
  3950. "https://blog.checkpoint.com/2015/03/31/volatilecedar/",
  3951. "https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/",
  3952. "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/"
  3953. ],
  3954. "synonyms": [
  3955. "Reuse team",
  3956. "Malware reusers",
  3957. "Dancing Salome"
  3958. ]
  3959. },
  3960. "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a",
  3961. "value": "Volatile Cedar"
  3962. },
  3963. {
  3964. "description": "Threat group conducting cyber espionage while re-using tools from other teams, like those of Hacking Team, and VMProtect for obfuscation.",
  3965. "meta": {
  3966. "synonyms": [
  3967. "Reuse team",
  3968. "Dancing Salome"
  3969. ]
  3970. },
  3971. "uuid": "3d5192f2-f235-46fd-aa68-dd00cc17d632",
  3972. "value": "Malware reusers"
  3973. },
  3974. {
  3975. "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
  3976. "meta": {
  3977. "refs": [
  3978. "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
  3979. ]
  3980. },
  3981. "related": [
  3982. {
  3983. "dest-uuid": "99784b80-6298-45ba-885c-0ed37bfd8324",
  3984. "tags": [
  3985. "estimative-language:likelihood-probability=\"likely\""
  3986. ],
  3987. "type": "similar"
  3988. }
  3989. ],
  3990. "uuid": "46670c51-fea4-45d6-bdd4-62e85a5c7404",
  3991. "value": "TERBIUM"
  3992. },
  3993. {
  3994. "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well and, as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
  3995. "meta": {
  3996. "refs": [
  3997. "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
  3998. "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/",
  3999. "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/",
  4000. "https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
  4001. "https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html",
  4002. "https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html",
  4003. "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
  4004. "https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/",
  4005. "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf",
  4006. "https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
  4007. "https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
  4008. "https://www.kaspersky.com/blog/gaza-cybergang/26363/",
  4009. "https://attack.mitre.org/groups/G0021/",
  4010. "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga"
  4011. ],
  4012. "synonyms": [
  4013. "Gaza Hackers Team",
  4014. "Gaza cybergang",
  4015. "Gaza Cybergang",
  4016. "Operation Molerats",
  4017. "Extreme Jackal",
  4018. "Moonlight",
  4019. "ALUMINUM SARATOGA"
  4020. ]
  4021. },
  4022. "related": [
  4023. {
  4024. "dest-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
  4025. "tags": [
  4026. "estimative-language:likelihood-probability=\"likely\""
  4027. ],
  4028. "type": "similar"
  4029. }
  4030. ],
  4031. "uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde",
  4032. "value": "Molerats"
  4033. },
  4034. {
  4035. "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
  4036. "meta": {
  4037. "attribution-confidence": "50",
  4038. "country": "TR",
  4039. "refs": [
  4040. "https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
  4041. "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users",
  4042. "https://attack.mitre.org/groups/G0055/",
  4043. "https://attack.mitre.org/groups/G0056/"
  4044. ],
  4045. "synonyms": [
  4046. "StrongPity"
  4047. ]
  4048. },
  4049. "related": [
  4050. {
  4051. "dest-uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c",
  4052. "tags": [
  4053. "estimative-language:likelihood-probability=\"likely\""
  4054. ],
  4055. "type": "similar"
  4056. },
  4057. {
  4058. "dest-uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f",
  4059. "tags": [
  4060. "estimative-language:likelihood-probability=\"likely\""
  4061. ],
  4062. "type": "similar"
  4063. }
  4064. ],
  4065. "uuid": "43894e2a-174e-4931-94a8-2296afe8f650",
  4066. "value": "PROMETHIUM"
  4067. },
  4068. {
  4069. "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
  4070. "meta": {
  4071. "refs": [
  4072. "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
  4073. ]
  4074. },
  4075. "related": [
  4076. {
  4077. "dest-uuid": "025bdaa9-897d-4bad-afa6-013ba5734653",
  4078. "tags": [
  4079. "estimative-language:likelihood-probability=\"likely\""
  4080. ],
  4081. "type": "similar"
  4082. },
  4083. {
  4084. "dest-uuid": "47b5007a-3fb1-466a-9578-629e6e735493",
  4085. "tags": [
  4086. "estimative-language:likelihood-probability=\"likely\""
  4087. ],
  4088. "type": "similar"
  4089. }
  4090. ],
  4091. "uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb",
  4092. "value": "NEODYMIUM"
  4093. },
  4094. {
  4095. "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.",
  4096. "meta": {
  4097. "refs": [
  4098. "https://citizenlab.ca/2015/12/packrat-report/"
  4099. ]
  4100. },
  4101. "uuid": "fe344665-d153-4d31-a32a-1509efde1ca7",
  4102. "value": "Packrat"
  4103. },
  4104. {
  4105. "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
  4106. "meta": {
  4107. "attribution-confidence": "50",
  4108. "country": "IR",
  4109. "refs": [
  4110. "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
  4111. ]
  4112. },
  4113. "uuid": "03f13462-003c-4296-8784-bccea16710a9",
  4114. "value": "Cadelle"
  4115. },
  4116. {
  4117. "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.",
  4118. "meta": {
  4119. "attribution-confidence": "50",
  4120. "country": "CN",
  4121. "refs": [
  4122. "https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html"
  4123. ]
  4124. },
  4125. "uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965",
  4126. "value": "PassCV"
  4127. },
  4128. {
  4129. "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.",
  4130. "meta": {
  4131. "attribution-confidence": "50",
  4132. "country": "TR",
  4133. "motive": "Hacktivists-Nationalists"
  4134. },
  4135. "uuid": "a03e2b4b-617f-4d28-ac4b-9943f792aa22",
  4136. "value": "Sath-ı Müdafaa"
  4137. },
  4138. {
  4139. "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam.",
  4140. "meta": {
  4141. "attribution-confidence": "50",
  4142. "country": "TR",
  4143. "motive": "Hacktivists-Nationalists",
  4144. "synonyms": [
  4145. "Lion Soldiers Team",
  4146. "Phantom Turk"
  4147. ]
  4148. },
  4149. "uuid": "23410d3f-c359-422d-9a4e-45f8fdf0c84a",
  4150. "value": "Aslan Neferler Tim"
  4151. },
  4152. {
  4153. "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.",
  4154. "meta": {
  4155. "attribution-confidence": "50",
  4156. "country": "TR",
  4157. "motive": "Hacktivists-Nationalists",
  4158. "synonyms": [
  4159. "Crescent and Star"
  4160. ]
  4161. },
  4162. "uuid": "ab1771de-25bb-4688-b132-eabb5d6452a1",
  4163. "value": "Ayyıldız Tim"
  4164. },
  4165. {
  4166. "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ",
  4167. "meta": {
  4168. "attribution-confidence": "50",
  4169. "country": "TR",
  4170. "motive": "Hacktivists-Nationalists",
  4171. "synonyms": [
  4172. "Turk Hack Team"
  4173. ]
  4174. },
  4175. "uuid": "7ae74dc6-ded3-4873-a803-abb4160d10c0",
  4176. "value": "TurkHackTeam"
  4177. },
  4178. {
  4179. "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame",
  4180. "meta": {
  4181. "attribution-confidence": "50",
  4182. "cfr-suspected-state-sponsor": "United States",
  4183. "cfr-suspected-victims": [
  4184. "Iran",
  4185. "Afghanistan",
  4186. "Syria",
  4187. "Yemen",
  4188. "Kenya",
  4189. "Russia",
  4190. "India",
  4191. "Mali",
  4192. "Algeria",
  4193. "United Kingdom",
  4194. "Pakistan",
  4195. "China",
  4196. "Lebanon",
  4197. "United Arab Emirates",
  4198. "Libya"
  4199. ],
  4200. "cfr-target-category": [
  4201. "Government",
  4202. "Military"
  4203. ],
  4204. "cfr-type-of-incident": "Espionage",
  4205. "country": "US",
  4206. "refs": [
  4207. "https://en.wikipedia.org/wiki/Equation_Group",
  4208. "https://www.cfr.org/interactive/cyber-operations/equation-group",
  4209. "https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/",
  4210. "https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0",
  4211. "https://en.wikipedia.org/wiki/Stuxnet",
  4212. "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
  4213. "https://attack.mitre.org/groups/G0020/",
  4214. "https://www.secureworks.com/research/threat-profiles/platinum-terminal"
  4215. ],
  4216. "synonyms": [
  4217. "Tilded Team",
  4218. "Lamberts",
  4219. "EQGRP",
  4220. "Longhorn",
  4221. "PLATINUM TERMINAL"
  4222. ]
  4223. },
  4224. "related": [
  4225. {
  4226. "dest-uuid": "2f3311cd-8476-4be7-9005-ead920afc781",
  4227. "tags": [
  4228. "estimative-language:likelihood-probability=\"likely\""
  4229. ],
  4230. "type": "similar"
  4231. }
  4232. ],
  4233. "uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840",
  4234. "value": "Equation Group"
  4235. },
  4236. {
  4237. "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
  4238. "meta": {
  4239. "attribution-confidence": "50",
  4240. "country": "IR",
  4241. "refs": [
  4242. "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
  4243. "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/",
  4244. "https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/",
  4245. "https://www.clearskysec.com/greenbug/"
  4246. ]
  4247. },
  4248. "related": [
  4249. {
  4250. "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
  4251. "tags": [
  4252. "estimative-language:likelihood-probability=\"likely\""
  4253. ],
  4254. "type": "similar"
  4255. },
  4256. {
  4257. "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
  4258. "tags": [
  4259. "estimative-language:likelihood-probability=\"likely\""
  4260. ],
  4261. "type": "similar"
  4262. }
  4263. ],
  4264. "uuid": "47204403-34c9-4d25-a006-296a0939d1a2",
  4265. "value": "Greenbug"
  4266. },
  4267. {
  4268. "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
  4269. "meta": {
  4270. "refs": [
  4271. "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
  4272. "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
  4273. "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
  4274. "https://attack.mitre.org/groups/G0047/",
  4275. "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
  4276. "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
  4277. "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/"
  4278. ],
  4279. "synonyms": [
  4280. "Primitive Bear"
  4281. ]
  4282. },
  4283. "related": [
  4284. {
  4285. "dest-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
  4286. "tags": [
  4287. "estimative-language:likelihood-probability=\"likely\""
  4288. ],
  4289. "type": "similar"
  4290. }
  4291. ],
  4292. "uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb",
  4293. "value": "Gamaredon Group"
  4294. },
  4295. {
  4296. "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia.",
  4297. "meta": {
  4298. "attribution-confidence": "50",
  4299. "country": "CN",
  4300. "refs": [
  4301. "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242"
  4302. ],
  4303. "synonyms": [
  4304. "Zhenbao",
  4305. "TEMP.Zhenbao"
  4306. ]
  4307. },
  4308. "uuid": "1f2762d9-a4b5-4457-ac51-00be05be9e23",
  4309. "value": "Hammer Panda"
  4310. },
  4311. {
  4312. "description": "Infy is a group of suspected Iranian origin.\nSince early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human rights activists in the beginning of 2015. In line with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents.\nThanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.",
  4313. "meta": {
  4314. "attribution-confidence": "50",
  4315. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  4316. "cfr-suspected-victims": [
  4317. "Israel",
  4318. "Iran",
  4319. "France",
  4320. "China",
  4321. "Sweden",
  4322. "United States",
  4323. "United Kingdom",
  4324. "Germany",
  4325. "Syria",
  4326. "Italy",
  4327. "Denmark",
  4328. "Canada",
  4329. "Russia",
  4330. "Saudi Arabia",
  4331. "Bahrain"
  4332. ],
  4333. "cfr-target-category": [
  4334. "Government",
  4335. "Private sector"
  4336. ],
  4337. "cfr-type-of-incident": "Espionage",
  4338. "country": "IR",
  4339. "refs": [
  4340. "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf",
  4341. "https://iranthreats.github.io/",
  4342. "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
  4343. "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
  4344. "https://www.cfr.org/interactive/cyber-operations/prince-persia",
  4345. "https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
  4346. "https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/"
  4347. ],
  4348. "synonyms": [
  4349. "Operation Mermaid",
  4350. "Prince of Persia"
  4351. ]
  4352. },
  4353. "uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e",
  4354. "value": "Infy"
  4355. },
  4356. {
  4357. "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.\nIn February 2016, Iran-focused individuals received messages purporting to be from Human Rights Watch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghan refugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Director’s biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to professionally interact with the subject, then offered validation through links to their biography and social media, the former of which itself was malware as well. The bait documents contained a real article relevant to their interests and topic referenced, and the message attempted to address how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files using the common right-to-left override (RLO) filename tactic in order to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to a tendency amongst other groups to simply continually send different forms of generic malware or phishing, in the hopes that one would eventually be successful.",
  4358. "meta": {
  4359. "attribution-confidence": "50",
  4360. "country": "IR",
  4361. "refs": [
  4362. "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf",
  4363. "https://iranthreats.github.io/"
  4364. ]
  4365. },
  4366. "uuid": "80f9184d-1df3-4ad0-a452-cdb90fe57216",
  4367. "value": "Sima"
  4368. },
  4369. {
  4370. "description": "Blue Termite is a group of suspected Chinese origin active in Japan.",
  4371. "meta": {
  4372. "attribution-confidence": "50",
  4373. "cfr-suspected-state-sponsor": "Unknown",
  4374. "cfr-suspected-victims": [
  4375. "Japan"
  4376. ],
  4377. "cfr-target-category": [
  4378. "Government",
  4379. "Private sector"
  4380. ],
  4381. "cfr-type-of-incident": "Espionage",
  4382. "country": "CN",
  4383. "refs": [
  4384. "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/",
  4385. "https://www.cfr.org/interactive/cyber-operations/blue-termite"
  4386. ],
  4387. "synonyms": [
  4388. "Cloudy Omega",
  4389. "Emdivi"
  4390. ]
  4391. },
  4392. "uuid": "a250af72-f66c-4d02-9f36-ab764ce9fe85",
  4393. "value": "Blue Termite"
  4394. },
  4395. {
  4396. "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.",
  4397. "meta": {
  4398. "attribution-confidence": "50",
  4399. "country": "UA",
  4400. "refs": [
  4401. "http://www.welivesecurity.com/2016/05/18/groundbait"
  4402. ]
  4403. },
  4404. "uuid": "8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73",
  4405. "value": "Groundbait"
  4406. },
  4407. {
  4408. "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to cfr, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by Wikileaks under the name \"Vault 7.\"",
  4409. "meta": {
  4410. "attribution-confidence": "50",
  4411. "cfr-suspected-state-sponsor": "United States",
  4412. "cfr-suspected-victims": [
  4413. "Global"
  4414. ],
  4415. "cfr-target-category": [
  4416. "Private sector",
  4417. "Government"
  4418. ],
  4419. "cfr-type-of-incident": "Espionage",
  4420. "country": "US",
  4421. "refs": [
  4422. "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  4423. "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/",
  4424. "https://www.cfr.org/interactive/cyber-operations/longhorn",
  4425. "http://blogs.360.cn/post/APT-C-39_CIA_EN.html"
  4426. ],
  4427. "synonyms": [
  4428. "Lamberts",
  4429. "the Lamberts",
  4430. "APT-C-39"
  4431. ]
  4432. },
  4433. "related": [
  4434. {
  4435. "dest-uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840",
  4436. "tags": [
  4437. "estimative-language:likelihood-probability=\"likely\""
  4438. ],
  4439. "type": "similar"
  4440. }
  4441. ],
  4442. "uuid": "2f3311cd-8476-4be7-9005-ead920afc781",
  4443. "value": "Longhorn"
  4444. },
  4445. {
  4446. "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
  4447. "meta": {
  4448. "refs": [
  4449. "https://www.f-secure.com/documents/996508/1030745/callisto-group"
  4450. ]
  4451. },
  4452. "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
  4453. "value": "Callisto"
  4454. },
  4455. {
  4456. "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.",
  4457. "meta": {
  4458. "attribution-confidence": "50",
  4459. "cfr-suspected-state-sponsor": "Vietnam",
  4460. "cfr-suspected-victims": [
  4461. "China",
  4462. "Germany",
  4463. "United States",
  4464. "Vietnam",
  4465. "Philippines",
  4466. "Association of Southeast Asian Nations"
  4467. ],
  4468. "cfr-target-category": [
  4469. "Government",
  4470. "Private sector",
  4471. "Civil society"
  4472. ],
  4473. "cfr-type-of-incident": "Espionage",
  4474. "country": "VN",
  4475. "refs": [
  4476. "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
  4477. "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/",
  4478. "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/",
  4479. "https://www.brighttalk.com/webcast/10703/261205",
  4480. "https://github.com/eset/malware-research/tree/master/oceanlotus",
  4481. "https://www.cfr.org/interactive/cyber-operations/ocean-lotus",
  4482. "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware",
  4483. "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
  4484. "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
  4485. "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html"
  4486. ],
  4487. "synonyms": [
  4488. "OceanLotus Group",
  4489. "Ocean Lotus",
  4490. "OceanLotus",
  4491. "Cobalt Kitty",
  4492. "APT-C-00",
  4493. "SeaLotus",
  4494. "Sea Lotus",
  4495. "APT-32",
  4496. "APT 32",
  4497. "Ocean Buffalo",
  4498. "POND LOACH",
  4499. "TIN WOODLAWN"
  4500. ]
  4501. },
  4502. "related": [
  4503. {
  4504. "dest-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
  4505. "tags": [
  4506. "estimative-language:likelihood-probability=\"likely\""
  4507. ],
  4508. "type": "similar"
  4509. },
  4510. {
  4511. "dest-uuid": "7e5a571f-dee2-4cae-a960-f8ab8a8fb1cf",
  4512. "tags": [
  4513. "estimative-language:likelihood-probability=\"likely\""
  4514. ],
  4515. "type": "similar"
  4516. }
  4517. ],
  4518. "uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7",
  4519. "value": "APT32"
  4520. },
  4521. {
  4522. "description": "SilverTerrier is a Nigerian cybercrime actor profiled by Palo Alto Networks Unit 42. As the commodity malware families and packing tools it relies on rise and fall in popularity (and, more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available.",
  4523. "meta": {
  4524. "attribution-confidence": "50",
  4525. "country": "NG",
  4526. "refs": [
  4527. "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf"
  4528. ]
  4529. },
  4530. "uuid": "acbfd9e4-f78c-4ae0-9b52-c35ed679e546",
  4531. "value": "SilverTerrier"
  4532. },
  4533. {
  4534. "description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not state-sponsored but rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.\n Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.\n This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider-trading purposes.",
  4535. "meta": {
  4536. "refs": [
  4537. "https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks",
  4538. "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
  4539. "https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/",
  4540. "https://blog.twitter.com/official/en_us/a/2013/keeping-our-users-secure.html",
  4541. "https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766",
  4542. "https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219",
  4543. "https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/"
  4544. ],
  4545. "synonyms": [
  4546. "Butterfly",
  4547. "Morpho",
  4548. "Sphinx Moth"
  4549. ]
  4550. },
  4551. "uuid": "e7df3572-0c96-4968-8e5a-803ef4219762",
  4552. "value": "WildNeutron"
  4553. },
  4554. {
  4555. "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
  4556. "meta": {
  4557. "refs": [
  4558. "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
  4559. "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
  4560. "https://attack.mitre.org/groups/G0068/"
  4561. ],
  4562. "synonyms": [
  4563. "TwoForOne"
  4564. ]
  4565. },
  4566. "related": [
  4567. {
  4568. "dest-uuid": "f9c06633-dcff-48a1-8588-759e7cec5694",
  4569. "tags": [
  4570. "estimative-language:likelihood-probability=\"likely\""
  4571. ],
  4572. "type": "similar"
  4573. },
  4574. {
  4575. "dest-uuid": "154e97b5-47ef-415a-99a6-2157f1b50339",
  4576. "tags": [
  4577. "estimative-language:likelihood-probability=\"likely\""
  4578. ],
  4579. "type": "similar"
  4580. }
  4581. ],
  4582. "uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a",
  4583. "value": "PLATINUM"
  4584. },
  4585. {
  4586. "description": "Adversaries abusing ICS (based on Dragos Inc adversary list). Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.",
  4587. "meta": {
  4588. "capabilities": "CRASHOVERRIDE",
  4589. "mode-of-operation": "Electric grid disruption and long-term persistence",
  4590. "refs": [
  4591. "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
  4592. "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
  4593. "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
  4594. "https://dragos.com/adversaries.html"
  4595. ],
  4596. "since": "2016",
  4597. "synonyms": [
  4598. "Sandworm"
  4599. ],
  4600. "victimology": "Ukraine, Electric Utilities"
  4601. },
  4602. "related": [
  4603. {
  4604. "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
  4605. "tags": [
  4606. "estimative-language:likelihood-probability=\"likely\""
  4607. ],
  4608. "type": "similar"
  4609. },
  4610. {
  4611. "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
  4612. "tags": [
  4613. "estimative-language:likelihood-probability=\"likely\""
  4614. ],
  4615. "type": "similar"
  4616. },
  4617. {
  4618. "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
  4619. "tags": [
  4620. "estimative-language:likelihood-probability=\"likely\""
  4621. ],
  4622. "type": "similar"
  4623. }
  4624. ],
  4625. "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
  4626. "value": "ELECTRUM"
  4627. },
  4628. {
  4629. "description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
  4630. "meta": {
  4631. "refs": [
  4632. "https://dragos.com/blog/20180802Raspite.html",
  4633. "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
  4634. "https://attack.mitre.org/groups/G0077/"
  4635. ],
  4636. "since": "2017",
  4637. "synonyms": [
  4638. "LeafMiner",
  4639. "Raspite"
  4640. ],
  4641. "victimology": "Electric utility sector"
  4642. },
  4643. "uuid": "2c8994ba-367c-46f6-bfb0-390c8760dd9e",
  4644. "value": "RASPITE"
  4645. },
  4646. {
  4647. "description": "FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.",
  4648. "meta": {
  4649. "refs": [
  4650. "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
  4651. "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
  4652. "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
  4653. "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
  4654. "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
  4655. "https://attack.mitre.org/groups/G0061"
  4656. ]
  4657. },
  4658. "related": [
  4659. {
  4660. "dest-uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826",
  4661. "tags": [
  4662. "estimative-language:likelihood-probability=\"likely\""
  4663. ],
  4664. "type": "similar"
  4665. }
  4666. ],
  4667. "uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73",
  4668. "value": "FIN8"
  4669. },
  4670. {
  4671. "description": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky (see the Securelist reference below). We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. The attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.",
  4672. "meta": {
  4673. "attribution-confidence": "50",
  4674. "cfr-suspected-state-sponsor": "Unknown",
  4675. "cfr-suspected-victims": [
  4676. "Venezuela",
  4677. "Russia",
  4678. "Cuba",
  4679. "China",
  4680. "Belgium",
  4681. "Ecuador",
  4682. "Brazil",
  4683. "Spain",
  4684. "Germany",
  4685. "France",
  4686. "Colombia",
  4687. "Peru",
  4688. "Sweden",
  4689. "United States",
  4690. "Malaysia"
  4691. ],
  4692. "cfr-target-category": [
  4693. "Military",
  4694. "Government"
  4695. ],
  4696. "cfr-type-of-incident": "Espionage",
  4697. "refs": [
  4698. "https://securelist.com/el-machete/66108/",
  4699. "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
  4700. "https://www.cfr.org/interactive/cyber-operations/machete",
  4701. "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html",
  4702. "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/"
  4703. ],
  4704. "synonyms": [
  4705. "Machete",
  4706. "machete-apt",
  4707. "APT-C-43"
  4708. ]
  4709. },
  4710. "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3",
  4711. "value": "El Machete"
  4712. },
  4713. {
  4714. "description": "A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.",
  4715. "meta": {
  4716. "refs": [
  4717. "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
  4718. "https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/",
  4719. "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
  4720. "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/",
  4721. "https://www.group-ib.com/blog/cobalt",
  4722. "https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX",
  4723. "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target",
  4724. "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
  4725. "https://www.riskiq.com/blog/labs/cobalt-strike/",
  4726. "https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/",
  4727. "https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/",
  4728. "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
  4729. "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
  4730. "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf",
  4731. "https://attack.mitre.org/groups/G0080/",
  4732. "http://www.secureworks.com/research/threat-profiles/gold-kingswood"
  4733. ],
  4734. "synonyms": [
  4735. "Cobalt group",
  4736. "Cobalt Group",
  4737. "Cobalt gang",
  4738. "Cobalt Gang",
  4739. "GOLD KINGSWOOD",
  4740. "Cobalt Spider"
  4741. ]
  4742. },
  4743. "uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
  4744. "value": "Cobalt"
  4745. },
  4746. {
  4747. "meta": {
  4748. "attribution-confidence": "50",
  4749. "country": "CN",
  4750. "refs": [
  4751. "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts",
  4752. "https://attack.mitre.org/groups/G0062/"
  4753. ]
  4754. },
  4755. "related": [
  4756. {
  4757. "dest-uuid": "62a64fd3-aaf7-4d09-a375-d6f8bb118481",
  4758. "tags": [
  4759. "estimative-language:likelihood-probability=\"likely\""
  4760. ],
  4761. "type": "similar"
  4762. }
  4763. ],
  4764. "uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314",
  4765. "value": "TA459"
  4766. },
  4767. {
  4768. "meta": {
  4769. "attribution-confidence": "50",
  4770. "country": "RU",
  4771. "refs": [
  4772. "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter"
  4773. ]
  4774. },
  4775. "uuid": "4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8",
  4776. "value": "Cyber Berkut"
  4777. },
  4778. {
  4779. "meta": {
  4780. "attribution-confidence": "50",
  4781. "cfr-suspected-state-sponsor": "China",
  4782. "cfr-suspected-victims": [
  4783. "Eastern Europe",
  4784. "Japan",
  4785. "South Korea",
  4786. "Taiwan",
  4787. "US"
  4788. ],
  4789. "cfr-target-category": [
  4790. "Military",
  4791. "Government",
  4792. "Private sector"
  4793. ],
  4794. "country": "CN",
  4795. "refs": [
  4796. "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/",
  4797. "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
  4798. "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
  4799. "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403"
  4800. ],
  4801. "synonyms": [
  4802. "CactusPete",
  4803. "Karma Panda"
  4804. ]
  4805. },
  4806. "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
  4807. "value": "Tonto Team"
  4808. },
  4809. {
  4810. "meta": {
  4811. "refs": [
  4812. "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
  4813. ]
  4814. },
  4815. "uuid": "fb745fe1-5478-4d47-ad3d-7389fa4a6f77",
  4816. "value": "Danti"
  4817. },
  4818. {
  4819. "description": "We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. \nAPT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. \nIn one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies",
  4820. "meta": {
  4821. "refs": [
  4822. "https://www.fireeye.com/current-threats/apt-groups.html",
  4823. "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf",
  4824. "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood"
  4825. ],
  4826. "synonyms": [
  4827. "MANGANESE",
  4828. "BRONZE FLEETWOOD"
  4829. ]
  4830. },
  4831. "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
  4832. "value": "APT5"
  4833. },
  4834. {
  4835. "meta": {
  4836. "attribution-confidence": "50",
  4837. "country": "CN",
  4838. "refs": [
  4839. "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild",
  4840. "https://www.secureworks.com/research/threat-profiles/bronze-olive"
  4841. ],
  4842. "synonyms": [
  4843. "APT22",
  4844. "BRONZE OLIVE"
  4845. ]
  4846. },
  4847. "uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
  4848. "value": "APT 22"
  4849. },
  4850. {
  4851. "description": "This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes.",
  4852. "meta": {
  4853. "attribution-confidence": "50",
  4854. "cfr-suspected-state-sponsor": "China",
  4855. "cfr-suspected-victims": [
  4856. "Japan",
  4857. "China",
  4858. "Korea (Republic of)",
  4859. "Russian Federation"
  4860. ],
  4861. "cfr-target-category": [
  4862. "Private sector"
  4863. ],
  4864. "cfr-type-of-incident": "Espionage",
  4865. "country": "CN",
  4866. "refs": [
  4867. "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
  4868. "https://www.secureworks.jp/resources/rp-bronze-butler",
  4869. "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
  4870. "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html",
  4871. "https://www.cfr.org/interactive/cyber-operations/bronze-butler",
  4872. "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
  4873. "https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
  4874. "https://attack.mitre.org/groups/G0060/",
  4875. "https://www.secureworks.com/research/threat-profiles/bronze-butler"
  4876. ],
  4877. "synonyms": [
  4878. "Bronze Butler",
  4879. "RedBaldKnight"
  4880. ]
  4881. },
  4882. "related": [
  4883. {
  4884. "dest-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
  4885. "tags": [
  4886. "estimative-language:likelihood-probability=\"likely\""
  4887. ],
  4888. "type": "similar"
  4889. }
  4890. ],
  4891. "uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8",
  4892. "value": "Tick"
  4893. },
  4894. {
  4895. "meta": {
  4896. "attribution-confidence": "50",
  4897. "country": "CN",
  4898. "refs": [
  4899. "https://www.secureworks.com/research/threat-profiles/bronze-express"
  4900. ],
  4901. "synonyms": [
  4902. "APT26",
  4903. "Hippo Team",
  4904. "JerseyMikes",
  4905. "Turbine Panda",
  4906. "BRONZE EXPRESS"
  4907. ]
  4908. },
  4909. "related": [
  4910. {
  4911. "dest-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
  4912. "tags": [
  4913. "estimative-language:likelihood-probability=\"likely\""
  4914. ],
  4915. "type": "similar"
  4916. },
  4917. {
  4918. "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
  4919. "tags": [
  4920. "estimative-language:likelihood-probability=\"likely\""
  4921. ],
  4922. "type": "similar"
  4923. }
  4924. ],
  4925. "uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11",
  4926. "value": "APT 26"
  4927. },
  4928. {
  4929. "meta": {
  4930. "attribution-confidence": "50",
  4931. "country": "CN",
  4932. "refs": [
  4933. "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
  4934. ]
  4935. },
  4936. "uuid": "67adfa07-869f-4052-9d56-b88a51489902",
  4937. "value": "Sabre Panda"
  4938. },
  4939. {
  4940. "meta": {
  4941. "attribution-confidence": "50",
  4942. "country": "CN",
  4943. "refs": [
  4944. "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?"
  4945. ]
  4946. },
  4947. "uuid": "06e89270-ca1b-4cd4-85f3-940d23c76766",
  4948. "value": "Big Panda"
  4949. },
  4950. {
  4951. "meta": {
  4952. "attribution-confidence": "50",
  4953. "country": "CN",
  4954. "refs": [
  4955. "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
  4956. ]
  4957. },
  4958. "uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c",
  4959. "value": "Poisonous Panda"
  4960. },
  4961. {
  4962. "meta": {
  4963. "refs": [
  4964. "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
  4965. ]
  4966. },
  4967. "uuid": "7ad01582-d6a7-4a40-a0ee-7727e268cd15",
  4968. "value": "Ghost Jackal"
  4969. },
  4970. {
  4971. "meta": {
  4972. "attribution-confidence": "50",
  4973. "country": "KP",
  4974. "refs": [
  4975. "https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html"
  4976. ]
  4977. },
  4978. "uuid": "73c636ae-e55c-4167-bf40-315789698adb",
  4979. "value": "TEMP.Hermit"
  4980. },
  4981. {
  4982. "meta": {
  4983. "attribution-confidence": "50",
  4984. "cfr-suspected-state-sponsor": "China",
  4985. "cfr-suspected-victims": [
  4986. "Myanmar",
  4987. "Germany",
  4988. "Singapore",
  4989. "Canada",
  4990. "India",
  4991. "United States",
  4992. "South Korea"
  4993. ],
  4994. "cfr-target-category": [
  4995. "Government",
  4996. "Private sector"
  4997. ],
  4998. "cfr-type-of-incident": "Espionage",
  4999. "country": "CN",
  5000. "refs": [
  5001. "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
  5002. "https://www.cfr.org/interactive/cyber-operations/mofang",
  5003. "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
  5004. "https://www.secureworks.com/research/threat-profiles/bronze-walker"
  5005. ],
  5006. "synonyms": [
  5007. "Superman",
  5008. "BRONZE WALKER"
  5009. ]
  5010. },
  5011. "uuid": "999f3008-2b2f-467d-ab4d-c5a2fd80b344",
  5012. "value": "Mofang"
  5013. },
  5014. {
  5015. "meta": {
  5016. "attribution-confidence": "50",
  5017. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  5018. "cfr-suspected-victims": [
  5019. "Israel",
  5020. "Jordan",
  5021. "Saudi Arabia",
  5022. "Germany",
  5023. "United States"
  5024. ],
  5025. "cfr-target-category": [
  5026. "Government",
  5027. "Private sector",
  5028. "Civil society"
  5029. ],
  5030. "cfr-type-of-incident": "Espionage",
  5031. "country": "IR",
  5032. "refs": [
  5033. "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
  5034. "https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr",
  5035. "http://www.clearskysec.com/copykitten-jpost/",
  5036. "http://www.clearskysec.com/tulip/",
  5037. "https://www.cfr.org/interactive/cyber-operations/copykittens",
  5038. "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf",
  5039. "https://attack.mitre.org/groups/G0052/"
  5040. ],
  5041. "synonyms": [
  5042. "Slayer Kitten"
  5043. ]
  5044. },
  5045. "related": [
  5046. {
  5047. "dest-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
  5048. "tags": [
  5049. "estimative-language:likelihood-probability=\"likely\""
  5050. ],
  5051. "type": "similar"
  5052. }
  5053. ],
  5054. "uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae",
  5055. "value": "CopyKittens"
  5056. },
  5057. {
  5058. "meta": {
  5059. "refs": [
  5060. "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
  5061. ]
  5062. },
  5063. "uuid": "9035bfbf-a73f-4948-9df2-bd893e9cafef",
  5064. "value": "EvilPost"
  5065. },
  5066. {
  5067. "description": "The referenced link ties this group to Temper Panda",
  5068. "meta": {
  5069. "attribution-confidence": "50",
  5070. "country": "CN",
  5071. "refs": [
  5072. "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
  5073. ]
  5074. },
  5075. "uuid": "70b80bcc-58e3-4a09-a3bf-98c0412bb7d3",
  5076. "value": "SVCMONDR"
  5077. },
  5078. {
  5079. "meta": {
  5080. "attribution-confidence": "50",
  5081. "country": "CN",
  5082. "refs": [
  5083. "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
  5084. ]
  5085. },
  5086. "uuid": "cd6ac640-9ae9-4aa9-89cd-89b95be1a3ab",
  5087. "value": "Test Panda"
  5088. },
  5089. {
  5090. "description": "Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.\nCommon applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.",
  5091. "meta": {
  5092. "attribution-confidence": "50",
  5093. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  5094. "cfr-suspected-victims": [
  5095. "Iran",
  5096. "Pakistan",
  5097. "Israel",
  5098. "United States"
  5099. ],
  5100. "cfr-target-category": [
  5101. "Government",
  5102. "Private sector"
  5103. ],
  5104. "cfr-type-of-incident": "Espionage",
  5105. "country": "IR",
  5106. "refs": [
  5107. "https://securelist.com/the-madi-campaign-part-i-5/33693/",
  5108. "https://securelist.com/the-madi-campaign-part-ii-53/33701/",
  5109. "https://www.cfr.org/interactive/cyber-operations/madi",
  5110. "https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east",
  5111. "https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/",
  5112. "https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns"
  5113. ]
  5114. },
  5115. "uuid": "d5dacda0-12c2-4e80-bdf2-1c5019ec40e2",
  5116. "value": "Madi"
  5117. },
  5118. {
  5119. "meta": {
  5120. "attribution-confidence": "50",
  5121. "country": "CN",
  5122. "refs": [
  5123. "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
  5124. ]
  5125. },
  5126. "uuid": "69059ec9-45c9-4961-a07e-6b2f2228f0ce",
  5127. "value": "Electric Panda"
  5128. },
  5129. {
  5130. "meta": {
  5131. "attribution-confidence": "50",
  5132. "cfr-suspected-state-sponsor": "China",
  5133. "cfr-suspected-victims": [
  5134. "United States",
  5135. "United Kingdom",
  5136. "Hong Kong"
  5137. ],
  5138. "cfr-target-category": [
  5139. "Private sector",
  5140. "Military"
  5141. ],
  5142. "cfr-type-of-incident": "Espionage",
  5143. "country": "CN",
  5144. "refs": [
  5145. "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
  5146. "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
  5147. "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919",
  5148. "https://www.cfr.org/interactive/cyber-operations/sykipot",
  5149. "https://www.secureworks.com/research/threat-profiles/bronze-edison"
  5150. ],
  5151. "synonyms": [
  5152. "PLA Navy",
  5153. "APT4",
  5154. "APT 4",
  5155. "BRONZE EDISON",
  5156. "Sykipot"
  5157. ]
  5158. },
  5159. "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
  5160. "value": "Maverick Panda"
  5161. },
  5162. {
  5163. "description": "This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.",
  5164. "meta": {
  5165. "attribution-confidence": "50",
  5166. "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)",
  5167. "cfr-suspected-victims": [
  5168. "Ministry of Unification",
  5169. "Sejong Institute",
  5170. "Korea Institute for Defense Analyses"
  5171. ],
  5172. "cfr-target-category": [
  5173. "Government",
  5174. "Private sector"
  5175. ],
  5176. "cfr-type-of-incident": "Espionage",
  5177. "country": "KP",
  5178. "refs": [
  5179. "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/",
  5180. "https://www.cfr.org/interactive/cyber-operations/kimsuky",
  5181. "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
  5182. "https://youtu.be/hAsKp43AZmM?t=1027",
  5183. "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1",
  5184. "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia",
  5185. "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
  5186. "https://attack.mitre.org/groups/G0086/",
  5187. "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
  5188. "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
  5189. ],
  5190. "synonyms": [
  5191. "Velvet Chollima",
  5192. "Black Banshee",
  5193. "Thallium",
  5194. "Operation Stolen Pencil"
  5195. ]
  5196. },
  5197. "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
  5198. "value": "Kimsuky"
  5199. },
  5200. {
  5201. "description": "While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’.\nThe Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.",
  5202. "meta": {
  5203. "refs": [
  5204. "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
  5205. "https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html",
  5206. "https://www.jpcert.or.jp/magazine/acreport-ChChes.html"
  5207. ]
  5208. },
  5209. "uuid": "7b6ba207-94de-4f94-bc7f-52cd0dafade5",
  5210. "value": "Snake Wine"
  5211. },
  5212. {
  5213. "description": "This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.\nThe Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name \"Mask\" comes from the Spanish slang word \"Careto\" (\"Ugly Face\" or “Mask”) which the authors included in some of the malware modules.\nMore than 380 unique victims in 31 countries have been observed to date. What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).",
  5214. "meta": {
  5215. "attribution-confidence": "50",
  5216. "cfr-suspected-state-sponsor": "Spain",
  5217. "cfr-suspected-victims": [
  5218. "Morocco",
  5219. "France",
  5220. "Libya",
  5221. "Venezuela",
  5222. "Poland",
  5223. "Brazil",
  5224. "Spain",
  5225. "United States",
  5226. "South Africa",
  5227. "Tunisia",
  5228. "United Kingdom",
  5229. "Switzerland",
  5230. "Iran",
  5231. "Germany"
  5232. ],
  5233. "cfr-target-category": [
  5234. "Government",
  5235. "Private sector"
  5236. ],
  5237. "cfr-type-of-incident": "Espionage",
  5238. "country": "ES",
  5239. "refs": [
  5240. "https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/",
  5241. "https://www.cfr.org/interactive/cyber-operations/careto",
  5242. "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf"
  5243. ],
  5244. "synonyms": [
  5245. "The Mask",
  5246. "Mask",
  5247. "Ugly Face"
  5248. ]
  5249. },
  5250. "uuid": "069ba781-b2d9-4403-9d9d-c599f5e0181d",
  5251. "value": "Careto"
  5252. },
  5253. {
  5254. "meta": {
  5255. "attribution-confidence": "50",
  5256. "country": "CN",
  5257. "refs": [
  5258. "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
  5259. ]
  5260. },
  5261. "uuid": "b07cf296-7ab9-4b85-a07e-421607c212b0",
  5262. "value": "Gibberish Panda"
  5263. },
  5264. {
  5265. "description": "This threat actor targets the South Korean government, transportation, and energy sectors.",
  5266. "meta": {
  5267. "attribution-confidence": "50",
  5268. "cfr-suspected-state-sponsor": "Unknown",
  5269. "cfr-suspected-victims": [
  5270. "South Korea"
  5271. ],
  5272. "cfr-target-category": [
  5273. "Government",
  5274. "Private sector"
  5275. ],
  5276. "cfr-type-of-incident": "Espionage",
  5277. "country": "KP",
  5278. "refs": [
  5279. "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml",
  5280. "https://www.cfr.org/interactive/cyber-operations/onion-dog"
  5281. ]
  5282. },
  5283. "uuid": "5898e11e-a023-464d-975c-b36fb1639e69",
  5284. "value": "OnionDog"
  5285. },
  5286. {
  5287. "meta": {
  5288. "attribution-confidence": "50",
  5289. "country": "IR",
  5290. "refs": [
  5291. "http://www.crowdstrike.com/blog/whois-clever-kitten/"
  5292. ],
  5293. "synonyms": [
  5294. "Group 41"
  5295. ]
  5296. },
  5297. "related": [
  5298. {
  5299. "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
  5300. "tags": [
  5301. "estimative-language:likelihood-probability=\"likely\""
  5302. ],
  5303. "type": "similar"
  5304. },
  5305. {
  5306. "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
  5307. "tags": [
  5308. "estimative-language:likelihood-probability=\"likely\""
  5309. ],
  5310. "type": "similar"
  5311. },
  5312. {
  5313. "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
  5314. "tags": [
  5315. "estimative-language:likelihood-probability=\"likely\""
  5316. ],
  5317. "type": "similar"
  5318. },
  5319. {
  5320. "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
  5321. "tags": [
  5322. "estimative-language:likelihood-probability=\"likely\""
  5323. ],
  5324. "type": "similar"
  5325. },
  5326. {
  5327. "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
  5328. "tags": [
  5329. "estimative-language:likelihood-probability=\"likely\""
  5330. ],
  5331. "type": "similar"
  5332. },
  5333. {
  5334. "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
  5335. "tags": [
  5336. "estimative-language:likelihood-probability=\"likely\""
  5337. ],
  5338. "type": "similar"
  5339. },
  5340. {
  5341. "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
  5342. "tags": [
  5343. "estimative-language:likelihood-probability=\"likely\""
  5344. ],
  5345. "type": "similar"
  5346. },
  5347. {
  5348. "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
  5349. "tags": [
  5350. "estimative-language:likelihood-probability=\"likely\""
  5351. ],
  5352. "type": "similar"
  5353. },
  5354. {
  5355. "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
  5356. "tags": [
  5357. "estimative-language:likelihood-probability=\"likely\""
  5358. ],
  5359. "type": "similar"
  5360. },
  5361. {
  5362. "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
  5363. "tags": [
  5364. "estimative-language:likelihood-probability=\"likely\""
  5365. ],
  5366. "type": "similar"
  5367. }
  5368. ],
  5369. "uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
  5370. "value": "Clever Kitten"
  5371. },
  5372. {
  5373. "meta": {
  5374. "refs": [
  5375. "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
  5376. ]
  5377. },
  5378. "uuid": "e85ab78c-5e86-403c-b444-9cdcc167fb77",
  5379. "value": "Andromeda Spider"
  5380. },
  5381. {
  5382. "meta": {
  5383. "refs": [
  5384. "https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division",
  5385. "https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697"
  5386. ],
  5387. "synonyms": [
  5388. "Islamic State Hacking Division",
  5389. "CCA",
  5390. "United Cyber Caliphate",
  5391. "UUC",
  5392. "CyberCaliphate"
  5393. ]
  5394. },
  5395. "uuid": "76f6ad4e-2ff3-4ccb-b81d-18162f290af0",
  5396. "value": "Cyber Caliphate Army"
  5397. },
  5398. {
  5399. "meta": {
  5400. "attribution-confidence": "50",
  5401. "country": "RU",
  5402. "refs": [
  5403. "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
  5404. ]
  5405. },
  5406. "uuid": "430ba885-cd24-492e-804c-815176ed9b1e",
  5407. "value": "Magnetic Spider"
  5408. },
  5409. {
  5410. "description": "Arbor’s ASERT team is now reporting that, after looking deeper at that particular campaign, and by exposing a new trail in the group’s activities, they managed to identify a new RAT that was undetectable at that time by most antivirus vendors.\nNamed Trochilus, this new RAT was part of Group 27’s malware portfolio that included six other malware strains, all served together or in different combinations, based on the data that needed to be stolen from each victim.\nThis collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.",
  5411. "meta": {
  5412. "attribution-confidence": "50",
  5413. "country": "CN",
  5414. "refs": [
  5415. "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
  5416. "https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml",
  5417. "https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
  5418. ]
  5419. },
  5420. "uuid": "73e4728a-955e-426a-b144-8cb95131f2ca",
  5421. "value": "Group 27"
  5422. },
  5423. {
  5424. "meta": {
  5425. "refs": [
  5426. "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
  5427. ]
  5428. },
  5429. "uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50",
  5430. "value": "Singing Spider"
  5431. },
  5432. {
  5433. "meta": {
  5434. "attribution-confidence": "50",
  5435. "country": "IR",
  5436. "refs": [
  5437. "http://pastebin.com/u/QassamCyberFighters",
  5438. "http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html"
  5439. ],
  5440. "synonyms": [
  5441. "Fraternal Jackal"
  5442. ]
  5443. },
  5444. "uuid": "22c2b363-5d8f-4b04-96db-1b6cf4d7e8db",
  5445. "value": "Cyber fighters of Izz Ad-Din Al Qassam"
  5446. },
  5447. {
  5448. "description": "The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data.\nThe FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.\n“This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost.\nDetails regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks.\n“Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,” Deepen said.",
  5449. "meta": {
  5450. "attribution-confidence": "50",
  5451. "country": "CN",
  5452. "refs": [
  5453. "https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/"
  5454. ],
  5455. "synonyms": [
  5456. "1.php Group",
  5457. "APT6"
  5458. ]
  5459. },
  5460. "uuid": "1a2592a3-eab7-417c-bf2d-9c0558c2b3e7",
  5461. "value": "APT 6"
  5462. },
  5463. {
  5464. "meta": {
  5465. "refs": [
  5466. "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf",
  5467. "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html",
  5468. "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/",
  5469. "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/",
  5470. "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
  5471. "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
  5472. "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
  5473. "https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
  5474. "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
  5475. "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf"
  5476. ],
  5477. "synonyms": [
  5478. "Desert Falcon",
  5479. "Arid Viper",
  5480. "APT-C-23"
  5481. ]
  5482. },
  5483. "uuid": "0cfff0f4-868c-40a1-b9b4-0d153c0b33b6",
  5484. "value": "AridViper"
  5485. },
  5486. {
  5487. "meta": {
  5488. "refs": [
  5489. "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
  5490. ]
  5491. },
  5492. "uuid": "445c7b62-028b-455e-9d65-74899b7006a4",
  5493. "value": "Dextorous Spider"
  5494. },
  5495. {
  5496. "meta": {
  5497. "attribution-confidence": "50",
  5498. "cfr-suspected-state-sponsor": "Israel",
  5499. "cfr-suspected-victims": [
  5500. "Iran",
  5501. "Sudan"
  5502. ],
  5503. "cfr-target-category": [
  5504. "Military",
  5505. "Government",
  5506. "Private sector"
  5507. ],
  5508. "cfr-type-of-incident": "Espionage",
  5509. "country": "IL",
  5510. "refs": [
  5511. "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
  5512. "https://archive.org/details/Stuxnet",
  5513. "https://www.cfr.org/interactive/cyber-operations/duqu",
  5514. "https://www.cfr.org/interactive/cyber-operations/duqu-20"
  5515. ],
  5516. "synonyms": [
  5517. "Duqu Group"
  5518. ]
  5519. },
  5520. "uuid": "e9a6cbd7-ca27-4894-ae20-9d11c06fdc02",
  5521. "value": "Unit 8200"
  5522. },
  5523. {
  5524. "description": "As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other Turla campaigns, like those deploying Kopiluwak, as documented in “KopiLuwak – A New JavaScript Payload from Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as well as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts. However, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with a separate focus. We note that this observation of delineated target focus, tooling, and project context is an interesting one that also can be repeated across broadly labeled Turla and Sofacy activity.\nFrom February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts.\nWhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.",
  5525. "meta": {
  5526. "attribution-confidence": "50",
  5527. "cfr-suspected-state-sponsor": "Russian Federation",
  5528. "cfr-suspected-victims": [
  5529. "United States",
  5530. "South Korea",
  5531. "United Kingdom",
  5532. "Uzbekistan"
  5533. ],
  5534. "cfr-target-category": [
  5535. "Government",
  5536. "Private sector"
  5537. ],
  5538. "cfr-type-of-incident": "Espionage",
  5539. "country": "RU",
  5540. "refs": [
  5541. "https://securelist.com/introducing-whitebear/81638/",
  5542. "https://www.cfr.org/interactive/cyber-operations/whitebear"
  5543. ],
  5544. "synonyms": [
  5545. "Skipper Turla"
  5546. ]
  5547. },
  5548. "uuid": "dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6",
  5549. "value": "White Bear"
  5550. },
  5551. {
  5552. "meta": {
  5553. "attribution-confidence": "50",
  5554. "country": "CN",
  5555. "refs": [
  5556. "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
  5557. ]
  5558. },
  5559. "uuid": "43992f81-fd29-4228-94e0-c3aa3e65aab7",
  5560. "value": "Pale Panda"
  5561. },
  5562. {
  5563. "meta": {
  5564. "attribution-confidence": "50",
  5565. "country": "CN",
  5566. "refs": [
  5567. "http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm"
  5568. ]
  5569. },
  5570. "uuid": "110792e8-38d2-4df2-9ea3-08b60321e994",
  5571. "value": "Mana Team"
  5572. },
  5573. {
  5574. "description": "Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ",
  5575. "meta": {
  5576. "attribution-confidence": "50",
  5577. "cfr-suspected-state-sponsor": "Unknown",
  5578. "cfr-suspected-victims": [
  5579. "Argentina",
  5580. "Ecuador",
  5581. "Brazil",
  5582. "Brunei",
  5583. "Peru",
  5584. "Malaysia"
  5585. ],
  5586. "cfr-target-category": [
  5587. "Government"
  5588. ],
  5589. "cfr-type-of-incident": "Espionage",
  5590. "refs": [
  5591. "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments",
  5592. "https://www.cfr.org/interactive/cyber-operations/sowbug",
  5593. "https://attack.mitre.org/groups/G0054/"
  5594. ]
  5595. },
  5596. "related": [
  5597. {
  5598. "dest-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
  5599. "tags": [
  5600. "estimative-language:likelihood-probability=\"likely\""
  5601. ],
  5602. "type": "similar"
  5603. }
  5604. ],
  5605. "uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5",
  5606. "value": "Sowbug"
  5607. },
  5608. {
  5609. "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.",
  5610. "meta": {
  5611. "attribution-confidence": "50",
  5612. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  5613. "cfr-suspected-victims": [
  5614. "Saudi Arabia",
  5615. "Georgia",
  5616. "Turkey",
  5617. "Iraq",
  5618. "Israel",
  5619. "India",
  5620. "United Arab Emirates",
  5621. "Pakistan",
  5622. "United States"
  5623. ],
  5624. "cfr-target-category": [
  5625. "Government"
  5626. ],
  5627. "cfr-type-of-incident": "Espionage",
  5628. "country": "IR",
  5629. "refs": [
  5630. "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
  5631. "https://www.cfr.org/interactive/cyber-operations/muddywater",
  5632. "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
  5633. "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
  5634. "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/",
  5635. "https://securelist.com/muddywater/88059/",
  5636. "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
  5637. "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
  5638. "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/",
  5639. "https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
  5640. "https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
  5641. "https://attack.mitre.org/groups/G0069/",
  5642. "http://www.secureworks.com/research/threat-profiles/cobalt-ulster"
  5643. ],
  5644. "synonyms": [
  5645. "TEMP.Zagros",
  5646. "Static Kitten",
  5647. "Seedworm",
  5648. "MERCURY",
  5649. "COBALT ULSTER"
  5650. ]
  5651. },
  5652. "related": [
  5653. {
  5654. "dest-uuid": "269e8108-68c6-4f99-b911-14b2e765dec2",
  5655. "tags": [
  5656. "estimative-language:likelihood-probability=\"likely\""
  5657. ],
  5658. "type": "similar"
  5659. }
  5660. ],
  5661. "uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b",
  5662. "value": "MuddyWater"
  5663. },
  5664. {
  5665. "description": "In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.",
  5666. "meta": {
  5667. "refs": [
  5668. "https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/",
  5669. "https://www.group-ib.com/blog/moneytaker"
  5670. ]
  5671. },
  5672. "uuid": "7d78ec00-dfdc-4a80-a4da-63f1ae63bd7f",
  5673. "value": "MoneyTaker"
  5674. },
  5675. {
  5676. "description": "We’re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it ‘Microcin’ after microini, one of the malicious components used in it.",
  5677. "meta": {
  5678. "refs": [
  5679. "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
  5680. "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
  5681. "https://securelist.com/apt-trends-report-q2-2019/91897/",
  5682. "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
  5683. "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/"
  5684. ],
  5685. "synonyms": [
  5686. "SixLittleMonkeys"
  5687. ]
  5688. },
  5689. "uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632",
  5690. "value": "Microcin"
  5691. },
  5692. {
  5693. "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.",
  5694. "meta": {
  5695. "attribution-confidence": "50",
  5696. "country": "LB",
  5697. "refs": [
  5698. "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
  5699. "https://attack.mitre.org/groups/G0070/"
  5700. ]
  5701. },
  5702. "uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94",
  5703. "value": "Dark Caracal"
  5704. },
  5705. {
  5706. "description": "Nexus Zeta is no stranger when it comes to implementing SOAP-related exploits. The threat actor has already been observed implementing two other known SOAP-related exploits, CVE-2014-8361 and CVE-2017-17215, in his Satori botnet project. A third SOAP exploit, the TR-069 bug, has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP-related exploit discovered in the wild being used by IoT botnets.",
  5707. "meta": {
  5708. "refs": [
  5709. "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7"
  5710. ]
  5711. },
  5712. "uuid": "8c21ce09-33c3-412c-bb55-323765e89a60",
  5713. "value": "Nexus Zeta"
  5714. },
  5715. {
  5716. "description": "APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.",
  5717. "meta": {
  5718. "attribution-confidence": "50",
  5719. "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)",
  5720. "cfr-suspected-victims": [
  5721. "Republic of Korea",
  5722. "Japan",
  5723. "Vietnam"
  5724. ],
  5725. "cfr-target-category": [
  5726. "Government",
  5727. "Private sector"
  5728. ],
  5729. "country": "KP",
  5730. "refs": [
  5731. "https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html",
  5732. "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
  5733. "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
  5734. "https://twitter.com/mstoned7/status/966126706107953152",
  5735. "https://www.cfr.org/interactive/cyber-operations/apt-37",
  5736. "https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/",
  5737. "https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/",
  5738. "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
  5739. "https://attack.mitre.org/groups/G0067/"
  5740. ],
  5741. "synonyms": [
  5742. "APT 37",
  5743. "Group 123",
  5744. "Group123",
  5745. "Starcruft",
  5746. "Reaper",
  5747. "Reaper Group",
  5748. "Red Eyes",
  5749. "Ricochet Chollima",
  5750. "StarCruft",
  5751. "Operation Daybreak",
  5752. "Operation Erebus",
  5753. "Venus 121"
  5754. ]
  5755. },
  5756. "related": [
  5757. {
  5758. "dest-uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c",
  5759. "tags": [
  5760. "estimative-language:likelihood-probability=\"likely\""
  5761. ],
  5762. "type": "similar"
  5763. },
  5764. {
  5765. "dest-uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338",
  5766. "tags": [
  5767. "estimative-language:likelihood-probability=\"likely\""
  5768. ],
  5769. "type": "similar"
  5770. },
  5771. {
  5772. "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
  5773. "tags": [
  5774. "estimative-language:likelihood-probability=\"likely\""
  5775. ],
  5776. "type": "linked-to"
  5777. }
  5778. ],
  5779. "uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
  5780. "value": "APT37"
  5781. },
  5782. {
  5783. "description": "Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.",
  5784. "meta": {
  5785. "attribution-confidence": "50",
  5786. "cfr-suspected-state-sponsor": "China",
  5787. "cfr-suspected-victims": [
  5788. "United States",
  5789. "Hong Kong",
  5790. "The Philippines",
  5791. "Asia Pacific Economic Cooperation",
  5792. "Cambodia",
  5793. "Belgium",
  5794. "Germany",
  5795. "Philippines",
  5796. "Malaysia",
  5797. "Norway",
  5798. "Saudi Arabia",
  5799. "Switzerland",
  5800. "United Kingdom"
  5801. ],
  5802. "cfr-target-category": [
  5803. "Government",
  5804. "Private sector"
  5805. ],
  5806. "cfr-type-of-incident": "Espionage",
  5807. "country": "CN",
  5808. "refs": [
  5809. "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
  5810. "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
  5811. "https://www.cfr.org/interactive/cyber-operations/apt-40",
  5812. "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
  5813. "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/",
  5814. "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html",
  5815. "https://attack.mitre.org/groups/G0065/",
  5816. "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
  5817. "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
  5818. "https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company",
  5819. "https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu",
  5820. "https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network",
  5821. "https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding",
  5822. "https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40",
  5823. "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
  5824. "https://www.mycert.org.my/portal/advisory?id=MA-774.022020",
  5825. "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign",
  5826. "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/"
  5827. ],
  5828. "synonyms": [
  5829. "TEMP.Periscope",
  5830. "TEMP.Jumper",
  5831. "APT 40",
  5832. "APT40",
  5833. "BRONZE MOHAWK",
  5834. "GADOLINIUM",
  5835. "Kryptonite Panda"
  5836. ]
  5837. },
  5838. "related": [
  5839. {
  5840. "dest-uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e",
  5841. "tags": [
  5842. "estimative-language:likelihood-probability=\"likely\""
  5843. ],
  5844. "type": "similar"
  5845. }
  5846. ],
  5847. "uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9",
  5848. "value": "Leviathan"
  5849. },
  5850. {
  5851. "description": "Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.",
  5852. "meta": {
  5853. "attribution-confidence": "50",
  5854. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  5855. "cfr-suspected-victims": [
  5856. "Middle East"
  5857. ],
  5858. "cfr-target-category": [
  5859. "Government",
  5860. "Private sector"
  5861. ],
  5862. "cfr-type-of-incident": "Espionage",
  5863. "country": "IR",
  5864. "refs": [
  5865. "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
  5866. "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/",
  5867. "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
  5868. "https://www.cfr.org/interactive/cyber-operations/apt-34"
  5869. ],
  5870. "synonyms": [
  5871. "APT 34"
  5872. ]
  5873. },
  5874. "related": [
  5875. {
  5876. "dest-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
  5877. "tags": [
  5878. "estimative-language:likelihood-probability=\"likely\""
  5879. ],
  5880. "type": "similar"
  5881. }
  5882. ],
  5883. "uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda",
  5884. "value": "APT34"
  5885. },
  5886. {
  5887. "description": "FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.",
  5888. "meta": {
  5889. "attribution-confidence": "50",
  5890. "country": "IR",
  5891. "refs": [
  5892. "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf"
  5893. ],
  5894. "synonyms": [
  5895. "APT 35",
  5896. "Newscaster Team"
  5897. ]
  5898. },
  5899. "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
  5900. "value": "APT35"
  5901. },
  5902. {
  5903. "description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.",
  5904. "meta": {
  5905. "refs": [
  5906. "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
  5907. "https://attack.mitre.org/groups/G0071/"
  5908. ]
  5909. },
  5910. "uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c",
  5911. "value": "Orangeworm"
  5912. },
  5913. {
  5914. "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that ALLANITE operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities.\nALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities.\nALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.",
  5915. "meta": {
  5916. "capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec",
  5917. "mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection",
  5918. "refs": [
  5919. "https://dragos.com/adversaries.html",
  5920. "https://dragos.com/blog/20180510Allanite.html"
  5921. ],
  5922. "since": "2017",
  5923. "synonyms": [
  5924. "Palmetto Fusion",
  5925. "Allanite"
  5926. ],
  5927. "victimology": "Electric utilities, US and UK"
  5928. },
  5929. "uuid": "a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470",
  5930. "value": "ALLANITE"
  5931. },
  5932. {
  5933. "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”",
  5934. "meta": {
  5935. "attribution-confidence": "50",
  5936. "capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR",
  5937. "cfr-suspected-state-sponsor": "Unknown",
  5938. "cfr-suspected-victims": [
  5939. "Iraq",
  5940. "United Kingdom",
  5941. "Pakistan",
  5942. "Israel"
  5943. ],
  5944. "cfr-target-category": [
  5945. "Private sector"
  5946. ],
  5947. "cfr-type-of-incident": "Espionage",
  5948. "mode-of-operation": "IT compromise, information gathering and recon against industrial orgs",
  5949. "refs": [
  5950. "https://dragos.com/adversaries.html",
  5951. "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
  5952. "https://www.cfr.org/interactive/cyber-operations/chrysene"
  5953. ],
  5954. "since": "2017",
  5955. "synonyms": [
  5956. "OilRig",
  5957. "Greenbug"
  5958. ],
  5959. "victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America"
  5960. },
  5961. "related": [
  5962. {
  5963. "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
  5964. "tags": [
  5965. "estimative-language:likelihood-probability=\"likely\""
  5966. ],
  5967. "type": "similar"
  5968. },
  5969. {
  5970. "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
  5971. "tags": [
  5972. "estimative-language:likelihood-probability=\"likely\""
  5973. ],
  5974. "type": "similar"
  5975. },
  5976. {
  5977. "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
  5978. "tags": [
  5979. "estimative-language:likelihood-probability=\"likely\""
  5980. ],
  5981. "type": "similar"
  5982. },
  5983. {
  5984. "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
  5985. "tags": [
  5986. "estimative-language:likelihood-probability=\"likely\""
  5987. ],
  5988. "type": "similar"
  5989. },
  5990. {
  5991. "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
  5992. "tags": [
  5993. "estimative-language:likelihood-probability=\"likely\""
  5994. ],
  5995. "type": "similar"
  5996. },
  5997. {
  5998. "dest-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
  5999. "tags": [
  6000. "estimative-language:likelihood-probability=\"likely\""
  6001. ],
  6002. "type": "similar"
  6003. },
  6004. {
  6005. "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
  6006. "tags": [
  6007. "estimative-language:likelihood-probability=\"likely\""
  6008. ],
  6009. "type": "similar"
  6010. },
  6011. {
  6012. "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
  6013. "tags": [
  6014. "estimative-language:likelihood-probability=\"likely\""
  6015. ],
  6016. "type": "similar"
  6017. },
  6018. {
  6019. "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
  6020. "tags": [
  6021. "estimative-language:likelihood-probability=\"likely\""
  6022. ],
  6023. "type": "similar"
  6024. },
  6025. {
  6026. "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
  6027. "tags": [
  6028. "estimative-language:likelihood-probability=\"likely\""
  6029. ],
  6030. "type": "similar"
  6031. },
  6032. {
  6033. "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
  6034. "tags": [
  6035. "estimative-language:likelihood-probability=\"likely\""
  6036. ],
  6037. "type": "similar"
  6038. },
  6039. {
  6040. "dest-uuid": "47204403-34c9-4d25-a006-296a0939d1a2",
  6041. "tags": [
  6042. "estimative-language:likelihood-probability=\"likely\""
  6043. ],
  6044. "type": "similar"
  6045. }
  6046. ],
  6047. "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
  6048. "value": "CHRYSENE"
  6049. },
  6050. {
  6051. "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor compromises the networks of companies involved in electric power, specifically looking for intellectual property and information about the companies’ operations.",
  6052. "meta": {
  6053. "attribution-confidence": "50",
  6054. "capabilities": "Encoded binaries in documents, evasion techniques",
  6055. "cfr-suspected-state-sponsor": "Unknown",
  6056. "cfr-suspected-victims": [
  6057. "United States"
  6058. ],
  6059. "cfr-target-category": [
  6060. "Private sector"
  6061. ],
  6062. "cfr-type-of-incident": "Espionage",
  6063. "mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs",
  6064. "refs": [
  6065. "https://dragos.com/adversaries.html",
  6066. "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
  6067. "https://www.cfr.org/interactive/cyber-operations/covellite"
  6068. ],
  6069. "since": "2017",
  6070. "synonyms": [
  6071. "Lazarus",
  6072. "Hidden Cobra"
  6073. ],
  6074. "victimology": "Electric Utilities, US"
  6075. },
  6076. "related": [
  6077. {
  6078. "dest-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
  6079. "tags": [
  6080. "estimative-language:likelihood-probability=\"likely\""
  6081. ],
  6082. "type": "similar"
  6083. },
  6084. {
  6085. "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
  6086. "tags": [
  6087. "estimative-language:likelihood-probability=\"likely\""
  6088. ],
  6089. "type": "similar"
  6090. }
  6091. ],
  6092. "uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b",
  6093. "value": "COVELLITE"
  6094. },
  6095. {
  6096. "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\nBelieved to be linked to Crouching Yeti.",
  6097. "meta": {
  6098. "attribution-confidence": "50",
  6099. "capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
  6100. "cfr-suspected-state-sponsor": "Unknown",
  6101. "cfr-suspected-victims": [
  6102. "Turkey"
  6103. ],
  6104. "cfr-target-category": [
  6105. "Private sector"
  6106. ],
  6107. "cfr-type-of-incident": "Espionage",
  6108. "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
  6109. "refs": [
  6110. "https://dragos.com/adversaries.html",
  6111. "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
  6112. "https://www.cfr.org/interactive/cyber-operations/dymalloy"
  6113. ],
  6114. "since": "2016",
  6115. "synonyms": [
  6116. "Dragonfly 2.0",
  6117. "Dragonfly2",
  6118. "Berserker Bear"
  6119. ],
  6120. "victimology": "Turkey, Europe, US"
  6121. },
  6122. "uuid": "a08ab076-33c1-4350-b021-650c34277f2d",
  6123. "value": "DYMALLOY"
  6124. },
  6125. {
  6126. "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
  6127. "meta": {
  6128. "attribution-confidence": "50",
  6129. "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
  6130. "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
  6131. "cfr-suspected-victims": [
  6132. "United States",
  6133. "Saudi Arabia",
  6134. "South Korea"
  6135. ],
  6136. "cfr-target-category": [
  6137. "Private sector"
  6138. ],
  6139. "cfr-type-of-incident": "Espionage",
  6140. "country": "IR",
  6141. "mode-of-operation": "IT network limited, information gathering against industrial orgs",
  6142. "refs": [
  6143. "https://dragos.com/adversaries.html",
  6144. "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
  6145. "https://www.cfr.org/interactive/cyber-operations/apt-33"
  6146. ],
  6147. "since": "2016",
  6148. "synonyms": [
  6149. "APT33"
  6150. ],
  6151. "victimology": "Petrochemical, Aerospace, Saudi Arabia"
  6152. },
  6153. "related": [
  6154. {
  6155. "dest-uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
  6156. "tags": [
  6157. "estimative-language:likelihood-probability=\"likely\""
  6158. ],
  6159. "type": "similar"
  6160. },
  6161. {
  6162. "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
  6163. "tags": [
  6164. "estimative-language:likelihood-probability=\"likely\""
  6165. ],
  6166. "type": "similar"
  6167. }
  6168. ],
  6169. "uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2",
  6170. "value": "MAGNALLIUM"
  6171. },
  6172. {
  6173. "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
  6174. "meta": {
  6175. "capabilities": "TRISIS, custom credential harvesting",
  6176. "mode-of-operation": "Focused on physical destruction and long-term persistence",
  6177. "refs": [
  6178. "https://dragos.com/adversaries.html"
  6179. ],
  6180. "since": "2014",
  6181. "synonyms": [],
  6182. "victimology": "Oil and Gas, Middle East"
  6183. },
  6184. "uuid": "3dddc77e-a52a-466a-bf1c-1463e352077f",
  6185. "value": "XENOTIME"
  6186. },
  6187. {
  6188. "description": "ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.",
  6189. "meta": {
  6190. "refs": [
  6191. "https://securelist.com/whos-who-in-the-zoo/85394/"
  6192. ]
  6193. },
  6194. "uuid": "4defbf2e-4f73-11e8-807f-578d61da7568",
  6195. "value": "ZooPark"
  6196. },
  6197. {
  6198. "description": "Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger.",
  6199. "meta": {
  6200. "attribution-confidence": "50",
  6201. "cfr-suspected-state-sponsor": "Unknown",
  6202. "cfr-suspected-victims": [
  6203. "United States",
  6204. "Japan",
  6205. "Taiwan",
  6206. "India",
  6207. "Canada",
  6208. "China",
  6209. "Thailand",
  6210. "Israel",
  6211. "Australia",
  6212. "Republic of Korea",
  6213. "Russia",
  6214. "Iran"
  6215. ],
  6216. "cfr-target-category": [
  6217. "Government",
  6218. "Private sector"
  6219. ],
  6220. "cfr-type-of-incident": "Espionage",
  6221. "refs": [
  6222. "https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
  6223. "https://www.secureworks.com/research/bronze-union",
  6224. "http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states",
  6225. "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
  6226. "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
  6227. "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
  6228. "https://securelist.com/luckymouse-ndisproxy-driver/87914/",
  6229. "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf",
  6230. "https://www.cfr.org/interactive/cyber-operations/iron-tiger",
  6231. "https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
  6232. "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
  6233. "https://securelist.com/luckymouse-hits-national-data-center/86083/",
  6234. "https://attack.mitre.org/groups/G0027/",
  6235. "https://www.secureworks.com/research/threat-profiles/bronze-union",
  6236. "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/"
  6237. ],
  6238. "synonyms": [
  6239. "Emissary Panda",
  6240. "APT27",
  6241. "APT 27",
  6242. "Threat Group 3390",
  6243. "Bronze Union",
  6244. "Iron Tiger",
  6245. "TG-3390",
  6246. "TEMP.Hippo",
  6247. "Group 35",
  6248. "ZipToken"
  6249. ]
  6250. },
  6251. "related": [
  6252. {
  6253. "dest-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
  6254. "tags": [
  6255. "estimative-language:likelihood-probability=\"likely\""
  6256. ],
  6257. "type": "similar"
  6258. },
  6259. {
  6260. "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
  6261. "tags": [
  6262. "estimative-language:likelihood-probability=\"likely\""
  6263. ],
  6264. "type": "similar"
  6265. },
  6266. {
  6267. "dest-uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045",
  6268. "tags": [
  6269. "estimative-language:likelihood-probability=\"likely\""
  6270. ],
  6271. "type": "similar"
  6272. }
  6273. ],
  6274. "uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
  6275. "value": "LuckyMouse"
  6276. },
  6277. {
  6278. "description": "The Rancor group’s attacks use two primary malware families, named DDKONG and PLAINTEE. DDKONG is used throughout the campaign, and PLAINTEE appears to be a new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to, Singapore and Cambodia.",
  6279. "meta": {
  6280. "attribution-confidence": "50",
  6281. "cfr-suspected-state-sponsor": "China",
  6282. "cfr-suspected-victims": [
  6283. "Singapore",
  6284. "Cambodia"
  6285. ],
  6286. "cfr-target-category": [
  6287. "Government",
  6288. "Civil society"
  6289. ],
  6290. "cfr-type-of-incident": "Espionage",
  6291. "country": "CN",
  6292. "refs": [
  6293. "https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
  6294. "https://www.cfr.org/interactive/cyber-operations/rancor",
  6295. "https://attack.mitre.org/groups/G0075/"
  6296. ],
  6297. "synonyms": [
  6298. "Rancor group",
  6299. "Rancor",
  6300. "Rancor Group"
  6301. ]
  6302. },
  6303. "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
  6304. "value": "RANCOR"
  6305. },
  6306. {
  6307. "description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.",
  6308. "meta": {
  6309. "refs": [
  6310. "https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
  6311. "https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
  6312. ]
  6313. },
  6314. "uuid": "a3cc5105-3bc6-498b-8d53-981e12d86909",
  6315. "value": "The Big Bang"
  6316. },
  6317. {
  6318. "description": "In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization. While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others.",
  6319. "meta": {
  6320. "refs": [
  6321. "https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
  6322. ]
  6323. },
  6324. "uuid": "a7bc4ef2-971a-11e8-9bf0-13aa7d6d8651",
  6325. "value": "Subaat"
  6326. },
  6327. {
  6328. "description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis of some of the attacks, as well as attribution links with Pakistani actors, has already been described by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.",
  6329. "meta": {
  6330. "refs": [
  6331. "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
  6332. "https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/",
  6333. "https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/",
  6334. "https://attack.mitre.org/groups/G0078/"
  6335. ],
  6336. "synonyms": [
  6337. "Gorgon Group",
  6338. "Subaat"
  6339. ]
  6340. },
  6341. "uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
  6342. "value": "The Gorgon Group"
  6343. },
  6344. {
  6345. "description": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).",
  6346. "meta": {
  6347. "refs": [
  6348. "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
  6349. "https://mobile.twitter.com/360TIC/status/1083289987339042817",
  6350. "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/",
  6351. "https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/",
  6352. "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
  6353. "https://attack.mitre.org/groups/G0079/"
  6354. ],
  6355. "synonyms": [
  6356. "LazyMeerkat"
  6357. ]
  6358. },
  6359. "uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9",
  6360. "value": "DarkHydrus"
  6361. },
  6362. {
  6363. "description": "Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.",
  6364. "meta": {
  6365. "refs": [
  6366. "https://www.recordedfuture.com/redalpha-cyber-campaigns/",
  6367. "https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf"
  6368. ]
  6369. },
  6370. "uuid": "71a3b962-9a36-11e8-88f8-b31d20c6fa2a",
  6371. "value": "RedAlpha"
  6372. },
  6373. {
  6374. "description": "In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the attack activity of a previously unknown APT, which the team can now trace back to at least April 2016. The Chasing Team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization's new attack activity, confirmed and exposed the group's targeted attacks against Pakistan, and analyzed them in detail, including the unique EHDevel malicious code framework used by the organization.",
  6375. "meta": {
  6376. "refs": [
  6377. "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
  6378. "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
  6379. "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/"
  6380. ],
  6381. "synonyms": [
  6382. "DoNot Team",
  6383. "Donot Team",
  6384. "APT-C-35"
  6385. ]
  6386. },
  6387. "uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",
  6388. "value": "APT-C-35"
  6389. },
  6390. {
  6391. "description": "This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un",
  6392. "meta": {
  6393. "attribution-confidence": "50",
  6394. "cfr-suspected-state-sponsor": "China",
  6395. "cfr-suspected-victims": [
  6396. "South Korea",
  6397. "Japan"
  6398. ],
  6399. "cfr-target-category": [
  6400. "Government",
  6401. "Private sector"
  6402. ],
  6403. "country": "CN",
  6404. "refs": [
  6405. "https://www.cfr.org/interactive/cyber-operations/temptick"
  6406. ]
  6407. },
  6408. "uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762",
  6409. "value": "TempTick"
  6410. },
  6411. {
  6412. "description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.\nBased on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on.\nOperation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital).\nWith deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.",
  6413. "meta": {
  6414. "attribution-confidence": "50",
  6415. "cfr-suspected-state-sponsor": "Unknown",
  6416. "cfr-suspected-victims": [
  6417. "Palestine",
  6418. "United Arab Emirates",
  6419. "Qatar",
  6420. "Somalia",
  6421. "Syria",
  6422. "Canada",
  6423. "Germany",
  6424. "Serbia",
  6425. "Kuwait",
  6426. "Egypt",
  6427. "Saudi Arabia",
  6428. "Chile",
  6429. "Iraq",
  6430. "India",
  6431. "United States",
  6432. "Israel",
  6433. "Russia",
  6434. "South Korea",
  6435. "Jordan",
  6436. "Djibouti",
  6437. "Lebanon",
  6438. "Morocco",
  6439. "Iran",
  6440. "United Kingdom",
  6441. "Afghanistan",
  6442. "Oman",
  6443. "Denmark"
  6444. ],
  6445. "cfr-target-category": [
  6446. "Government",
  6447. "Civil society"
  6448. ],
  6449. "cfr-type-of-incident": "Espionage",
  6450. "refs": [
  6451. "https://www.cfr.org/interactive/cyber-operations/operation-parliament",
  6452. "https://securelist.com/operation-parliament-who-is-doing-what/85237/",
  6453. "https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
  6454. ]
  6455. },
  6456. "uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d",
  6457. "value": "Operation Parliament"
  6458. },
  6459. {
  6460. "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
  6461. "meta": {
  6462. "attribution-confidence": "50",
  6463. "cfr-suspected-state-sponsor": "Unknown",
  6464. "cfr-suspected-victims": [
  6465. "South Africa",
  6466. "Malaysia",
  6467. "Kenya",
  6468. "Suriname",
  6469. "United Kingdom"
  6470. ],
  6471. "cfr-target-category": [
  6472. "Government",
  6473. "Private sector"
  6474. ],
  6475. "cfr-type-of-incident": "Espionage",
  6476. "refs": [
  6477. "https://www.cfr.org/interactive/cyber-operations/inception-framework",
  6478. "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
  6479. "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
  6480. "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/",
  6481. "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
  6482. "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
  6483. "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
  6484. "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
  6485. "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf"
  6486. ]
  6487. },
  6488. "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
  6489. "value": "Inception Framework"
  6490. },
  6491. {
  6492. "description": "This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.\nBelieved to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites",
  6493. "meta": {
  6494. "attribution-confidence": "50",
  6495. "cfr-suspected-state-sponsor": "China",
  6496. "cfr-suspected-victims": [
  6497. "United States",
  6498. "South Korea",
  6499. "United Kingdom",
  6500. "China",
  6501. "Japan"
  6502. ],
  6503. "cfr-target-category": [
  6504. "Private sector"
  6505. ],
  6506. "cfr-type-of-incident": "Espionage",
  6507. "country": "CN",
  6508. "refs": [
  6509. "https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
  6510. ]
  6511. },
  6512. "uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
  6513. "value": "Winnti Umbrella"
  6514. },
  6515. {
  6516. "description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.",
  6517. "meta": {
  6518. "attribution-confidence": "50",
  6519. "cfr-suspected-state-sponsor": "China",
  6520. "cfr-suspected-victims": [
  6521. "Uighurs"
  6522. ],
  6523. "cfr-target-category": [
  6524. "Civil society"
  6525. ],
  6526. "cfr-type-of-incident": "Espionage",
  6527. "country": "CN",
  6528. "refs": [
  6529. "https://www.cfr.org/interactive/cyber-operations/henbox"
  6530. ]
  6531. },
  6532. "uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
  6533. "value": "HenBox"
  6534. },
  6535. {
  6536. "description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.\nIn April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX.\nRecently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.",
  6537. "meta": {
  6538. "attribution-confidence": "50",
  6539. "cfr-suspected-state-sponsor": "China",
  6540. "cfr-suspected-victims": [
  6541. "United States"
  6542. ],
  6543. "cfr-target-category": [
  6544. "Civil society"
  6545. ],
  6546. "cfr-type-of-incident": "Espionage",
  6547. "country": "CN",
  6548. "refs": [
  6549. "https://www.cfr.org/interactive/cyber-operations/mustang-panda",
  6550. "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
  6551. "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
  6552. "https://www.secureworks.com/research/threat-profiles/bronze-president"
  6553. ],
  6554. "synonyms": [
  6555. "BRONZE PRESIDENT",
  6556. "HoneyMyte",
  6557. "Red Lich"
  6558. ]
  6559. },
  6560. "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
  6561. "value": "Mustang Panda"
  6562. },
  6563. {
  6564. "description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
  6565. "meta": {
  6566. "attribution-confidence": "50",
  6567. "cfr-suspected-state-sponsor": "Unknown",
  6568. "cfr-suspected-victims": [
  6569. "United States"
  6570. ],
  6571. "cfr-target-category": [
  6572. "Private sector"
  6573. ],
  6574. "cfr-type-of-incident": "Espionage",
  6575. "refs": [
  6576. "https://www.cfr.org/interactive/cyber-operations/thrip",
  6577. "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
  6578. "https://attack.mitre.org/groups/G0076/",
  6579. "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
  6580. ],
  6581. "synonyms": [
  6582. "LOTUS PANDA"
  6583. ]
  6584. },
  6585. "uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
  6586. "value": "Thrip"
  6587. },
  6588. {
  6589. "description": "This threat actor, suspected of being sponsored by Pakistan, targets government and civil society organizations for espionage purposes; suspected victims are located in Pakistan, Iraq, Australia, Afghanistan, the United Arab Emirates, Germany, India, and the United States. See the CFR Cyber Operations Tracker entry on Stealth Mango and Tangelo for details.",
  6590. "meta": {
  6591. "attribution-confidence": "50",
  6592. "cfr-suspected-state-sponsor": "Pakistan",
  6593. "cfr-suspected-victims": [
  6594. "Pakistan",
  6595. "Iraq",
  6596. "Australia",
  6597. "Afghanistan",
  6598. "United Arab Emirates",
  6599. "Germany",
  6600. "India",
  6601. "United States"
  6602. ],
  6603. "cfr-target-category": [
  6604. "Government",
  6605. "Civil society"
  6606. ],
  6607. "cfr-type-of-incident": "Espionage",
  6608. "country": "PK",
  6609. "refs": [
  6610. "https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo"
  6611. ]
  6612. },
  6613. "uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c",
  6614. "value": "Stealth Mango and Tangelo"
  6615. },
  6616. {
  6617. "description": "Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.\n\nA security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.\n\nMore specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check user's permissions, allowing write privileges on files in C:\\Windows\\Task.\n\nThe vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to all-access SYSTEM account level.\n\nA couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.\n\nThe group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.\n\nThe researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.",
  6618. "meta": {
  6619. "refs": [
  6620. "https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/",
  6621. "https://twitter.com/craiu/status/1311920398259367942"
  6622. ],
  6623. "synonyms": [
  6624. "IAmTheKing"
  6625. ]
  6626. },
  6627. "uuid": "abd89986-b1b0-11e8-b857-efe290264006",
  6628. "value": "PowerPool"
  6629. },
  6630. {
  6631. "description": "Bahamut is a threat actor operating primarily in the Middle East and Central Asia, suspected to be a private contractor working for several state-sponsored actors. It has been observed conducting phishing campaigns as well as desktop and mobile malware campaigns.",
  6632. "meta": {
  6633. "refs": [
  6634. "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
  6635. "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
  6636. ]
  6637. },
  6638. "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7",
  6639. "value": "Bahamut"
  6640. },
  6641. {
  6642. "description": "Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect, at least, a few thousand victims.",
  6643. "meta": {
  6644. "refs": [
  6645. "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
  6646. ],
  6647. "synonyms": [
  6648. "Iron Cyber Group"
  6649. ]
  6650. },
  6651. "uuid": "6a0ea861-229a-45a6-98f5-228f69b43905",
  6652. "value": "Iron Group"
  6653. },
  6654. {
  6655. "description": "This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.",
  6656. "meta": {
  6657. "attribution-confidence": "50",
  6658. "cfr-suspected-state-sponsor": "Russian Federation",
  6659. "cfr-suspected-victims": [
  6660. "Ukraine",
  6661. "Austria",
  6662. "Russia",
  6663. "Saudi Arabia"
  6664. ],
  6665. "cfr-target-category": [
  6666. "Private sector"
  6667. ],
  6668. "cfr-type-of-incident": "Espionage",
  6669. "country": "RU",
  6670. "refs": [
  6671. "https://www.cfr.org/interactive/cyber-operations/operation-bugdrop"
  6672. ]
  6673. },
  6674. "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
  6675. "value": "Operation BugDrop"
  6676. },
  6677. {
  6678. "description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
  6679. "meta": {
  6680. "attribution-confidence": "50",
  6681. "cfr-suspected-state-sponsor": "Russian Federation",
  6682. "cfr-suspected-victims": [
  6683. "Russia",
  6684. "Belgium",
  6685. "Armenia",
  6686. "Ukraine",
  6687. "Belarus",
  6688. "Kazakhstan",
  6689. "India",
  6690. "Iran",
  6691. "United States",
  6692. "Greece",
  6693. "Azerbaijan",
  6694. "Afghanistan",
  6695. "Turkmenistan",
  6696. "Vietnam",
  6697. "Italy"
  6698. ],
  6699. "cfr-target-category": [
  6700. "Government",
  6701. "Private sector"
  6702. ],
  6703. "cfr-type-of-incident": "Espionage",
  6704. "country": "RU",
  6705. "refs": [
  6706. "https://www.cfr.org/interactive/cyber-operations/red-october"
  6707. ],
  6708. "synonyms": [
  6709. "the Rocra"
  6710. ]
  6711. },
  6712. "uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
  6713. "value": "Red October"
  6714. },
  6715. {
  6716. "description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
  6717. "meta": {
  6718. "attribution-confidence": "50",
  6719. "cfr-suspected-state-sponsor": "Russian Federation",
  6720. "cfr-suspected-victims": [
  6721. "Russia",
  6722. "India",
  6723. "Kazakhstan",
  6724. "Czech Republic",
  6725. "Belarus"
  6726. ],
  6727. "cfr-target-category": [
  6728. "Government"
  6729. ],
  6730. "cfr-type-of-incident": "Espionage",
  6731. "country": "RU",
  6732. "refs": [
  6733. "https://www.cfr.org/interactive/cyber-operations/cloud-atlas"
  6734. ]
  6735. },
  6736. "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
  6737. "value": "Cloud Atlas"
  6738. },
  6739. {
  6740. "description": "This threat actor compromises civil society groups that the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activists. The threat actor also targeted the Myanmar electoral commission.",
  6741. "meta": {
  6742. "attribution-confidence": "50",
  6743. "cfr-suspected-state-sponsor": "China",
  6744. "cfr-suspected-victims": [
  6745. "China",
  6746. "Myanmar",
  6747. "Hong Kong",
  6748. "Taiwan"
  6749. ],
  6750. "cfr-target-category": [
  6751. "Civil society",
  6752. "Government"
  6753. ],
  6754. "cfr-type-of-incident": "Espionage",
  6755. "country": "CN",
  6756. "refs": [
  6757. "https://www.cfr.org/interactive/cyber-operations/unnamed-actor"
  6758. ]
  6759. },
  6760. "uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e",
  6761. "value": "Unnamed Actor"
  6762. },
  6763. {
  6764. "description": "A threat group associated with the Iranian government. The threat group created lookalike domains to phish targets and used the phished credentials to steal intellectual property from specific resources, including library systems.",
  6765. "meta": {
  6766. "refs": [
  6767. "https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/",
  6768. "https://www.cyberscoop.com/cobalt-dickens-iran-mabna-institiute-dell-secureworks/"
  6769. ],
  6770. "synonyms": [
  6771. "Cobalt Dickens"
  6772. ]
  6773. },
  6774. "uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a",
  6775. "value": "COBALT DICKENS"
  6776. },
  6777. {
  6778. "description": "Digital threat management company RiskIQ tracks the activity of the MageCart group and has reported its use of web-based card skimmers since 2016.",
  6779. "meta": {
  6780. "refs": [
  6781. "https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/",
  6782. "https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/",
  6783. "https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/",
  6784. "https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/",
  6785. "https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/"
  6786. ]
  6787. },
  6788. "uuid": "0768fd50-c547-11e8-9aa5-776183769eab",
  6789. "value": "MageCart"
  6790. },
  6791. {
  6792. "description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.",
  6793. "meta": {
  6794. "refs": [
  6795. "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/"
  6796. ]
  6797. },
  6798. "uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee",
  6799. "value": "Domestic Kitten"
  6800. },
  6801. {
  6802. "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
  6803. "uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
  6804. "value": "FASTCash"
  6805. },
  6806. {
  6807. "description": "According to new research by Kaspersky's GReAT team, the online criminal activities of the Roaming Mantis Group have continued to evolve since they were first discovered in April 2018. As part of their activities, this group hacks into exploitable routers and changes their DNS configuration. This allows the attackers to redirect the router user's traffic to malicious Android apps disguised as Facebook and Chrome or to Apple phishing pages that were used to steal Apple ID credentials.\nRecently, Kaspersky has discovered that this group is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page. When users are redirected to these pages, they will be shown a blank page in the browser, but their CPU utilization will jump to 90% or higher.",
  6808. "meta": {
  6809. "refs": [
  6810. "https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/"
  6811. ],
  6812. "synonyms": [
  6813. "Roaming Mantis Group"
  6814. ],
  6815. "threat-actor-classification": [
  6816. "campaign"
  6817. ]
  6818. },
  6819. "uuid": "b27beb94-ce25-11e8-8e11-2f1a59bd0e91",
  6820. "value": "Roaming Mantis"
  6821. },
  6822. {
  6823. "description": "ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks",
  6824. "meta": {
  6825. "refs": [
  6826. "https://www.eset.com/int/greyenergy-exposed/",
  6827. "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
  6828. ]
  6829. },
  6830. "related": [
  6831. {
  6832. "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
  6833. "tags": [
  6834. "estimative-language:likelihood-probability=\"likely\""
  6835. ],
  6836. "type": "similar"
  6837. }
  6838. ],
  6839. "uuid": "d52ca4c4-d214-11e8-8d29-c3e7cb78acce",
  6840. "value": "GreyEnergy"
  6841. },
  6842. {
  6843. "description": "The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.",
  6844. "meta": {
  6845. "refs": [
  6846. "https://en.wikipedia.org/wiki/The_Shadow_Brokers",
  6847. "https://securelist.com/darkpulsar/88199/",
  6848. "https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html",
  6849. "https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files",
  6850. "https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023",
  6851. "https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/",
  6852. "https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html",
  6853. "https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/",
  6854. "http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html",
  6855. "https://www.hackread.com/nsa-data-dump-shadowbrokers-expose-unitedrake-malware/",
  6856. "https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/"
  6857. ],
  6858. "synonyms": [
  6859. "The ShadowBrokers",
  6860. "TSB",
  6861. "Shadow Brokers",
  6862. "ShadowBrokers"
  6863. ]
  6864. },
  6865. "uuid": "d5e90854-d5c9-11e8-98b9-1f98eb80d30a",
  6866. "value": "The Shadow Brokers"
  6867. },
  6868. {
  6869. "description": "Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands of compromised websites. Crooks exploited CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenue via advertising.",
  6870. "meta": {
  6871. "refs": [
  6872. "http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html",
  6873. "https://cybaze.it/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf"
  6874. ],
  6875. "synonyms": [
  6876. "Operation EvilTraffic"
  6877. ]
  6878. },
  6879. "uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa",
  6880. "value": "EvilTraffic"
  6881. },
  6882. {
  6883. "description": "HookAds is a malvertising campaign that purchases cheap ad space on low-quality ad networks commonly used by adult web sites, online games, or blackhat SEO sites. These ads include JavaScript that redirects a visitor through a series of decoy sites that look like pages filled with native advertisements, online games, or other low-quality pages. Under the right circumstances, the visitor will silently load the Fallout exploit kit, which will try to install its malware payload.",
  6884. "meta": {
  6885. "refs": [
  6886. "https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/"
  6887. ]
  6888. },
  6889. "uuid": "dce617eb-a3b6-4a9a-bd76-575c424f9761",
  6890. "value": "HookAds"
  6891. },
  6892. {
  6893. "description": "INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.\nIn August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.",
  6894. "meta": {
  6895. "refs": [
  6896. "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
  6897. ]
  6898. },
  6899. "uuid": "658314bc-3bb8-48d2-913a-c528607b75c8",
  6900. "value": "INDRIK SPIDER"
  6901. },
  6902. {
  6903. "description": "Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuously as possible during their attacks.\nBased on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling \"DNSpionage,\" supports HTTP and DNS communication with the attackers.\nIn a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. Let's Encrypt issues X.509 certificates for TLS free of charge, so the attackers could present browser-trusted certificates for the hijacked domains. We don't know at this time if the DNS redirections were successful.\nIn this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as \"help wanted\" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.",
  6904. "meta": {
  6905. "refs": [
  6906. "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html",
  6907. "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
  6908. "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
  6909. "https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/",
  6910. "https://krebsonsecurity.com/tag/dnspionage/",
  6911. "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater"
  6912. ],
  6913. "synonyms": [
  6914. "COBALT EDGEWATER"
  6915. ]
  6916. },
  6917. "uuid": "608a903a-8145-4fd1-84bc-235e278480bf",
  6918. "value": "DNSpionage"
  6919. },
  6920. {
  6921. "description": "Dubbed DarkVishnya, the attacks targeted at least eight banks using readily-available gear such as netbooks or inexpensive laptops, Raspberry Pi mini-computers, or a Bash Bunny - a USB-sized piece of hardware for penetration testing purposes that can pose as a keyboard, flash storage, network adapter, or as any serial device.",
  6922. "meta": {
  6923. "refs": [
  6924. "https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/"
  6925. ]
  6926. },
  6927. "uuid": "db7fd7dd-28f7-4e8d-a807-8405e4b0f4e2",
  6928. "value": "DarkVishnya"
  6929. },
  6930. {
  6931. "description": "What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art.\nSince it is the first detection of this APT attack by 360 Security on a global scale, we code-named it “Operation Poison Needles”, considering that the target was a medical institution. Currently, the attribution of the attacker is still under investigation. However, the special background of the polyclinic and the sensitivity of the group it served both indicate the attack is highly targeted. Simultaneously, the attack occurred at a very sensitive time, that of the Kerch Strait Incident, so it also raised speculation about the political attribution of the attack.",
  6932. "meta": {
  6933. "refs": [
  6934. "http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN"
  6935. ]
  6936. },
  6937. "uuid": "08ff3cb6-c292-4360-a978-6f05775881ed",
  6938. "value": "Operation Poison Needles"
  6939. },
  6940. {
  6941. "description": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).",
  6942. "meta": {
  6943. "refs": [
  6944. "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
  6945. ],
  6946. "synonyms": [
  6947. "Golden Chickens",
  6948. "Golden Chickens01",
  6949. "Golden Chickens 01"
  6950. ]
  6951. },
  6952. "related": [
  6953. {
  6954. "dest-uuid": "6d50a8a2-fdf5-11e8-9db3-833f231caac8",
  6955. "tags": [
  6956. "estimative-language:likelihood-probability=\"likely\""
  6957. ],
  6958. "type": "similar"
  6959. }
  6960. ],
  6961. "uuid": "6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d",
  6962. "value": "GC01"
  6963. },
  6964. {
  6965. "description": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).",
  6966. "meta": {
  6967. "refs": [
  6968. "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
  6969. ],
  6970. "synonyms": [
  6971. "Golden Chickens",
  6972. "Golden Chickens02",
  6973. "Golden Chickens 02"
  6974. ]
  6975. },
  6976. "related": [
  6977. {
  6978. "dest-uuid": "6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d",
  6979. "tags": [
  6980. "estimative-language:likelihood-probability=\"likely\""
  6981. ],
  6982. "type": "similar"
  6983. }
  6984. ],
  6985. "uuid": "6d50a8a2-fdf5-11e8-9db3-833f231caac8",
  6986. "value": "GC02"
  6987. },
  6988. {
  6989. "description": "The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign t