
Topic Comment

Motive Cyber security companies and antivirus vendors use different names for the same threat actors and
often refer to each other's reports and group names. However, it is a difficult task to keep track of
the different names and naming schemes. I wanted to create a reference that answers questions like "I
read a report about the 'Tsar Team', is there another name for that group?" or "Attackers used the 'China
Chopper' webshell, which of the APT groups used that shell too?" or "Did he just say 'NetTraveler'? So,
is he talking about Chinese or Russian attackers?"
Hints - Each active country / region has its own tab
- The "Other" tab contains actors from certain regions not covered by the main tabs
- The "Unknown" tab is used for groups and operations with no attribution
- Cells with overlaps are highlighted in gray - overlaps are not errors per se but are necessary to visualize that
groups tracked by one vendor are divided into two different groups by another vendor
Disclaimer Attribution is a very complex issue. This list is an attempt to map together the findings of different
vendors and is not a reliable source. Most of the mappings rely on the findings of a single incident
analysis. Groups often change their toolsets or exchange them with other groups. This makes
attribution of certain operations extremely difficult. However, we decided that even an uncertain
mapping is better than no mapping at all. Be aware that information published here may be wrong,
quickly outdated, or may change based on evolving information.

People tend to comment on the sheet. Sometimes they add threat intel that isn't TLP:WHITE but is taken
from some fee-based platform. Please let me know if confidential information has been disclosed.
Known Issues - Groups named after the malware (families) they've used
- Groups named after a certain operation
- Lists / tables are not normalized to allow a better overview by avoiding too many spreadsheets
Overlaps Names that appear multiple times are shaded in a light grey
First Release 12/26/2015
Last Updated 8/15/2018
License CC Creative Commons - Attribution 4.0 International (CC BY 4.0)
https://creativecommons.org/licenses/by/4.0/
Access Rights Everyone: READ / COMMENT
Invited Editors: READ / COMMENT / WRITE
Support Please contact me (@cyb3rops) if you would like to modify or add content to these lists.
I will gladly give you write access to this list if:
- I know you personally or from my Twitter stream
- you are a threat intel researcher / malware analyst with some reference
- you are a vendor representative
- you are an author of the listed sources (see '_Sources' work sheet)

Please provide your email address if you are interested in helping me (preferably Gmail - this allows
native access via the connected Google account)
Search Engine https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc
Short URL https://apt.threattracking.com

Contributors
Name / Nickname Twitter Handle
Pasquale Stirparo @pstirparo
David Bizeul @davidbizeul
Brian Bell @Biebermalware
Ziv Chang @Gasgas4Ggyy
Joel Esler @joelesler
Kristopher Bleich @kc0iqx_bleich
Maite Moreno @mmorenog
Monnappa K A @monnappa22
J. Capmany @theweeZ
Paul Hutchinson @AllAboutAPT
Boris Ivanov @BlackCaesar1973
Andre Gironda @andregironda
Devon Ackerman @aboutdfir
Carlos Fragoso @cfragoso
Eyal Sela @eyalsela
Florian Egloff @egflo
And many helpful people that just commented on cells - thank you!
China
Columns (in order): Common Name | CrowdStrike | IRL | Kaspersky | Secureworks | Mandiant | FireEye | Symantec | iSight | Cisco (Sourcefire/VRT Talos) | Palo Alto Unit 42 | Other Names | Operation 1 | Operation 2 | Operation 3 | Operation 4 | Toolset / Malware | Targets | Modus Operandi | Overlaps to | Comment | Link 1 to Link 15
Comment Crew Comment Panda PLA Unit 61398 TG-8223 APT 1 BrownFox Group 3 GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor Shady RAT GhostNet WEBC2, BISCUIT and many others
U.S. cybersecurity firm Mandiant, later purchased by FireEye, released a report in February 2013 that exposed one of China's cyber espionage units, Unit 61398. The group, which FireEye called APT 1, is a unit within China's People's Liberation Army (PLA) that has been linked to a wide range of cyber operations targeting U.S. private sector entities for espionage purposes. The comprehensive report detailed evidence connecting APT 1 and the PLA, offered insight into APT 1's operational malware and methodologies, a
http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?emc=na&_r=2&
https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators
https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
APT 2 Putter Panda PLA Unit 61486 TG-6952 APT 2 Group 36 SearchFire MSUpdater
This threat actor targets firms in the technology (communications, space, aerospace), research, defense, and government sectors in the United States for espionage purposes. The tools and infrastructure it uses overlap with PLA Unit 61398.
http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
http://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/
UPS Gothic Panda TG-0110 APT 3 Buckeye UPS Team Group 6 Boyusec – the Guangzhou Boyu Information Technology Company, Ltd Clandestine Fox Double Tap Clandestine Wolf Shotput, Pirpi, PlugX/Sogu, Kaba, Cookie Cutter, many 0days: IE, Firefox, and Flash, SportLoader, Shadow Brokers exploits, DoublePulsar, Bemstour, Filensfer
Targets: Aerospace and Defence; Construction and Engineering; Energy; High Tech; Nonprofit; Telecommunications; Transportation
This threat actor targets and compromises entities in the defense, construction, technology, and transportation sectors. Up until 2015, it was primarily focused on U.S. and UK entities, but it shifted to Hong Kong–based targets afterward.
https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html
http://www.secureworks.com/resources/blog/research/threat-group-0110-targets-manufacturing-and-financial-organizations-via-phishing/
http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/
https://www.fireeye.com/current-threats/apt-groups.html
https://www.recordedfuture.com/chinese-mss-behind-apt3/
http://freebeacon.com/national-security/u-s-indicts-three-chinese-hackers-linked-security-firm/amp/
https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html?noredirect=on&utm
https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/
https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit
IXESHE Numbered Panda TG-2754 (tentative) APT 12 BeeBus Calc Team Group 22 DynCalc, Crimson Iron, DNSCalc NYT Oct 2012 Etumbot, Riptide, Hightide, ThreeByte, Waterspout, Mswab, Gh0st, ShowNews, 3001
This threat actor targets organizations in Japan, Taiwan, and elsewhere in East Asia—including electronics manufacturers and telecommunications companies—for espionage purposes.
http://www.crowdstrike.com/blog/whois-numbered-panda/
http://www.computerworld.com/s/article/9241577/The_Chinese_hacker_group_that_hit_the_N.Y._Times_is_back_with_updated_tools?taxonomyId=17
http://blog.crowdstrike.com/whois-numbered-panda/
http://www.secureworks.com/cyber-threat-intelligence/threats/analysis-of-dhs-nccic-indicators/
http://blog.trendmicro.com/taking-a-bite-out-of-ixeshe/
http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/
https://cysinfo.com/sx-2nd-meetup-reversing-and-decrypting-the-communications-of-apt-malware/
http://blog.macnica.net/blog/2017/08/post-fb81.html
APT 16 APT 16 ELMER backdoor
This threat actor targets and compromises Japanese and Taiwanese entities in the finance, tech, media, and government sectors.
Modus operandi: Spear phishing email delivering a malicious Microsoft Word document exploiting EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader (IRONHALO), or a backdoor (ELMER).
https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
Hidden Lynx Aurora Panda APT 17 Deputy Dog Hidden Lynx Tailgater Team Group 8 Axiom, SportsFans, Winnti Umbrella Ephemeral Hydra BLACKCOFFEE, WEBCnC, Joy RAT, PlugX, Trojan.Naid, Backdoor.Moudoor, Backdoor.Vasport, Backdoor.Boda, Trojan.Hydraq, ZxShell, Sakula, China Chopper, DestroyRAT
Targets: Government, defense & aerospace, industrial engineering, NGOs
http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
http://www.darkreading.com/attacks-and-breaches/chinese--hidden-lynx--hackers-launch-widespread-apt-attacks/d/d-id/1111589?page_number=2
https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf
http://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/
https://401trg.com/burning-umbrella/
https://www.infosecurity-magazine.com/news/chinese-espionage-group-widescale/
Wekby Dynamite Panda TG-0416 APT 18 HTTPBrowser, TokenControl, HcdLoader, PisLoader Aerospace and Defence; Construction and Engineering; Education; Health and Biotechnology; High Tech; Telecommunications; Transportation
https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828
http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop
http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
Axiom APT 17 Tailgater Team Group 72 Dogfish (iDefense), Deputy Dog (iDefense), Winnti Umbrella SMN Winnti, Gh0st RAT, PoisonIvy, HydraQ, Hikit, ZxShell, Deputy Dog, Derusbi, PlugX, HTRAN, HDRoot, Fscan, Timestomper Shell Crew
Use "Skeleton Key" on DCs
http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/
http://www.novetta.com/files/5614/1329/6232/novetta_cybersecurity_exec_summary-3.pdf
http://www.novetta.com/2015/04/operation-smn-winnti-update/
https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/
https://401trg.com/burning-umbrella/
https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/
Winnti Group Wicked Panda Winnti Umbrella, BARIUM, LEAD Winnti, AceHash, PlugX, Webshells, ZxShell Deep Panda, Wicked Spider http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/
https://www.protectwise.com/blog/winnti-evolution-going-open-source.html
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/january/windows-firewall-hook-enumeration/
https://www.nccgroup.trust/globalassets/our-research/uk/technical-advisories/2015/derusbi-server-technical-note-1-1-tlp-white.pdf
Shell Crew Deep Panda WebMasters APT 19 KungFu Kittens Group 13 Sh3llCr3w, PinkPanther, Winnti Group Anthem OPM Anthem Hack Sakula/Sakurel, Derusbi, Scanbox Framework, many Webshells including China Chopper, WCE Axiom, Winnti http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf
https://www.isightpartners.com/2015/07/threatscape-media-highlights-update-week-of-july-29th/
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Naikon Lotus Panda PLA Unit 78020 Naikon APT 30 Thrip MsnMM Naikon Camera Shy RARSTONE, BACKSPACe, NETEAGLE, XSControl satellite communications operator, Telecoms, and Defense Companies, Hong Kong https://securelist.com/analysis/publications/69953/the-naikon-apt/
http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/
https://www.threatconnect.com/camerashy/
http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
PLATINUM TwoForOne Hellsing Hotpatching techniques, CVE-2015-2545, AMT Feature FW evasion South East Asia
Primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia
https://threatpost.com/platinum-apt-first-to-abuse-intel-chip-management-feature/126166/
https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/
https://securelist.com/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/
http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf
https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/
http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/
Lotus Blossom Spring Dragon Lotus Blossom ST Group, Esile Operation Lotus Blossom Elise Backdoor, Lstudio, CVE-2017-11882 https://securelist.com/blog/research/70726/the-spring-dragon-apt/
http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/
https://securelist.com/blog/research/70726/the-spring-dragon-apt/
http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments
http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/
https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
APT 6 APT 6 1.php Group Poison Ivy, US Government Organizations
Overlaps with Operation Night Dragon
https://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years
https://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf
APT 26 APT 26 Hippo Team JerseyMikes
Mirage Vixen Panda Ke3Chang GREF APT 15 Playful Dragon Social Network Team Mirage Team, Lurid, Social Network Team, Royal APT, Metushy, Winnti Umbrella Umbrella Revolution Mirage, (Nvidia program side-loading) PlugX, XSLCmd, TidePool, BS2005, RoyalCli, iWebRat, Russian-language decoy document
Some vendors track this group in up to 3 separate groups
http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/
https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf
http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
https://github.com/nccgroup/Royal_APT
https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/
https://401trg.com/burning-umbrella/
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
NetTraveler NetTraveler APT 21 NetTraveler This threat actor targets computer networks associated with Tibetan and Uighur activists for espionage purposes. https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/
https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/
Ice Fog Dagger Panda IceFog Dagger Three (C2 software), Fucobha Backdoor
This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.
Links to Onion Dog
https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/
https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/
http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf
http://www.darkreading.com/attacks-and-breaches/java-icefog-malware-variant-infects-us-businesses/d/d-id/1113451
https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain
Beijing Group Sneaky Panda Hydraq, SIG22, Elderwood, Elderwood Gang Aurora Hydraq, Elderwood Project
This threat actor targets private sector companies in the defense, shipping, aeronautics, arms, and energy sectors, as well as nonprofits and financial firms.
Possibly assisted in Operation Aurora, the RSA incident, and the Joint Strike Fighter Program compromise
https://en.wikipedia.org/wiki/Operation_Aurora#Attackers_involved
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
http://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China
https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
APT 22 China Chopper http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild
Suckfly Nidiran, Korplug, PlugX Indian organisations and Republic of Korea http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates
APT 4 Samurai Panda PLA Navy APT 4 APT 4 Wisp Team
“PdPD” (50 64 50 44) marker for encrypted binaries
http://www.crowdstrike.com/blog/whois-samurai-panda/
Pitty Tiger Pitty Panda Pitty Tiger PittyTiger, Paladin RAT http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2
Scarlet Mimic Scarlet Mimic FakeM, Psylo, MobileOrder Uyghur and Tibetan activists as well as those who are interested in their causes http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/
C0d0so Codoso APT 19 Sunshop Group Bassos Campaign Bergard Trojan, Derusbi, TXER Forbes, Defense, Finance, Energy, Government, Political Dissidents, Global Think Tanks Watering Hole
https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf
http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/
https://www.proofpoint.com/us/threat-insight/post/exploring-bergard-old-malware-new-tricks
SVCMONDR CVE-2015-2545 Taiwan, Thailand Tamper Panda
“PdPD” (50 64 50 44) marker for encrypted binaries
https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
Wisp Team APT 4 Wisp Team Defense Industrial Base, US Government
iSight has mentioned tracking a China-nexus group they dub "Wisp Team" - have not resolved this w/ other naming conventions
https://www.isightpartners.com/2014/04/weeks-threatscape-media-highlights-update-2/
https://www.isightpartners.com/2014/09/weeks-threatscape-media-highlights-update-22/
https://www.isightpartners.com/2015/01/threatscape-media-highlights-update-week-january-12/
Mana Team Mana Team Australia
iSight has mentioned tracking a China-nexus activity they dub "Mana Team", targeting Australian interests - have not resolved this w/ other naming conventions
https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/
TEMP.Zhenbao TEMP.Zhenbao https://www.isightpartners.com/2014/11/threatscape-media-highlights-update-week-november-10/
http://www.securityweek.com/plugx-rat-used-gather-intel-afghan-russian-military-report
SPIVY Hong Kong dissidents http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/
Mofang Superman ShimRAT, ShimRATReporter Government, military, Critical Infrastructure, Automotive Industry*, Weapon Industry*, Myanmar, Canada, United States, Germany, India, South Korea, Singapore
This threat actor compromises government and critical infrastructure entities, primarily in Myanmar, for espionage purposes.
https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/
https://www.threatconnect.com/china-superman-apt/
DragonOK DragonOK DragonOK CVE-2015-1641, Sysget, IsSpace, Rambo Backdoor Japan http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/
https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor
http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf
Group 27 Group 27 Seven Pointed Dagger Trochilus RAT, PlugX, EvilGrab, 3102 variant of 9002 RAT Seven Pointed Dagger, Trochilus RAT https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf
https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/
Tonto Team Tonto Team https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==
TA459 PlugX, NetTraveler, ZeroT, PCrat, Gh0st Central Asian countries, Russia, Belarus, Mongolia, and others https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter
Tick BRONZE BUTLER Tick REDBALDKNIGHT whoami, procdump, VBS, WCE, Mimikatz, gsecdump, PsExec, Daserf, Gofarer, Datper https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan
https://www.secureworks.jp/resources/rp-bronze-butler
https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/
http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/
https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html
Lucky Cat Shadow Network, SabPub
A threat actor targets computer networks associated with Tibetan activists, as well as military research and development, aerospace, engineering, and shipping industries in India and Japan.
http://blog.trendmicro.com/trendlabs-security-intelligence/luckycat-redux-inside-an-apt-campaign/
http://www.nartv.org/mirror/shadows-in-the-cloud.pdf
https://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/
http://www.securityweek.com/mac-malware-linked-luckycat-attack-campaign
http://www.infoworld.com/article/2617225/malware/sabpub-malware-proves-macs-are-an-apt-target.html
https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html
TEMP.Periscope Leviathan APT 40 Temp.Periscope Temp.Jumper AIRBREAK, BADFLICK, PHOTO, HOMEFRY, LUNCHMONEY, MURKYTOP, China Chopper, Beacon, BLACKCOFFEE, CVE-2017-11882
Targets: maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html
https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html
https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain
PassCV TG-3279 Winnti Umbrella, China Cracking Group, Sabre, Kitkiot, Conpee, Etso, Runxx, dnsenum, s (custom port scanner), rdp_crk, icmp_shell, Jynxkit, Gh0st RAT, NetCommander, Carberp RAT Gaming Companies Winnti
Personas: Laurentiu Moon, Sincoder
https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
https://401trg.com/burning-umbrella/
https://www.secureworks.com/research/threat-group-3279-targets-the-video-game-industry#up2
BARIUM TG-2633 Winnti Umbrella, BRONZE ATLAS Winnti Rootkit malware Electronic gaming, multimedia, Internet content industries, technology companies Winnti https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc
https://401trg.pw/burning-umbrella/
LEAD Winnti Umbrella Bayer Cyber Attack Winnti Rootkit malware Multinational, multi-industry companies, textiles, chemicals, electronics, pharmaceutical companies, manufacturing Winnti
https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc
https://401trg.pw/burning-umbrella/
https://www.france24.com/en/20190404-bayer-victim-cyber-attack-german-media
Iron Group Rocke XBash Cybercrime, Cryptomining, Cryptojacking https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html
https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/
https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang#When:18:10:00Z
Anchor Panda Anchor Panda Adobe Gh0st, Poison Ivy, Torn RAT
This threat actor targets government and private sector entities interested in maritime issues in the South China Sea for espionage purposes. Maritime satellite systems, aerospace companies, and defense contractors.
“PdPD” (50 64 50 44) marker for encrypted binaries
http://www.crowdstrike.com/blog/whois-anchor-panda/
Big Panda Financial services firms
Mentioned by Alperovitch in 2013 article as targeting financial services industry
http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?
Electric Panda Listed on slide 8 http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
Eloquent Panda Mentioned slide 15 http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
Emissary Panda Emissary Panda LuckyMouse TG-3390 APT 27 TEMP.Hippo Group 35 BRONZE UNION, ZipToken, Iron Tiger Iron Tiger A Tale of Two Targets PlugX, China Chopper Webshell, HttpBrowser, Hunter, ASPXTool, wce, gsecdump, nbtscan, htran US Gov and contractors, Western think tanks
http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/
http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states
https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/
https://www.secureworks.com/research/bronze-union
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/
https://securelist.com/luckymouse-hits-national-data-center/86083/
https://securelist.com/luckymouse-ndisproxy-driver/87914/
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox
Foxy Panda Foxy Panda Technology & Communications Listed slide 4 http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
Gibberish Panda Gibberish Panda Listed slide 8 http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
Goblin Panda Goblin Panda Cycldek Cycldek, Conimes ZeGhost, PlugX Southeast Asia, Government of Vietnam
Weaponizer leaked, new activity wrongly attributed to this long inactive group, possible links to Icefog/Dagger Panda and Temp.Periscope/APT40
http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/
https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain
https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html
Hammer Panda Russia http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242
Hurricane Panda Hurricane Panda APT 31 Black Vine TEMP.Avengers Zirconium Umbrella Revolution Op. Poisoned Hurricane China Chopper Webshell, PlugX, Mimikatz, Sakula Aerospace, Healthcare, Energy (gas & electric turbine manufacturing), Military and defense, Finance, Agriculture, Technology, Japan, United States, United Kingdom, India, Canada, Brazil, South Africa, Australia, Thailand, South Korea, France, Switzerland, Sweden, Finland, Norway
Used free DNS servers provided by Hurricane Electric
http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/
http://blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
http://blog.airbuscybersecurity.com/post/2015/09/APT-BlackVine-Malware-Sakula
https://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012
http://blog.airbuscybersecurity.com/post/2015/10/Malware-Sakula-Evolutions-%28Part-2/2%29
https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85
https://uk.reuters.com/article/uk-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUKKCN1PV14R
https://raw.githubusercontent.com/GuardaCyber/APT-Groups-and-Operations/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf
Impersonating Panda Impersonating Panda Financial sector
Judgement Panda Spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting Upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
Karma Panda Karma Panda Dissident groups Listed slide 4 http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
Keyhole Panda Keyhole Panda temp.bottle Electronics & Communications Listed slide 4 http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
Kryptonite Panda 8.t exploit document builder Cambodia https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
Mustang Panda Mining sector in Mongolia https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
Night Dragon Night Dragon Night Dragon (OpNightDragon) A threat actor compromised U.S. oil companies through spear phishing and remote administration tools. Oil, Energy and Petrochemical
https://kc.mcafee.com/corporate/index?page=content&id=KB71150
http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
Nightshade Panda Nightshade Panda APT 9 Poison Ivy, PlugX https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/
Nomad Panda 8.t exploit document builder Central Asian nations https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
Pale Panda PlugX Mentioned in 2014 Crowdstrike Global Threat Intel Report pg 22
http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
Pirate Panda Pirate Panda KeyBoys Southeast Asia http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html
https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/
https://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks
https://citizenlab.ca/2016/11/parliament-keyboy/
Poisonous Panda Poisonous Panda Energy technology, G20, NGOs, Dissident Groups Listed slide 4 http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
Predator Panda Predator Panda PlugX Southeast Asia Mentioned pg 22 & 42
http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
Radio Panda Radio Panda
Sabre Panda Umbrella Revolution Listed in 2014 Global Threat Report (pg 9) - observed in Umbrella Revolution related activity (pg 28)
http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
Spicy Panda Listed in 2014 Global Threat Report - no more details pg 9
http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
Stone Panda Stone Panda APT 10 MenuPass Team menuPass Red Apollo, CVNX, POTASSIUM, Cloud Hopper, Hogfish menuPass Dust Storm Cloud Hopper ChessMaster Poison Ivy, EvilGrab, IEChecker, ChChes, PlugX, RedLeaves, Quasar, CobaltStrike, Trochilus, UPPERCUT (aka ANEL), StoneNetLoader, BUGJUICE, SOGU, SNUGRIDE, Group 27 Healthcare; Pharma, Defense, Aerospace, Government, MSP, Compromise & Persistence: Data exfil over common TCP services (RDP, HTTPS) Profile slide 13 & 14
http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf
https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf
https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-february-24th/
https://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022/
https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/
https://www.us-cert.gov/ncas/alerts/TA17-117A
https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf
https://www.lac.co.jp/lacwatch/people/20180521_001638.html
https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
Temper Panda Temper Panda Admin338 Team338 admin@338 338 Team Umbrella Revolution admin@338 Poison Ivy, jRat, LOWBALL, BUBBLEWRAP Target Gov + Military, DIB, Financial/Think Tanks “PdPD” (50 64 50 44) marker for encrypted binaries
https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html
https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
Test Panda Test Panda Listed slide 8 http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
Toxic Panda Toxic Panda Dissident Groups Listed slide 4 http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
Union Panda Union Panda Industrial companies Listed slide 4 http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
Violin Panda Violin Panda APT 8 APT 20 Covert Grove Nitro Attacks th3bug Poison Ivy, CAKELOG, CANDYCLOG, COOKIECLOG, CETTRA Energy, Chemical Industry, Healthcare and Pharma Listed slide 12 http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf
Wet Panda Wet Panda PlugX Energy Mentioned in 2014 Global Threat Report using PlugX (pg 22)
http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777
? Four Element Sword UP007, SLServer, Grabber, T9000, Kivars, PlugX, Gh0StRAT, Agent.XST Tibetans, Hong Kong, Taiwanese interests and human rights workers, Uyghur Interests Active IXESHE (see PWC report)
https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/
https://citizenlab.org/2016/04/between-hong-kong-and-burma/
http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html
? INOCNATION IXESHE (malware), Etumbot, Numbered Panda
https://web.archive.org/web/20151217200415/https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf
? Poisoned Helmand Afghan Government Watering Hole Operation Poisoned Hurricane https://www.threatconnect.com/operation-poisoned-helmand/
? Titan Rain USA http://web.archive.org/web/20081011233241/http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html
? Maverick Panda PLA Navy Sykipot, Getkys, Wyksol DIB (Defence Industrial Base) and other government organizations https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments
http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/
Russia
Common Name Other Name 1 Other Name 2 Other Name 3 Other Name 4 Other Name 5 Other Name 6 Other Name 7 Other Name 8 Other Name 9 Other Name 10 Other Name 11 Other Name 12 Secureworks Operation 1 Operation 2 Operation 3 Operation 4 Operation 5 Operation 6 Operation 7 Toolset / Malware Targets Modus Operandi Comment Link 1 Link 2 Link 3 Link 4 Link 5 Link 6 Link 7 Link 8 Link 9 Link 10 Link 11 Link 12 Link 13 Link 14 Link 15 Link 16 Link 17 Link 18 Link 19 Link 20
Sofacy APT 28 Sednit Pawn Storm Group 74 Tsar Team Fancy Bear Strontium Swallowtail SIG40 IRON TWILIGHT Russian Doll Bundestag TV5 Monde "Cyber Caliphate" EFF Attack DNC Hack OpOlympics CHOPSTICK, CORESHELL, Winexe, SOURFACE, OLDBAIT, Sofacy, XAgent, XTunnel, WinIDS, Foozer, DownRange, Sedreco Dropper, Komplex, DealersChoice, Downdelph, Sednit, USBStealer, Sedkit, HideDrv (Rootkit), Grizzly Steppe, LoJax United States government Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016. Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018)
https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf
https://app.box.com/s/g55oxdd3q63hyngbjm4fbipfct94wrye
https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/
http://fancybear.net/
http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-under-the-microscope/
https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf
https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
https://apnews.com/3bca5267d4544508bb523fa0db462cb2?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP
https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
APT 29 Dukes Group 100 Cozy Duke EuroAPT Cozy Bear CozyCar Cozer Office Monkeys / TEMP.Monkeys Minidionis SeaDuke Hammer Toss Fritillary IRON HEMLOCK Hammertoss, OnionDuke, CosmicDuke, MiniDuke, CozyDuke, SeaDuke, SeaDaddy implant developed in Python and compiled with py2exe, AdobeARM, ATI-Agent, MiniDionis, Grizzly Steppe, Vernaldrop, Tadpole, Spikerush, POSHSPY This threat actor targets government ministries and agencies in Europe, the US, Central Asia, East Africa, and the Middle East, phishing emails Active campaign post 2016 US presidential election, associated with DNC attacks
https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf
https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
http://www.volexity.com/blog/
https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf
https://www2.fireeye.com/rs/848-DID-242/images/RPT-M-Trends-2017.pdf
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
Turla Group Snake Venomous Bear Group 88 Waterbug Turla Team Krypton Uroburos SIG23 MAKERSMARK IRON HUNTER Satellite Turla Epic Turla The 'Penquin' Turla Witchcoven RUAG hack Mosquito Moonlight Maze systeminfo, net, tasklist, gpresult, wce, pwdump, Uroburos, Turla, Agent.BTZ, Tavdig, Wipbot, Agent.dne, AdobeARM, ATI-Agent, MiniDionis, WhiteBear, Gazer, Neuron, Nautilus Targeting several governments and sensitive businesses such as the defense industry
https://securelist.com/analysis/publications/65545/the-epic-turla-operation/
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/
https://securelist.com/blog/research/67962/the-penquin-turla-2/
https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/
https://securelist.com/kopiluwak-a-new-javascript-payload-from-turla/77429/
https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack
https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
http://www.sueddeutsche.de/digital/it-sicherheit-einbrechen-ausbreiten-abgreifen-1.3887843
https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/
https://www.ncsc.gov.uk/alerts/turla-group-malware
https://motherboard.vice.com/en_us/article/vvk83b/moonlight-maze-turla-link
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf
https://www.wired.com/2017/04/russian-hackers-used-backdoor-two-decades/
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/
Energetic Bear Dragonfly Crouching Yeti Group 24 Koala Team Berserk Bear Anger Bear Dymalloy Havex PEACEPIPE Fertger IRON LIBERTY Havex RAT, Oldrea, LightsOut ExploitKit, Inveigh, PsExec, Persistence through .LNK file manipulations, Nmap, Dirsearch, Sqlmap, Sublist3r, Wpscan, Impacket, SMBTrap, Commix, Subbrute, PHPMailer, Web Shells (PHP) This threat actor targets companies in the education, energy, construction, information technology, and pharmaceutical sectors for the purposes of espionage. It uses malware tailored to target industrial control systems. Energy, Middle East oil and natural gas as the goal, dedicated to gather relevant information, technology company in Western Europe that produces civil, military and critical infrastructure communications equipment Active Compromise via spear phish or SWC, Detected in Middle East networks in 2014, Motivation somewhat unclear
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf
http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans
https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/
https://www.us-cert.gov/ncas/alerts/TA17-293A
https://threatmatrix.cylance.com/en_us/home/energetic-dragonfly-dymalloy-bear-2-0.html
https://securelist.com/energetic-bear-crouching-yeti/85345/
https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf
Sandworm Sandworm Team TEMP.Noble Electrum TeleBots Quedagh Group BE2 APT Black Energy Iridium IRON VIKING Black Energy Ukrenergo NPetya, NotPetya CVE-2014-4114, W32/Industroyer, CrashOverride This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Linked to Kiev Dec2016 ICS cyberattack
http://www.isightpartners.com/2014/10/cve-2014-4114/
http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://www.us-cert.gov/ncas/alerts/TA17-163A
https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
FIN7 Overlaps with Carbanak https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor
https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf
https://www.rsa.com/content/dam/premium/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf
https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/
https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
Inception Framework Red October Cloud Atlas This threat actor targets governments and diplomatic organizations for espionage purposes. Suspected Operator in Ukraine working for Russia or its allies.
https://securelist.com/blog/incidents/57647/the-red-october-campaign/
http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/
https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies
https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware
TeamSpy Crew SIG39 TeamSpy Malicious TeamViewer versions, JAVA RATs This threat actor primarily compromises government entities and human rights activists in Eastern Europe and Central Asia for espionage purposes. It has also compromised private and public sector entities in the Middle East and in Western countries.
http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/theteamspystory_final_t2.pdf
https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
BuhTrap AmmyAdmin, LURK, NSIS, Mimikatz, CVE-2012-0158, PuntoSwitcher (like Keylogger)
http://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/
http://www.group-ib.com/brochures/gib-buhtrap-report.pdf
Carberb USA http://itlaw.wikia.com/wiki/Moonlight_Maze
??? RUAG Espionage Turla Family, Uroburos, Snake (Carbon) Rootkit, Tavdig/Wipbot/Epic, Mimikatz, dsquery, dsget Swiss defence department https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
FSB 16th & 18th Centers Gamaredon Group OP Armageddon https://lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_FINAL.pdf
http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/
https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/
Cyber Berkut Bellingcat During Ukrainian Revolution https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter
WhiteBear Skipper Turla Kopiluwak embassies and diplomatic/foreign affair organizations, defense-related organizations Associated with Turla https://securelist.com/introducing-whitebear/81638/
??? BugDrop This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations. https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/
GRU GTsST (Main Center for Special Technology) NotPetya https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?utm_term=.23e3c7810049
VOODOO BEAR OlympicDestroyer https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/
TEMP.Veles Xenotime Trisis/Triton Oil refinery, other infrastructure https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
https://dragos.com/resource/xenotime/
https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
North Korea
Common Name CrowdStrike Talos Group Dell Secure Works Other Name 1 Other Name 2 Other Name 3 Other Name 4 Other Name 5 Other Name 6 Other Name 7 Other Name 8 Rep. of Korea FSI Operation 1 Operation 2 Operation 3 Operation 4 Operation 5 Operation 6 Operation 7 Operation 8 Operation 9 Toolset / Malware Targets Modus Operandi Comment Link 1 Link 2 Link 3 Link 4 Link 5 Link 6 Link 7 Link 8 Link 9 Link 10 Link 11 Link 12 Link 13 Link 14 Link 15 Link 16 Link 17
Lazarus Group Labyrinth Chollima Group 77 Hastati Group Bureau 121 Unit 121 Whois Hacking Team NewRomanic Cyber Army Team Zinc Appleworm Hidden Cobra Nickel Academy Troy Blockbuster Dark Seoul Applejeus Tdrop, Tdrop2, Troy, Destover, FallChill RAT, Volgmer, Hawup, Manuscrypt, WolfRAT, SheepRAT, HtDnDownLoader Believed to be responsible for Dark Seoul, Ten Days of Rain, the Sony Pictures Entertainment attack, the SWIFT-related bank heists, and WannaCry. Known to the U.S. government as Hidden Cobra. Targeting also BitCoin Exchanges, financial sector, technology/engineering sector Delivery: usually via spear phishing email. Infrastructure: C2 often based on compromised servers, moving to own servers paid by bitcoin to preserve anonymity. Persistence: typically launching ransomware after operation to destroy evidence Threat Recon.nshc.net alias=SectorA01
http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf
http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
https://www.alienvault.com/open-threat-exchange/blog/operation-blockbuster-unveils-the-actors-behind-the-sony-attacks
https://www.us-cert.gov/ncas/alerts/TA17-164A
http://www.fsec.or.kr/common/proc/fsec/bbs/21/fileDownLoad/1235.do
https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/
https://www.crowdstrike.com/blog/unprecedented-announcement-fbi-implicates-north-korea-destructive-attacks/
https://www.us-cert.gov/ncas/alerts/TA17-318A
https://www.us-cert.gov/ncas/alerts/TA17-318B
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/
https://www.darkreading.com/vulnerabilities---threats/lazarus-group-fancy-bear-most-active-threat-groups-in-2017/d/d-id/1330954?print=yes
https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
https://securelist.com/operation-applejeus/87553/
https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/
https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing
https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/
Group123 Ricochet Chollima Group 123 ScarCruft Red Eyes Reaper APT37 Venus 121 (금성121) Reaper Erebus Golden Time Evil New Year Are you Happy? FreeMilk North Korean Human Rights Evil New Year 2018 KARAE, SOUNDWAVE, ZUMKONG, RICECURRY, CORALDECK, POORAIM, SLOWDRIFT, MILKDROP, GELCAPSULE, DOGCALL, HAPPYWORK, RUHAPPY, SHUTTERSPEED, Flash Exploit CVE-2016-4117, ROKRAT, KEVDROID Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare; Scarcruft Tracking: Russia, Nepal, South Korea, China, India, Kuwait and Romania FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123
https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/
https://exchange.xforce.ibmcloud.com/collection/Fear-The-Reaper-North-Korean-Group-APT37-dc96e8bdff7573efb87d43d7584c1fbc
https://unit42.paloaltonetworks.com/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/
https://unit42.paloaltonetworks.com/unit42-reaper-groups-updated-mobile-arsenal/
https://blog.alyac.co.kr/1985
Dark Hotel Luder Karba Tapaoux Nemim APT-C-06 SIG25 Dubnium Fallout Team Dark Hotel Inexsmar Daybreak Win32.Karba, Win32.Pioneer, CVE-2015-8651 Japan, Taiwan, China, Russia, and South Korea, North Korea Government, Utilities, High-Tech, Automotive Information on Chinese forum indicating group may have targeted CVE-2015-8651, most likely a South Korean actor
https://securelist.com/blog/research/66779/the-darkhotel-apt/
http://drops.wooyun.org/tips/11726
https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/
http://www.wired.com/2014/11/darkhotel-malware/
https://securelist.com/operation-daybreak/75100/
https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf
https://research.checkpoint.com/silivaccine-a-look-inside-north-koreas-anti-virus/
https://github.com/aptnotes/data/issues/56
Silent Chollima Andariel Campaign Rifle DesertWolf Vanxatm Mayday INITROY XEDA Sony RifDoor, Phandoor Information gathering and profit Lazarus subgroup
https://www.scmagazineuk.com/war-plans-including-assassination-plan-stolen-by-north-korean-hackers/article/699089/
https://gsec.hitb.org/materials/sg2017/D1%20-%20Ashley%20Shen%20and%20Moonbeom%20Park%20-%20A%20Deep%20Dive%20into%20the%20Digital%20Weapons%20of%20the%20North%20Korean%20Cyber%20Army.pdf
http://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do
http://online.wsj.com/public/resources/documents/print/WSJ_-A006-20170728.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/
Kimsuki KPortScan, PsExec, Procdump, Mimikatz, Eternal suite of exploits, NirSoft MailPassView/Network Password Recovery/Remote Desktop PassView/SniffPass/WebBrowserPassView, Mechanical, Grease This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.
http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/
http://www.reuters.com/article/us-nuclear-southkorea-northkorea-idUSKBN0MD0GR20150317
https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/
https://apt.securelist.com/#!/threat/972
NoName malware with name "mySingleMessenger.exe" NorthKorea vs Samsung http://securityfactory.tistory.com/332
OnionDog This threat actor targets the South Korean government, transportation, and energy sectors. False Positive. APT Training by SK Government
http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml
http://zhuiri.360.cn/upload/APT-C-03-en.pdf
http://www.chinadaily.com.cn/china/2016-03/09/content_23794129.htm
TEMP.Hermit https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/
http://www.scmagazine.com/sony-hackers-are-still-hacking-researchers-say/article/474166/
? Honeybee MaoCheng Dropper Humanitarian Aid Groups https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
Stardust Chollima Stardust Chollima APT38 FASTCash Far Eastern International Bank Dimens, MBR Killer Latin America, Mexico, Costa Rica, Chile, Argentina, financial institutions in Asia and Africa in 2018 Media, government, but mainly financial institutions in order to raise money for the North Korean regime: Russia, Turkey, US, Poland, Mexico, Brazil, Uruguay, Taiwan, Malaysia, Chile, Vietnam, Philippines
https://app.cdn.lookbookhq.com/lbhq-production/10339/content/original/9dd0e31a-c9c0-4e1c-aea1-f35d3e930f3d/CrowdStrike_GTR_2019_.pdf
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html
https://www.fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html
Velvet Chollima Kimsuky? https://crowdstrike.lookbookhq.com/web-global-threat-report-2019/crowdstrike-2019-gtr
Iran
Common Name Other Name 1 Other Name 2 Other Name 3 Other Name 4 Other Name 5 FireEye Name Cisco Name Secureworks Symantec Operation 1 Operation 2 Operation 3 Toolset / Malware Targets Modus Operandi Comment Link 1 Link 2 Link 3 Link 4 Link 5 Link 6 Link 7 Link 8 Link 9 Link 10 Link 11 Link 12 Link 13 Link 14 Link 15 Link 16 Link 17 Link 18
Cutting Kitten TG-2889 Ghambar COBALT GYPSY Cleaver TinyZBot, PupyRAT This threat actor targets governments and private sector entities for espionage and sabotage purposes. It is believed to be responsible for compromising U.S. Navy computers at the Navy Marine Corps Intranet in San Diego, the U.S. energy company Calpine Corporation, Saudi Aramco, Pemex, Qatar Airways, and Korean Air
http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/
https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
https://www.secureworks.com/research/the-curious-case-of-mia-ash
Shamoon VOLATILE KITTEN Shamoon / Disttrack This threat actor targets energy sector, oil and gas industry as well as transportation and telecommunication services. wiper
https://en.wikipedia.org/wiki/Shamoon
http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html
Clever Kitten Group 41 Acunetix Web Vulnerability Scanner, PHP Webshell RC SHELL http://www.crowdstrike.com/blog/whois-clever-kitten/
Madi This threat actor compromises engineering firms, government entities, and financial and academic institutions in the United States, Israel, Iran, and Pakistan Social engineering
https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/
https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/
Cyber fighters of Izz Ad-Din Al Qassam Fraternal Jackal Ababil / ApAbabil The websites of Bank of America, JPMorgan Chase, Wells Fargo, and other U.S. financial institutions suffered simultaneous outages due to a coordinated denial of service cyberattack in September 2012. Attackers flooded bank servers with junk traffic, preventing users from online banking. An Iranian group called Izz ad-Din al-Qassam Cyber Fighters initially claimed responsibility for the incident. At the time, the media reported that U.S. intelligence believed the denial of service was in response to U.S. imposed economic sanctions to counter Iran's nuclear program. Seven Iranian individuals linked to the Islamic Revolutionary Guard Corps were eventually indicted by the U.S. Department of Justice in 2016 for their involvement in the incident. DoS
http://pastebin.com/u/QassamCyberFighters
http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html
http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html
https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html
Chafer Cadelle HELIX KITTEN APT 39 Remexi, PsExec, Mimikatz, Web Shells (aspx spy, b374k), Airlines, Airports, Transportation, Logistics - worldwide Uses the same C2 http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets
https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets
https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
https://securelist.com/chafer-used-remexi-malware/89538/
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/
https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/
nbtscan, plink, RemCom, VNC Bypass scanner, infrastructure as
CoreSecurity tools, Impacket / Python exploits, NSSM, OilRig
Remcom, HTTPTunnel, Cadelspy, PLink, SSH Tunnels to
Windows Servers
Prince of Persia Infy This threat actor targets governments and businesses of multiple countries, https://iranthreats.github.io/
http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/
https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/
https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/
including the United States, Israel, and Denmark.
Sima focus on dissidents, woman rights activists, human rights organizations https://iranthreats.github.io/
Oilrig Cobalt Gypsy Twisted Kitten Crambus HELIX KITTEN Chrysene APT 34 Helminth, ISMDoor, Clayslide, QUADAGENT, OopsIE, ALMA Uses the same C2 https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
http://www.clearskysec.com/oilrig/
https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf
http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/
http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20
https://www.forbes.com/forbes/welcome/?toURL=https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/&refURL=&referrer=#56749aa2468a
https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a
https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/
https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/
https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/
https://www.dragos.com/blog/20180517Chrysene.html
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html
Communicator, customized Mimikatz, Invoke-Obfuscation, infrastructure as
POWBAT, POWRUNER (PS Backdoor), BONDUPDATER, Chafer - which
malicious RTF files CVE-2017-0199 and CVE-2017-11882, caused a major
ELVENDOOR, PLink, PsExec, SSH Tunnels to Windows mixup of OilRig
Servers, Webshells (TwoFace, DarkSeaGreenShell, campaigns falsely
LittleFace) attributed to
Chafer
CopyKittens Slayer Kitten DarkHydrus LazyMeerkat Wilted Tulip TDTESS backdoor, Vminst, NetSrv, Cobalt Strike, ZPP, Israel’s Ministry of Foreign Affairs and some well-known Israeli academic DarkHydrus C2 https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf
https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/
http://www.clearskysec.com/copykitten-jpost/
http://www.clearskysec.com/tulip/
https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
Matryoshka v1 and Matryoshka v2 researchers specializing in Middle East Studies. Israel, Saudi Arabia, United States, Infra Overlap
Jordan, Germany
Charming Kitten Parastoo iKittens, MacDownloader
NEWSCASTER NewsBeef Phosphorus APT 35 Group 83 ALFA TEaM Shell, DROPSHOT, TURNEDUP, SHAPESHIFT, This threat actor uses watering hole attacks and fake profiles to lure targets from Fake Social Media https://iranthreats.github.io/resources/macdownloader-macos-malware/
https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/
https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks
https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf
https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/
https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf
https://cryptome.org/2012/11/parastoo-hacks-iaea.htm
https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/
http://www.clearskysec.com/charmingkitten/
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
https://noticeofpleadings.com/phosphorus/files/Sealing.pdf?fbclid=IwAR1HMnynb0AaGyCI-8ejHjH-pNORfuHYOzQdsTrSpin2eRww6rRh-6VK2SI
malicious HTA files the U.S. government for espionage purposes. Account
Greenbug ISMdoor Saudi Arabia Sub group of APT https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/
https://www.arbornetworks.com/blog/asert/greenbugs-dns-isms/
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/february/ism-rat/
http://www.clearskysec.com/ismagent/
34 according to
Mandiant
Magic Hound Timberworm MAGNALLIUM Elfin APT 33 Stonedrill/Shamoon2.0 Shamoon, POWERTON, Ruler, PUPYRAT, POSHC2 (.NET A threat actor used malware known as Shamoon 2.0 to exfiltrate and delete data possibly http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/
https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/
https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets
https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html
https://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
https://webcache.googleusercontent.com/search?q=cache:Dicnr9-eKKYJ:https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf+&cd=6&hl=en&ct=clnk&gl=ie
https://gallery.logrhythm.com/threat-intelligence-reports/shamoon-2-malware-analysis-logrhythm-labs-threat-intelligence-report.pdf
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
backdoor), TURNEDUP, AutoIt backdoor, Gpppassword, from computers in the Saudi transportation sector. associated with
LaZagne, Quasar RAT, Remcos, SniffPass, DarkComet, Rocket Kitten and
AutoIt FTP tool, .NET FTP tool, PowerShell downloader Cobalt Gypsy
(registry.ps1), POSHC2 backdoor
Rocket Kitten Flying Kitten TEMP.Beanie Saffron Rose Ajax Security Team Group 26 Woolen Goldfish Thamar Reservoir GHOLE / Core Impact, CWoolger, FireMalv, .NETWoolger, Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing
https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf
http://www.clearskysec.com/thamar-reservoir/
https://citizenlab.org/2015/08/iran_two_factor_phishing/
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf
http://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/july/a-new-flying-kitten/
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf
MPK, Open source tools, Puppy RAT, MagicHound.Leash target countries, notable Iran researchers, human rights activists, media and
(IRC Bot) journalists, academic institutions and various scholars, including scientists in the
fields of physics and nuclear sciences. It seeks out material related to diplomacy,
defense, security, journalism, and human rights for espionage purposes.
? Mermaid This threat actor is based in the Middle East (possibly Iran) and targets English- and https://ti.360.com/upload/report/file/mryxdgkb20160707en.pdf
Persian-language organizations. It is alleged to be the same group behind a
compromise of the Danish Ministry of Foreign Affairs.
ITSecTeam One of the threat actors responsible for the denial of service attacks against U.S in http://pastebin.com/mCHia4W5
http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html
https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html
2012/2013. Three individuals associated with the group believed to be have been
working on behalf of Iran's Islamic Revolutionary Guard Corps were indicted by the
Justice Department in 2016.
MuddyWater TEMP.Zagros Seedworm Static Kitten SectorD02 POWERSTATS, PoweMuddy, LaZagne, Crackmapexec individuals in Asia and the Middle East, government and defense entities in Central Struggle with https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
https://sec0wn.blogspot.co.il/2018/03/a-quick-dip-into-muddywaters-recent.html
https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/
https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
https://threatrecon.nshc.net/2019/03/07/sectord02-powershell-backdoor-analysis/
and Southwest Asia Kaspersky
Mabna Institute Silent Librarian 144 universities in the United States, 176 foreign universities in 21 countries, five https://www.fbi.gov/wanted/cyber/iranian-mabna-hackers
https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment
https://twitter.com/ClearskySec/status/977899578346430464
federal and state government agencies in the United States, 36 private companies
in the United States, 11 foreign private companies, and two international non-
governmental organizations
Leafminer Raspite No evidence of https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east
https://www.dragos.com/blog/20180802Raspite.html
overlapping Oilrig
DarkHydrus RogueRobin https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca
Domestic Kitten https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/
Flash Kitten MENA Region long-running SWC https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
campaigns from
December 2016
until public
disclosure in July
2018
Gold lowell Boss Spider SamSam Criminal https://www.secureworks.com/research/samsam-ransomware-campaigns
https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/
https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public
https://garwarner.blogspot.com/2018/11/two-iranian-hackers-charged-with-6.html
Iridium Australian Parliament
Citrix
HackHack China Chopper / Ckife Webshells, LazyCat, reGeorge NOTHING https://www.scmagazine.com/home/security-news/apts-cyberespionage/iridium-cyberespionage-gang-behind-aussie-parliament-attacks/
https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/
CONFIRMED YET
DNSpionage https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
Israel
Common Name Other Name 1 Other Name 2 Other Name 3 NSA Operation 1 Operation 2 Toolset / Malware Targets Modus Operandi Comment Link 1 Link 2 Link 3 Link 4 Link 5
Unit 8200
  Operations: Olympic Games / Stuxnet
  Toolset / Malware: Stuxnet
  Targets: Directed at Iranian nuclear facilities
  Modus Operandi: Stuxnet is typically introduced to the target environment via an infected USB flash drive.
  Links:
    http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
    https://archive.org/details/Stuxnet

Unit 8200
  Other names: Duqu Group
  NSA: SIG35
  Toolset / Malware: Duqu 2.0
  Targets: A threat actor, using a tool dubbed Duqu 2.0, targeted individuals and companies linked to the P5+1 (the five permanent member states of the UN Security Council, plus Germany), which was conducting negotiations on Iran's nuclear program.
  Links:
    https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/
    https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns
    http://www.wsj.com/articles/spy-virus-linked-to-israel-targeted-hotels-used-for-iran-nuclear-ta
    https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt

SunFlower
  Other names: MoonFlower, Cheshire Cat, Flowershop
  NSA: SIG17 / SIG18
  Comment: Might be related to Duqu and Stuxnet, and might be attributed to Israel.
  Links:
    https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
    https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/
    https://github.com/Yara-Rules/rules/blob/master/malware/APT_CheshireCat.yar
    https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt
NATO
Common Name Other Name 1 Other Name 2 Other Name 3 Other Name 4 Symantec Kaspersky Operation 1 Operation 2 Operation 3 Toolset / Malware Targets Modus Operandi Comment Link 1 Link 2 Link 3 Link 4 Link 5 Link 6 Link 7 Link 8
Equation Group
  Other names: Tilded Team, EQGRP, Housefly, Remsec
  Symantec: Longhorn
  Kaspersky: Lamberts
  Operations: Socialist, Olympic Games / Stuxnet, Project Sauron / Strider
  Toolset / Malware: Regin, Flame, Stuxnet, EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny, Grayfish, RemSec, Gauss, Duqu
  Comment: NSA, GCHQ, CSIS, ASIS, GCSB, FiveEyes, FVEY
  Links:
    http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/
    https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
    http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets
    https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/
    https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/
    https://web.archive.org/web/20160304022846/http://www.kaspersky.com/about/news/virus/2012/Kasp

Snowglobe
  Other names: Animal Farm
  Toolset / Malware: Babar, Bunny, Dino, Casper, Tafacalou, NBot, Chocopop
  Comment: Probably French origins
  Links:
    https://securelist.com/blog/research/69114/animals-in-the-apt-farm/
    https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france
    http://www.cyphort.com/evilbunny-malware-instrumented-lua/
    http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/
    https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html

Slingshot
  Operations: Mikrotik Router Compromise
  Toolset / Malware: Slingshot, Cahnadr, GollumApp, SsCB, ffproxy, NeedleWatch, Sfc2, Minisling, Spork downloader
  Targets: Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates
  Links:
    https://securelist.com/apt-slingshot/84312/

GOSSIPGIRL
  Links:
    https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0
Middle East
Common Name Other Name 1 Other Name 2 Other Name 3 Operation 1 Operation 2 Operation 3 Origin Toolset / Malware Targets Modus Operandi Comment Link 1 Link 2 Link 3 Link 4 Link 5 Link 6 Link 7 Link 8 Link 9 Link 10 Link 11
Molerats
  Other names: Gaza cyber gang, Gaza Hacker Team
  Operations: Molerats, DustySky, TopHat
  Origin: Gaza
  Toolset / Malware: Poison Ivy, DustySky, NeD Worm, Scote, Don't Kill My Cat (DKMC), RTFs exploiting CVE-2017-0199
  Targets: Israel, Palestine, Egypt, Saudi Arabia, United Arab Emirates, Turkey, USA. (Targeted sectors include governmental and diplomatic institutions, including embassies; companies from the aerospace and defence industries; financial institutions; journalists; software developers.)
  Modus Operandi: targeted emails with malware; fake website with malici[...] pretending to be a legitimate iOS management software, and linking to it in an online freelancing marketplace.
  Links:
    https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
    http://www.clearskysec.com/dustysky/
    https://securelist.com/blog/research/72283/gaza-cybergang-wheres-your-ir-team
    http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html
    https://github.com/kbandla/APTnotes/raw/master/2012/Cyberattack_against_Israeli_and_Palestinian_targets.pdf
    http://pwc.blogs.com/cyber_security_updates/2016/11/molerats-theres-more-to-the-naked-eye.html
    http://www.clearskysec.com/molerats-iec/
    https://securelist.com/gaza-cybergang-updated-2017-activity
    https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-e

AridViper
  Other names: Desert Falcon, APT-C-23, Two-tailed Scorpion
  Origin: Gaza
  Targets: Egypt, Palestine, Israel, Jordan, UAE; Israeli-based organizations in the government, transport/infrastructure, military, and academia. One organization based in Kuwait is also among Arid Viper's victims.
  Modus Operandi: spear phishing
  Comment: Related: Operation Advtravel
  Links:
    http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf
    http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html
    https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/
    https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf
    https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/
    https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/
    https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View
    https://www.ci-project.org/blog/2017/3/4/arid-viper
    http://blog.talosintelligence.com/2017/06/palestine-delphi.html
    https://www.threatconnect.com/blog/kasperagent-malware-campaign/
    https://blog.trendmicro.com/trendlabs-security-intelligence/new-gnatsp

Volatile Cedar
  Origin: Lebanon
  Toolset / Malware: Explosive
  Targets: USA, Canada, UK, Turkey, Lebanon and Israel. Nation-state/political-group interests
  Modus Operandi: The modus operandi for this attacker group initially targets publicly facing web servers, with both automatic and manual vulnerability discovery. Once in control of a server, the attackers further penetrate the targeted internal network via various means, including manual online hacking as well as an automated USB infection mechanism.
  Comment: The main threat is sensitive data theft and cyber espionage
  Links:
    http://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf
    http://blog.checkpoint.com/2015/03/31/volatilecedar/

Syrian Electronic Army (SEA)
  Other names: Deadeye Jackal
  Origin: Syria
  Toolset / Malware: SeANux: Sea Shell (Basic Web Shell), Executer Webshell
  Targets: Commercial, Financial, Media, Social Networking
  Links:
    http://www.crowdstrike.com/blog/dns-lifeblood-your-domain/
    https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf

Cyber Caliphate Army (CCA)
  Other names: United Cyber Caliphate (UCC), Islamic State Hacking Division
  Origin: Syria/Iraq (Islamic State)
  Comment: Pro-ISIS
  Links:
    https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697
    https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division

Ghost Jackal
  Targets: Commercial, Energy, Financial
  Links:
    https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf

Corsair Jackal
  Targets: Commercial, Technology, Financial, Energy
  Links:
    https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf

Extreme Jackal
  Targets: Military, Government
  Links:
    https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf

Electric Powder
  Operations: Electric Powder
  Toolset / Malware: Downloader, keylogger
  Targets: Israel Electric Company
  Modus Operandi: spreading malware via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites
  Links:
    http://www.clearskysec.com/iec/
    https://www.riskiq.com/blog/analyst/powering-threat-investigations/

APT-C-23
  Toolset / Malware: KASPERAGENT and MICROPSIA, Desert Scorpion
  Links:
    http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/
    https://blog.lookout.com/frozencell-mobile-threat
    https://ti.360.net/blog/uploads/2017/09/22/f41a337e10e992f17986af386a62c7ad.pdf
    https://blog.lookout.com/desert-scorpion-google-play
    https://www.cyberscoop.com/hamas-spyware-desert-scorpion-apt-c-23-google-play-lookout/

APT-C-27
  Other names: Golden Rat, Goldmouse
  Links:
    https://www.anquanke.com/post/id/94072
    https://securityaffairs.co/wordpress/74670/malware/apt-c-27-syria-espionage.html
    https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/
    https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/

Dark Caracal
  Origin: Lebanon
  Toolset / Malware: Pallas, Bandook, CrossRAT, Infected Documents
  Links:
    https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

Tempting Cedar
  Origin: Lebanon
  Targets: people in Eastern European and Middle Eastern countries
  Links:
    https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware

? (unnamed)
  Operations: Big Bang
  Toolset / Malware: MICROPSIA
  Targets: Palestinian authorities
  Links:
    https://blog.talosintelligence.com/2017/06/palestine-delphi.html
    https://research.checkpoint.com/apt-attack-middle-east-big-bang/

Group WIRTE
  Targets: people from the Palestinian authority and UAE
  Modus Operandi:
    1. Rar file with a geo-political name in Arabic, usually concerning the Palestinian Authority and Gaza
    2. VBS/SCR with the same name
    3. Decoy document containing content copied (and modified) from a media outlet
    4. Backdoor
  Links:
    https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html
    https://www.securityartwork.es/2019/01/18/grupo-wirte-atacando-a-oriente-medio/
    https://twitter.com/ClearskySec/status/1085160222233112577
    https://twitter.com/ItsReallyNick/status/1033413803470467072
    https://twitter.com/jeFF0Falltrades/status/1085247772582912003
    https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/
Other Actors
Common Name Other Name 1 Other Name 2 Other Name 3 Other Name 4 Other Name 5 Operation 1 Operation 2 Operation 3 Toolset / Malware Targets Origin Comment Link 1 Link 2 Link 3 Link 4 Link 5 Link 6 Link 7 Link 8 Link 9
Corsair Jackal Tunesia https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/
The Mask Careto Spanish Speaking Country https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/
El Machete Machete This threat actor targets military, government entities, https://securelist.com/blog/research/66108/el-machete/
https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html
and telecommunications providers, primarily in Latin
America, for the purpose of espionage.
Patchwork Dropping Elephant Chinastrats Capricorn Organisation
APT-C-09 Viceroy Tiger Hangover Monsoon Unknown Logger global, including targets in the US, Europe, and the offshore APT India http://normanshark.com/wp-content/uploads/2013/08/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf
https://www.cymmetria.com/patchwork-targeted-attack/
https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign
https://securelist.com/the-dropping-elephant-actor/75328/
http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
http://www.sohu.com/a/211497788_764248
https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
https://mp.weixin.qq.com/s/AfGrEi-ViJxHEEDtSLvQSg
https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/
https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/
https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/
Public, TINYTYPHON, Middle East, many of the target countries are in the area organization
BADNEWS, AutoIt surrounding the Indian subcontinent from South Asia
backdoor
Hellsing APT Naikon Asia https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/
https://www.kaspersky.com/blog/deny-the-hellsing-apt-by-default/3851/
Wild Neutron Jripbot Morpho Sphinx Moth Jiripbot, Hesperbot https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
Sykipot https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919
Platinum TwoForOne Hotpatching primarily targets governmental organizations, defense South East Asia
techniques, CVE-2015- institutes, intelligence agencies, and telecommunication
2545 providers in South and Southeast Asia
Danti https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
SVCMONDR https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
Transparent Tribe Government of India diplomatic and military https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf
https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html
APT 32 Ocean Lotus APT-C-00 SeaLotus Cobalt Kitty Unique suite & OTS, This threat actor targets organizations of interest Vietnam https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/
https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/
https://www.brighttalk.com/webcast/10703/261205
https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
https://s.tencent.com/research/report/471.html
https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
https://blog.cystack.net/word-based-malware-attack/
https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html
https://blog.malwarebytes.com/threat-analysis/2019/04/funky-malware-format-found-in-ocean-lotus-sample/
Microsoft to the Vietnamese government for espionage
ActiveMime file purposes. Victims have included human rights
attachments, organizations, research institutes and maritime
KerrDown, construction firms in China, and media
CobaltStrike organizations.

BlackOasis CVE-2015-5119 – June Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/
2015, CVE-2016-0984 Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom
– June 2015, CVE- and Angola
2016-4117 – May
2016, CVE-2017-8759
– Sept 2017, CVE-
2017-11292 – Oct
2017, FinSpy Malware
NEODYMIUM https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/
PROMETHIUM https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/
Andromeda Spider https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf
Bamboo Spider Developed Panda Zeus https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 19
Boson Spider CoreBot Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf see slide 15
Carbon Spider Carbanak Anunak Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf
https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/ see slide 15 & 35
Cobalt Spider Point of Sale Criminal https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/
Dextorous Spider Retail https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf
Dundeon Spider Criminal https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-october-dungeon-spider/
Grim Spider TEMP.MixMaster Dataresolutio Ryuk Criminal / Currently refers to https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/
n.net (MSP Ryuk deployments following
Onslow, North for multiple TrckBot infections
Carolina US
water newpapers)
Hound Spider Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Indrik Spider Dridex Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf
https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
see slide 15
Lunar Spider IcedID (BokBot) Financial Crime Cooperation with Wizard Spider https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/
https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/
Magnetic Spider Financial Crime Russia Russia based "financial-crime motivated actor" - Crowdstrike 2014 Global TIR pg 57 http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
Mimic Spider Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Monty Spider Criminal https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 19
Mummy Spider Emotet Criminal https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
https://crowdstrike.lookbookhq.com/web-global-threat-report-2019/crowdstrike-2019-gtr
Overlord Spider Entertainment and healthcare sector Criminal / Data Extortion https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 7
Pinchy Spider GandCrab Criminal https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
Pizzo Spider Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Shark Spider Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Singing Spider Commercial, Financial Criminal https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf
Skeleton Spider FIN6 FrameworkPoS, Vawtrak/Neverquest Criminal https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
https://www.fireeye.com/blog/threat-research/2016/04/follow_the_money.html
https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf
https://webcache.googleusercontent.com/search?q=cache:wMkxJorBEKIJ:https://securityintelligence.com/x-force-iris-identifies-fin6-activity-on-pos-networks/+&cd=1&hl=en&ct=clnk&gl=uk&client=firefox-b
https://exchange.xforce.ibmcloud.com/collection/FIN6-Financial-Crime-Actor-f55930eb9f4438efe9101a618d6a8703
https://www.proofpoint.com/us/search/site?search_text=TA530&language=en
Static Spider Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Union Spider Manufacturing Criminal https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf
Wicked Spider Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/
Wizard Spider TrickBot Criminal https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 19
https://crowdstrike.lookbookhq.com/web-global-threat-report-2019/crowdstrike-2019-gtr page 52
Wold Spider Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Zombie Spider Pyotr Levashov Kelihos Criminal https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 18
Curious Jackal Activist https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Extreme Jackal Activist https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Gekko Jackal Activist https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Shifty Jackal Activist https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15
Mythic Leopard Pakistan https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/
GravityRAT India Pakistan https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
https://www.cyberscoop.com/gravityrat-cisco-talos-india-pakistan/
SilverTerrier Predator Pain, Pony, KeyBase, ISpySoftware, ISR Stealer, Agent Tesla, LokiBot, Zeus and Atmos, NetWire, DarkComet and NanoCore Nigeria Criminal https://www.paloaltonetworks.com/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise.html
InvisiMole Russia, Ukraine https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
SideWinder T-APT-04 "Rattlesnake" Military, Government, Pakistan, "South Asian countries" India Origins believed to be traced back to 2012 https://s.tencent.com/research/report/479.html
https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c
https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain
Blackgear Topgear Comnie Protux, Eliriks Japan, Taiwan, South Korea Dates back to 2008 https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
Gorgon Group Subaat NanoCoreRAT, QuasarRAT, NJRAT https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
Donot Team APT-C-35 Lucky Elephant EHDevel, yty Government officials, Pakistan, Kashmir Possible links to Hangover https://ti.360.net/blog/articles/pakistan-targeted-apt-campaign/
https://www.reuters.com/article/us-india-cyber-threat/exclusive-india-and-pakistan-hit-by-spy-malware-cybersecurity-firm-idUSKCN1B80Y2
https://labs.bitdefender.com/wp-content/uploads/downloads/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/
https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/
https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/
https://github.com/aptnotes/data/files/679036/Snake.In.The.Grass.-.Python-based.Malware.Used.For.Targeted.Attacks.-.BLUE.COAT.LABS.pdf
https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china/
https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading
Nomadic Octopus DustSquad Central Asian users and diplomatic entities Russian-speaking https://securelist.com/octopus-infested-seas-of-central-asia/88200/
Anunak Carbanak Carbanak Group Carbon Spider Odinaff Mimikatz, MBR Eraser, SoftPerfect Network Scanner, SSHd with BackDoor, Ammyy Admin, CVE-2012-2539 and CVE-2012-0158, Netscan, PsExec, Backdoor Batel, Bateleur JScript Backdoor, Cobalt Strike, Sekur, Agent ORM, VB Flash, JS Flash, Bateleur Banks of Russia and payment system Ukraine Overlaps with FIN7 https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/
TA505 FlawedAmmyy, Remote Manipulator System Financial institutions, Retail https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat
https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times
https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments
https://seguranca-informatica.pt/flawedammyy-leveraging-undetected-xlm-macros-as-an-infection-vehicle/
https://e.cyberint.com/hubfs/CyberInt_Cybercriminals%20go%20after%20USA%20retailers_Report.pdf?utm_source=hs_automation&utm_medium=email&utm_content=70888132&_hsenc=p2ANqtz--B1ksVZeg-TD_yHlFjEeyVcX_q42Z-0nMIDTZJmvyObYuOQq7hTr1
https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware
Blind Eagle APT-C-36 Imminent RAT Colombian government institutions South America https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/
Bitter BitterRAT, ArtraDownloader Pakistan, Saudi Arabia offshore APT organization from South Asia ArtraDownloader: earliest timestamp Feb 2015 https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/
https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
Bahamut Middle Eastern human rights activists offshore APT organization from South Asia https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/
https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/
https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html
WindShift WindTail, WindTape Gulf Cooperation Council offshore APT organization from South Asia https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf
https://objective-see.com/blog/blog_0x38.html
https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/
https://digitasecurity.com/blog/2018/12/20/windtail/
EmpireMonkey Bank of Valletta Criminal https://www.timesofmalta.com/articles/view/20190225/local/how-bov-hackers-got-away-with-13-million.702800
http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
Pacha Group https://www.intezer.com/blog-pacha-group-deploying-undetected-cryptojacking-campaigns/
https://www.intezer.com/blog-technical-analysis-pacha-group/
DNSpionage Lebanon, UAE https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
https://twitter.com/_CPResearch_/status/1103525899515973632
https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
https://blog-cert.opmd.fr/dnspionage-weird-apt32-stuff/
https://blog-cert.opmd.fr/dnspionage-retour-factuel-sur-les-attaques-annoncees-dans-differents-medias/
Sea Turtle Sea Turtle DNS hijacking, CVE-2009-1151, CVE-2014-6271, CVE-2017-3881, CVE-2017-6736, CVE-2017-12617, CVE-2018-0296, CVE-2018-7600, Drupalgeddon industries: Ministries of foreign affairs, Military organizations, Intelligence agencies, Prominent energy organizations in US, Libya, Egypt, Lebanon, UAE, Albania, Cyprus, Turkey, Iraq, Jordan, Syria, Armenia, Sweden https://blog.talosintelligence.com/2019/04/seaturtle.html
Unknown / Unmapped Actors
Common Name Other Name 1 Other Name 2 Other Name 3 Other Name 4 Other Name 5 NSA Microsoft FireEye Operation 1 Operation 2 Operation 3 Toolset / Malware Targets Comment Link 1 Link 2 Link 3 Link 4 Link 5 Link 6 Link 7 Link 8
Crouching Yeti Links to Energetic Bear https://securelist.com/blog/research/65240/energetic-bear-more-like-a-crouching-yeti/
NewRomanic Cyber Army Team Whois Wiper http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf
The Whois Hacking Team http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf
ItaDuke
Roaming Tiger Russian http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/
Blue Termite Emdivi Cloudy Omega Blue Termite This threat actor is believed to have been responsible for the Japan Pension Service incident. It is also known as Emdivi and Cloudy Omega. http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets
https://web.archive.org/web/20160303010953/http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets
http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan
http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/
Suckfly tcpscan, smbscan, wce, gsecdump, credentialdumper South Korea, India Alleged to be China based http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates
http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks
? Groundbait Win32/Prikormka http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf
SPIVY PoisonIvy, CVE-2015-2545 Organisations in Hong Kong http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/
EvilPost CVE-2015-2545 Japanese Defence Sector C2 Server in Japan https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
Danti CVE-2015-2545 Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines probably related to NetTraveler and DragonOK https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
? IronGate Industrial Control Systems (ICS) MitM, Sandbox Evasion https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html
Evanescent Bat Tracked by Crowdstrike
NewsBeef https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/
Poseidon https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/
Ghoul Operation Ghoul mainly industrial, engineering and manufacturing organizations in more than 30 countries Financial interests https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/
FruityArmor MS16-120 / CVE-2016-3393 0day exploits, 0day CVE-2018-8453, PowerShell backdoor, CVE-2018-8611 Middle Eastern region https://securelist.com/blog/research/76396/windows-zero-day-exploit-used-in-targeted-attacks-by-fruityarmor-apt/
https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/
https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/
Tropic Trooper KeyBoy Tropic Trooper Poison Ivy, PCShare, Yahoyah Taiwan, High-Tech in Asia, Taiwanese Government, Fossil Fuel Provider, Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/
https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/
Snake Wine Ham Backdoor, Tofu Backdoor Japanese Targets Tracked by Cylance https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
APT5 Leouncia Telecommunications and technology companies, particularly in Southeast Asia, as well as high-tech manufacturing firms and military application technology https://www.fireeye.com/current-threats/apt-groups.html
Sowbug Felismus South American and Southeast Asian governments Tracked by Symantec https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments
Triton TRISIS https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
? Olympic Destroyer Olympic Destroyer (destructive malware), PsExec Winter Olympics in Pyeongchang, South Korea; not looking for information from the games but aiming to disrupt them Highly sophisticated adversaries, false flag http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://www.recordedfuture.com/olympic-destroyer-malware/
http://www.intezer.com/2018-winter-cyber-olympics-code-similarities-cyber-attacks-pyeongchang/
https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights
https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/
https://securelist.com/the-devils-in-the-rich-header/84348/
https://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html
https://research.checkpoint.com/new-strain-of-olympic-destroyer-droppers/
Orangeworm Kwampirs backdoor Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage Possibly FIN10 cybercriminal Tracked by Symantec https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
https://www.databreaches.net/team-orangeworm-claims-to-be-dumping-carepartners-data-from-2018-breach/
https://www.databreaches.net/team_orangeworm-issues-new-threats-to-carepartners/
FIN10 Casinos and mining (natural resources) cybercriminal https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf
https://www.databreaches.net/team_orangeworm-issues-new-threats-to-carepartners/
BlackTech PLEAD Shrouded Crossbow Waterbear targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong Operation name "PLEAD" also used as malware name https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/
https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html
https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html
https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/
RANCOR KHRAT Trojan https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/
White Company Shaheen Pakistani government and military, in particular the Pakistani Air Force https://threatvector.cylance.com/en_us/home/the-white-company-inside-the-operation-shaheen-espionage-campaign.html
SandCat CHAINSHOT, FinFisher/FinSpy, CVE-2018-8589 https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/
Silence Group Malicious CHM files, Truebot Targets are located in Eastern Europe and Russia https://reaqta.com/2019/01/silence-group-targeting-russian-banks/
https://www.group-ib.com/media/silence/
Whitefly SingHealth CVE-2016-0051, Vcrodat, Nibatad, Termite, Mimikatz Healthcare, media, telecommunications, and engineering sectors. Singapore Has been seen targeting organisations based in Singapore and additionally some multinational organizations with a presence in Singapore. https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore
Download Links
Download as XLSX https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pub?output=xlsx
Download as ODS https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pub?output=ods
Naming Schemes * not consistently used / malware focused
Country / Selector FireEye / Mandiant Crowdstrike Kaspersky DELL DELL Check Point Trend Micro Cisco Talos Verisign Microsoft Symantec 360
SecureWorks SecureWorks Labs iDefense Windows
(old) Defender
Research
Generic APT [X] TG-[X] Group [X] (Fish Names) (Elements) (Bug Names) APT-C-[X]
China [X] Panda [X] Dragon* BRONZE [X]
Russia [X] Bear [X] Duke* IRON [X]
North Korea [X] Chollima NICKEL [X]
South Korea [X] Crane
Iran [X] Kitten COBALT [X]
India [X] Tiger ZINC [X]
Vietnam [X] Buffalo
Lebanon [X] Cedar
Arab Countries [X] Falcon [X] Viper
Pakistan [X] Leopard

Criminal / Financial FIN[X] [X] Spider GOLD [X]


Activists [X] Jackal
Espionage [X] Bat
Temporary TEMP.[X]
Uncategorized UNC[X]
Malware / Tools
(Families / Overlaps)
Name 1 Name 2 Name 3 Name 4 Name 5 Name 6 Name 6 Name 7 Family Comment Link 1 Link 2 Link 3 Link 4
Gh0st RAT Moudoor Piano Gh0st Zegost https://cysinfo.com/hunting-and-decrypting-communications-of-gh0st-rat-in-memory/
http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/
https://sentinelone.com/blogs/the-curious-case-of-gh0st-malware/
http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
Poison Ivy Darkmoon PIVY http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf
HydraQ 9002 RAT McRAT Naid BKDR_MDMBOT Troj/Agent-XAL http://cybercampaigns.net/wp-content/uploads/2013/05/Hydraq.pdf
https://cysinfo.com/hunting-apt-rat-9002-in-memory-using-volatility-plugin/
Hikit Matrix RAT Gaolmay
Zxshell Sensode http://pastebin.com/jCaLHvkM
https://blogs.cisco.com/security/talos/opening-zxshell
DeputyDog Fexel
PlugX Destory RAT Thoper Sogu Korplug TVT Kaba PlugX Often uses DLL side-loading http://blogs.cisco.com/security/talos/threat-spotlight-group-72
https://www.circl.lu/pub/tr-24/
http://labs.lastline.com/an-analysis-of-plugx
BACKSPACE Lecna BARYS
Regin Prax WarriorPride QWERTY FEYES malware
HttpBrowser TokenControl
NetTraveler TravNet RedStar Netfile
IceFog Fucobha http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_exposes_Icefog_a_new_cyber-espionage_campaign_focusing_on_supply_chain_attacks
https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/
HTran CTran ONHAT (similar) Xdoor Chinese Tunneling Tool http://www.secureworks.com/cyber-threat-intelligence/threats/htran/
Agent.BTZ SillyFDC http://cybercampaigns.net/wp-content/uploads/2013/05/Agent-BTZ.pdf
Comfoo RSA incident, Red October http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
DNSChanger RSPlug ZLob http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
IEXPLORE RAT Sharky RAT Briba Comfoo https://citizenlab.org/2012/09/citizen-lab-technical-brief-iexpl0re-rat/
https://www.secureworks.com/research/secrets-of-the-comfoo-masters
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99&tabid=2
LSB https://github.com/RobinDavid/LSB-Steganography
http://ijact.org/volume3issue4/IJ0340004.pdf
LStudio Emissary Elise http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/
MNKit WingD Tran Duy Linh http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/
Derusbi Photo Shyape Sakula (variant) Mivast Derusbi Chinese Backdoor, Winnti https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf
https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf
Wipbot Epic Tavdig
Carbon Rootkit Snake Rootkit Cobra
Turla Uroburos
Winnti (Network Driver Component) Derusbi P2P Backdoor, Driver loaded into memory https://securelist.com/?s=winnti
http://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html#more-73
WCE AceHash Password Dumper, PTH http://www.ampliasecurity.com/research/windows-credentials-editor/
Mimikatz Powerkatz Password Dumper, PTH, DCSync, SkeletonKey, Golden/Silver Tickets https://github.com/gentilkiwi/mimikatz
HDRoot HDD Rootkit Winnti / Axiom Group http://williamshowalter.com/a-universal-windows-bootkit/
OrcaRAT LeoUnica Found with Comfoo malware http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html
https://github.com/kbandla/APTnotes/blob/master/2014/LeoUncia_OrcaRat.pdf
Etumbot Associated with Numbered Panda/APT12 https://cysinfo.com/sx-2nd-meetup-reversing-and-decrypting-the-communications-of-apt-malware/
https://www.arbornetworks.com/blog/asert/illuminating-the-etumbot-apt-backdoor/
xcmd Similar to psexec. Used in OPM and Anthem breaches
NjRAT
X-Agent Fysbis Used by Sofacy group, Linux backdoor http://www.welivesecurity.com/2016/10/25/lifting-lid-sednit-closer-look-software-uses/
Adwind RAT Frutas jFrutas AlienSpy Unrecom Sockrat jSocket jRAT jBifrost RAT Adwind https://t.co/x0jmdEp45w
Jiripbot Flacher Wild Neutron
Quasar RAT https://github.com/quasar/QuasarRAT/tree/v1.2.0.0
Mtool MultiTool Cn Group Tool for Recon
FallChill Manuscrypt Backdoor. Used by Lazarus Group, Bluenoroff. https://securelist.com/apt-trends-report-q2-2017/79332/
Infy Infy M https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/
DustySky NeD Worm http://www.clearskysec.com/dustysky/
Exforel SIG30 in NSA report, Chinese origin https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VirTool:WinNT/Exforel.A
https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
LoJax
ROKRAT https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
http://v3lo.tistory.com/24
Ryuk Hermes Ryuk based on Hermes GRIM SPIDER (cybercrime) https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
Xtunnel X-Tunnel Shunnael Used by APT28 / Sofacy
Sources
Source Link
APTNotes - Github Repo https://github.com/kbandla/APTnotes
APTNotes - Website https://aptnotes.malwareconfig.com/
Targeted Cyber Attacks Logbook (Kaspersky) https://apt.securelist.com/
Cyber Campaigns http://cybercampaigns.net/
(Slides) Cyber Espionage Nation-State APT Attacks on the Rise http://www.slideshare.net/Cyphort/cyber-espionage-nation-stateaptattacksontherise
(Slides) CrowdCasts Monthly: You Have an Adversary Problem http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
CrowdStrike Blog http://www.crowdstrike.com/blog/
Securelist.com Blog (Kaspersky) https://securelist.com/
Cyber Operations by CFR https://www.cfr.org/interactive/cyber-operations
Symantec Health Care Attacks https://www.symantec.com/content/dam/symantec/docs/reports/istr-healthcare-2017-en.pdf
FireEye Threat Actors https://www.fireeye.com/current-threats/apt-groups.html
MITRE ATT&CK Groups https://attack.mitre.org/wiki/Groups
APT_CyberCriminal_Campagin_Collections https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
Dragos' Adversary Groups (ICS Specialists) https://dragos.com/adversaries.html
ClearSky Raw Threat Intel https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub