Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

misp-galaxy/clusters/threat-actor.json

Go to file
@sebdraven
sebdraven Update threat-actor.json
Latest commit d5843d4 Mar 21, 2023 History 
add ref to Aoqin Dragon
53 contributors

Users who have contributed to this file

@Delta-Sierra @adulau @r0ny123 @Mathieu4141 @danielplohmann @StefanKelm @nyx0 @3c7 @cvandeplas @Rafiot @sebdraven @Th4nat0s
10638 lines (10638 sloc) 576 KB
Raw Blame
Open in GitHub Desktop
{
"authors": [
"Alexandre Dulaunoy",
"Florian Roth",
"Thomas Schreck",
"Timo Steffens",
"Various"
],
"category": "actor",
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.",
"name": "Threat Actor",
"source": "MISP Project",
"type": "threat-actor",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"values": [
{
"description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"Taiwan",
"Israel",
"Norway",
"United Arab Emirates",
"United Kingdom",
"Singapore",
"India",
"Belgium",
"South Africa",
"Switzerland",
"Canada",
"France",
"Luxembourg",
"Japan"
],
"cfr-target-category": [
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://en.wikipedia.org/wiki/PLA_Unit_61398",
"http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf",
"https://www.cfr.org/interactive/cyber-operations/pla-unit-61398",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/",
"https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/",
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://attack.mitre.org/groups/G0006/",
"https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"COMMENT PANDA",
"PLA Unit 61398",
"Comment Crew",
"Byzantine Candor",
"Group 3",
"TG-8223",
"Comment Group",
"Brown Fox",
"GIF89a",
"ShadyRAT",
"G0006"
]
},
"related": [
{
"dest-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
"value": "APT1"
},
{
"description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf",
"https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/"
],
"synonyms": [
"Covert Grove"
]
},
"uuid": "0b06fb39-ed3d-4868-ac42-12fff6df2c80",
"value": "Nitro"
},
{
"description": "Threat actors behind the Operation Dust Storm have been active since at least 2010, the hackers targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.",
"meta": {
"refs": [
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf",
"https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack",
"https://attack.mitre.org/groups/G0031/"
],
"synonyms": [
"G0031"
]
},
"related": [
{
"dest-uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9e71024e-817f-45b0-92a0-d886c30bc929",
"value": "Dust Storm"
},
{
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
],
"synonyms": [
"Red Chimera"
]
},
"uuid": "ba8973b2-fd97-4aa7-9307-ea4838d96428",
"value": "WET PANDA"
},
{
"description": "Adversary group targeting telecommunication and technology organizations.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
]
},
"uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd",
"value": "FOXY PANDA"
},
{
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
]
},
"uuid": "1969f622-d64a-4436-9a34-4c47fcb2535f",
"value": "PREDATOR PANDA"
},
{
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
]
},
"uuid": "7195b51f-500e-4034-a851-bf34a2728dc8",
"value": "UNION PANDA"
},
{
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
]
},
"uuid": "4959652d-72fa-46e4-be20-4ec686409bfb",
"value": "SPICY PANDA"
},
{
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
]
},
"uuid": "432b0304-768f-4fb9-9762-e745ef524ec7",
"value": "ELOQUENT PANDA"
},
{
"meta": {
"synonyms": [
"LadyBoyle"
]
},
"uuid": "8a8f39df-74b3-4946-ab64-f84968bababe",
"value": "DIZZY PANDA"
},
{
"description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"U.S. satellite and aerospace sector"
],
"cfr-target-category": [
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
"https://www.cfr.org/interactive/cyber-operations/putter-panda",
"https://attack.mitre.org/groups/G0024",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"PLA Unit 61486",
"PUTTER PANDA",
"MSUpdater",
"4HCrew",
"SULPHUR",
"SearchFire",
"TG-6952",
"G0024"
]
},
"related": [
{
"dest-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0ca45163-e223-4167-b1af-f088ed14a93d",
"value": "APT2"
},
{
"description": "Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"United Kingdom",
"Hong Kong"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://www.cfr.org/interactive/cyber-operations/apt-3",
"https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"GOTHIC PANDA",
"TG-0110",
"Group 6",
"UPS",
"Buckeye",
"Boyusec",
"BORON",
"BRONZE MAYFAIR",
"Red Sylvan"
]
},
"related": [
{
"dest-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d144c83e-2302-4947-9e24-856fbf7949ae",
"value": "APT3"
},
{
"description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Korea (Republic of)",
"cfr-suspected-victims": [
"Japan",
"Russia",
"Taiwan",
"South Korea",
"China"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "KR",
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
"https://securelist.com/blog/research/66779/the-darkhotel-apt/",
"https://securelist.com/the-darkhotel-apt/66779/",
"https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726",
"https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
"https://www.cfr.org/interactive/cyber-operations/darkhotel",
"https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
"https://attack.mitre.org/groups/G0012/",
"https://www.secureworks.com/research/threat-profiles/tungsten-bridge",
"https://www.antiy.cn/research/notice&report/research_report/20200522.html"
],
"synonyms": [
"DUBNIUM",
"Fallout Team",
"Karba",
"Luder",
"Nemim",
"Nemin",
"Tapaoux",
"Pioneer",
"Shadow Crane",
"APT-C-06",
"SIG25",
"TUNGSTEN BRIDGE",
"T-APT-02",
"G0012",
"ATK52"
]
},
"related": [
{
"dest-uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d",
"value": "DarkHotel"
},
{
"description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Taiwan",
"Japan"
],
"cfr-target-category": [
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/whois-numbered-panda/",
"https://www.cfr.org/interactive/cyber-operations/apt-12",
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
"https://www.secureworks.com/research/threat-profiles/bronze-globe",
"https://www.mandiant.com/resources/insights/apt-groups"
],
"synonyms": [
"NUMBERED PANDA",
"TG-2754",
"BeeBus",
"Group 22",
"DynCalc",
"Calc Team",
"DNSCalc",
"Crimson Iron",
"IXESHE",
"BRONZE GLOBE"
]
},
"related": [
{
"dest-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "48146604-6693-4db1-bd94-159744726514",
"value": "APT12"
},
{
"description": "Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Japan",
"Taiwan"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
"https://www.cfr.org/interactive/cyber-operations/apt-16",
"https://attack.mitre.org/groups/G0023",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
],
"synonyms": [
"SVCMONDR",
"G0023"
]
},
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
"value": "APT16"
},
{
"description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"Netherlands",
"Italy",
"Japan",
"United Kingdom",
"Belgium",
"Russia",
"Indonesia",
"Germany",
"Switzerland",
"China"
],
"cfr-target-category": [
"Government",
"Private sector",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
"https://www.cfr.org/interactive/cyber-operations/apt-17",
"https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
"https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
"https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
"https://www.recordedfuture.com/hidden-lynx-analysis/",
"https://www.secureworks.com/research/threat-profiles/bronze-keystone",
"https://attack.mitre.org/groups/G0025/",
"https://cfr.org/cyber-operations/axiom",
"https://attack.mitre.org/groups/G0001/",
"https://www.youtube.com/watch?v=NFJqD-LcpIg",
"https://www.mandiant.com/resources/insights/apt-groups"
],
"synonyms": [
"Group 8",
"AURORA PANDA",
"Hidden Lynx",
"Tailgater Team",
"Dogfish",
"BRONZE KEYSTONE",
"G0025",
"Group 72",
"G0001",
"Axiom",
"HELIUM"
]
},
"related": [
{
"dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"value": "APT17"
},
{
"description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States"
],
"cfr-target-category": [
"Government",
"Private sector",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828",
"https://www.cfr.org/interactive/cyber-operations/apt-18",
"https://attack.mitre.org/groups/G0026",
"https://www.mandiant.com/resources/insights/apt-groups"
],
"synonyms": [
"DYNAMITE PANDA",
"TG-0416",
"SCANDIUM",
"PLA Navy",
"Wekby",
"G0026"
]
},
"related": [
{
"dest-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
"value": "APT18"
},
{
"description": "Adversary group targeting financial, technology, non-profit organisations.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States"
],
"cfr-target-category": [
"Private sector",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
"https://www.cfr.org/interactive/cyber-operations/deep-panda",
"https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/",
"https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/",
"https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/",
"https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/",
"https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/",
"https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/",
"https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/",
"https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/",
"https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442",
"https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html",
"https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/",
"https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/",
"https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html",
"https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/",
"https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
"https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
"https://attack.mitre.org/groups/G0009/",
"https://www.secureworks.com/research/threat-profiles/bronze-firestone",
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
"http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
"https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html",
"https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel",
"https://www.youtube.com/watch?v=FC9ARZIZglI"
],
"synonyms": [
"DEEP PANDA",
"Codoso",
"WebMasters",
"KungFu Kittens",
"Black Vine",
"TEMP.Avengers",
"Group 13",
"PinkPanther",
"Shell Crew",
"BRONZE FIRESTONE",
"G0009",
"G0073",
"Pupa",
"Sunshop Group"
]
},
"related": [
{
"dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "fe8796a4-2a02-41a0-9d27-7aa1e995feb6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
"value": "APT19"
},
{
"description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"India",
"Saudi Arabia",
"Vietnam",
"Myanmar",
"Singapore",
"Thailand",
"Malaysia",
"Cambodia",
"China",
"Philippines",
"South Korea",
"United States",
"Indonesia",
"Laos"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
"https://www.cfr.org/interactive/cyber-operations/apt-30",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
"https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks",
"https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
"https://threatconnect.com/blog/tag/naikon/",
"https://attack.mitre.org/groups/G0019/",
"https://www.secureworks.com/research/threat-profiles/bronze-geneva",
"https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d",
"https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://attack.mitre.org/wiki/Group/G0013",
"https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"PLA Unit 78020",
"OVERRIDE PANDA",
"Camerashy",
"BRONZE GENEVA",
"G0019",
"Naikon",
"BRONZE STERLING",
"G0013"
]
},
"related": [
{
"dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
"value": "APT30"
},
{
"description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Japan",
"Philippines",
"Hong Kong",
"Indonesia",
"Taiwan",
"Vietnam"
],
"cfr-target-category": [
"Military",
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
"https://securelist.com/spring-dragon-updated-activity/79067/",
"https://www.cfr.org/interactive/cyber-operations/lotus-blossom",
"https://unit42.paloaltonetworks.com/operation-lotus-blossom/",
"https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf",
"https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/",
"https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
"https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
"https://attack.mitre.org/groups/G0030/",
"https://www.secureworks.com/research/threat-profiles/bronze-elgin",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
],
"synonyms": [
"Spring Dragon",
"ST Group",
"DRAGONFISH",
"BRONZE ELGIN",
"ATK1",
"G0030",
"Red Salamander",
"Lotus BLossom"
]
},
"related": [
{
"dest-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d",
"value": "LOTUS PANDA"
},
{
"description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
"https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
"https://www.crowdstrike.com/blog/storm-chasing/",
"https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
]
},
"uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
"value": "HURRICANE PANDA"
},
{
"description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"United States",
"United Kingdom",
"France",
"Japan",
"Taiwan",
"India",
"Canada",
"China",
"Thailand",
"Israel",
"Australia",
"Republic of Korea",
"Russia",
"Iran",
"Turkey"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf",
"https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
"https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
"https://www.cfr.org/interactive/cyber-operations/iron-tiger",
"https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
"https://www.secureworks.com/research/bronze-union",
"http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states",
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
"https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
"https://securelist.com/luckymouse-ndisproxy-driver/87914/",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf",
"https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
"https://attack.mitre.org/groups/G0027/",
"https://www.secureworks.com/research/threat-profiles/bronze-union",
"https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
],
"synonyms": [
"GreedyTaotie",
"TG-3390",
"EMISSARY PANDA",
"TEMP.Hippo",
"Red Phoenix",
"Budworm",
"Group 35",
"ZipToken",
"Iron Tiger",
"BRONZE UNION",
"Lucky Mouse",
"G0027",
"Iron Taurus"
]
},
"related": [
{
"dest-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
"value": "APT27"
},
{
"description": "menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Japan",
"India",
"South Africa",
"South Korea",
"Sweden",
"United States",
"Canada",
"Australia",
"France",
"Finland",
"United Kingdom",
"Brazil",
"Thailand",
"Switzerland",
"Norway"
],
"cfr-target-category": [
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"https://www.cfr.org/interactive/cyber-operations/apt-10",
"https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
"https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret",
"https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
"https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
"https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf",
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
"https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
"https://attack.mitre.org/groups/G0045/",
"https://www.secureworks.com/research/threat-profiles/bronze-riverside",
"https://unit42.paloaltonetworks.com/atoms/granite-taurus",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"STONE PANDAD",
"Menupass Team",
"happyyongzi",
"POTASSIUM",
"Red Apollo",
"CVNX",
"HOGFISH",
"Cloud Hopper",
"BRONZE RIVERSIDE",
"ATK41",
"G0045",
"Granite Taurus"
]
},
"related": [
{
"dest-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c",
"value": "APT10"
},
{
"description": "This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Malaysia",
"Indonesia",
"Philippines",
"United States",
"India"
],
"cfr-target-category": [
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/hellsing",
"https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/"
]
},
"uuid": "af482dde-9e47-48d5-9cb2-cf8f6d6303d3",
"value": "Hellsing"
},
{
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://kc.mcafee.com/corporate/index?page=content&id=KB71150",
"https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf",
"https://attack.mitre.org/groups/G0014/"
],
"synonyms": [
"G0014"
]
},
"related": [
{
"dest-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d",
"value": "Night Dragon"
},
{
"description": "This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"European Union",
"India",
"United Kingdom"
],
"cfr-target-category": [
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html",
"http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/",
"https://github.com/nccgroup/Royal_APT",
"https://www.cfr.org/interactive/cyber-operations/mirage",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf",
"https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
"https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
"https://attack.mitre.org/groups/G0004/",
"https://www.secureworks.com/research/threat-profiles/bronze-palace",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi"
],
"synonyms": [
"VIXEN PANDA",
"Ke3Chang",
"Playful Dragon",
"Metushy",
"Lurid",
"Social Network Team",
"Royal APT",
"BRONZE PALACE",
"BRONZE DAVENPORT",
"BRONZE IDLEWOOD",
"NICKEL",
"G0004",
"Red Vulture"
]
},
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
"value": "APT15"
},
{
"description": "PLA Navy\nAnchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. \nNot surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"United Kingdom",
"Germany",
"Australia",
"Sweden"
],
"cfr-target-category": [
"Government",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"motive": "Espionage",
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/",
"https://www.cfr.org/interactive/cyber-operations/anchor-panda",
"https://www.mandiant.com/resources/insights/apt-groups"
],
"synonyms": [
"ANCHOR PANDA",
"QAZTeam",
"ALUMINUM"
]
},
"related": [
{
"dest-uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "cb8c8253-4024-4cc9-8989-b4a5f95f6c2f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "32a67552-3b31-47bb-8098-078099bbc813",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
"value": "APT14"
},
{
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Mongolia",
"Kazakhstan",
"Tajikistan",
"Germany",
"United Kingdom",
"India",
"Kyrgyzstan",
"South Korea",
"United States",
"Chile",
"Russia",
"China",
"Spain",
"Canada",
"Morocco"
],
"cfr-target-category": [
"Government",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/",
"https://www.cfr.org/interactive/cyber-operations/nettraveler",
"https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes",
"https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary",
"https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/",
"https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests",
"http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242",
"https://www.mandiant.com/resources/insights/apt-groups"
],
"synonyms": [
"HAMMER PANDA",
"TEMP.Zhenbao",
"NetTraveler"
]
},
"uuid": "b80f4788-ccb2-466d-ae16-b397159d907e",
"value": "APT21"
},
{
"description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"South Korea",
"United States",
"Japan",
"Germany",
"China"
],
"cfr-target-category": [
"Government",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/",
"https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/",
"https://www.cfr.org/interactive/cyber-operations/icefog",
"https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf"
],
"synonyms": [
"IceFog",
"Trident",
"RedFoxtrot",
"Red Wendigo",
"PLA Unit 69010"
]
},
"uuid": "32c534b9-abec-4823-b223-a810f897b47b",
"value": "DAGGER PANDA"
},
{
"description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html",
"https://attack.mitre.org/groups/G0011",
"https://www.mandiant.com/resources/insights/apt-groups"
],
"synonyms": [
"PITTY PANDA",
"G0011",
"Temp.Pittytiger"
]
},
"related": [
{
"dest-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189",
"value": "APT24"
},
{
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
"http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf",
"https://www.secureworks.com/research/threat-profiles/bronze-woodland"
],
"synonyms": [
"BRONZE WOODLAND",
"Rotten Tomato"
]
},
"uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d",
"value": "Roaming Tiger"
},
{
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"Canada",
"United Kingdom",
"Switzerland",
"Hong Kong",
"Australia",
"India",
"Taiwan",
"China",
"Denmark"
],
"cfr-target-category": [
"Private sector",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/sneaky-panda",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf",
"https://attack.mitre.org/groups/G0066/"
],
"synonyms": [
"SNEAKY PANDA",
"Elderwood",
"Elderwood Gang",
"SIG22",
"G0066"
]
},
"related": [
{
"dest-uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "da754aeb-a86d-4874-b388-d1d2028a56be",
"value": "Beijing Group"
},
{
"meta": {
"attribution-confidence": "50",
"country": "CN",
"synonyms": [
"Shrouded Crossbow"
]
},
"uuid": "c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e",
"value": "RADIO PANDA"
},
{
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"
]
},
"uuid": "f33fd440-93ee-41e5-974a-be9343e18cdf",
"value": "APT.3102"
},
{
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"United Kingdom",
"Hong Kong"
],
"cfr-target-category": [
"Private sector",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/whois-samurai-panda/"
],
"synonyms": [
"PLA Navy",
"Wisp Team"
]
},
"related": [
{
"dest-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
"value": "SAMURAI PANDA"
},
{
"meta": {
"attribution-confidence": "50",
"country": "CN"
},
"uuid": "b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1",
"value": "IMPERSONATING PANDA"
},
{
"description": "We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.\nIn contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
"https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf",
"https://unit42.paloaltonetworks.com/atoms/crawling-taurus/",
"https://www.mandiant.com/resources/insights/apt-groups"
],
"synonyms": [
"VIOLIN PANDA",
"TH3Bug",
"Crawling Taurus"
]
},
"uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
"value": "APT20"
},
{
"description": "A group targeting dissident groups in China and at the boundaries.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
]
},
"uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761",
"value": "TOXIC PANDA"
},
{
"description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Hong Kong",
"United States"
],
"cfr-target-category": [
"Government",
"Private sector",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html",
"https://www.cfr.org/interactive/cyber-operations/admin338",
"https://attack.mitre.org/groups/G0018/"
],
"synonyms": [
"Admin338",
"Team338",
"MAGNESIUM",
"admin@338",
"G0018"
]
},
"related": [
{
"dest-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b",
"value": "TEMPER PANDA"
},
{
"description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
"http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
"https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"https://blog.lookout.com/titan-mobile-threat",
"https://attack.mitre.org/groups/G0081/",
"https://www.secureworks.com/research/threat-profiles/bronze-hobart",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [
"PIRATE PANDA",
"KeyBoy",
"Tropic Trooper",
"BRONZE HOBART",
"G0081",
"Red Orthrus"
]
},
"uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
"value": "APT23"
},
{
"description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"United States",
"Iranian internet activists"
],
"cfr-target-category": [
"Military",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf",
"https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/",
"https://www.cfr.org/interactive/cyber-operations/saffron-rose"
],
"synonyms": [
"SaffronRose",
"Saffron Rose",
"AjaxSecurityTeam",
"Ajax Security Team",
"Group 26",
"Sayad"
]
},
"related": [
{
"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "similar"
},
{
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
"value": "Flying Kitten"
},
{
"description": "One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"United States",
"Bank of America",
"US Bancorp",
"Fifth Third Bank",
"Citigroup",
"PNC",
"BB&T",
"Wells Fargo",
"Capital One",
"HSBC",
"AT&T",
"NYSE"
],
"cfr-type-of-incident": [
"Denial of service"
],
"country": "IR",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/itsecteam",
"https://www.justice.gov/usao-sdny/file/835061/download"
],
"synonyms": [
"ITsecTeam"
]
},
"uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
"value": "Cutting Kitten"
},
{
"description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"U.S. government/defense sector websites",
"Saudi Arabia",
"Israel",
"Iraq",
"United Kingdom"
],
"cfr-target-category": [
"Government",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"https://en.wikipedia.org/wiki/Operation_Newscaster",
"https://iranthreats.github.io/resources/macdownloader-macos-malware/",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf",
"https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/",
"https://cryptome.org/2012/11/parastoo-hacks-iaea.htm",
"https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf",
"https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/",
"https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf",
"https://www.cfr.org/interactive/cyber-operations/newscaster",
"https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/",
"https://securelist.com/freezer-paper-around-free-meat/74503/",
"https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/",
"http://www.arabnews.com/node/1195681/media",
"https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f",
"https://blog.certfa.com/posts/the-return-of-the-charming-kitten/",
"https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber",
"https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
"https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
"https://attack.mitre.org/groups/G0058/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"Newscaster",
"Parastoo",
"iKittens",
"Group 83",
"NewsBeef",
"G0058"
]
},
"related": [
{
"dest-uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
"value": "Charming Kitten"
},
{
"description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
"meta": {
"attribution-confidence": "50",
"capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"United States",
"Saudi Arabia",
"South Korea"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"mode-of-operation": "IT network limited, information gathering against industrial orgs",
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
"https://www.brighttalk.com/webcast/10703/275683",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
"https://attack.mitre.org/groups/G0064/",
"https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
"https://www.cfr.org/interactive/cyber-operations/apt-33",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://dragos.com/adversaries.html"
],
"synonyms": [
"APT 33",
"Elfin",
"MAGNALLIUM",
"Refined Kitten",
"HOLMIUM",
"COBALT TRINITY",
"G0064",
"ATK35"
],
"victimology": "Petrochemical, Aerospace, Saudi Arabia"
},
"related": [
{
"dest-uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
"value": "APT33"
},
{
"description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.",
"meta": {
"attribution-confidence": "50",
"country": "IR",
"refs": [
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140"
],
"synonyms": [
"Group 42",
"VOYEUR"
]
},
"uuid": "2e77511d-f72f-409e-9b64-e2a15efe9bf4",
"value": "Magic Kitten"
},
{
"description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"Saudi Arabia",
"Venezuela",
"Afghanistan",
"United Arab Emirates",
"Iran",
"Israel",
"Iraq",
"Kuwait",
"Turkey",
"Canada",
"Yemen",
"United Kingdom",
"Egypt",
"Syria",
"Jordan"
],
"cfr-target-category": [
"Government",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
"https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
"http://www.clearskysec.com/thamar-reservoir/",
"https://citizenlab.ca/2015/08/iran_two_factor_phishing/",
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
"https://en.wikipedia.org/wiki/Rocket_Kitten",
"https://www.cfr.org/interactive/cyber-operations/rocket-kitten"
],
"synonyms": [
"TEMP.Beanie",
"Operation Woolen Goldfish",
"Operation Woolen-Goldfish",
"Thamar Reservoir",
"Timberworm"
]
},
"related": [
{
"dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "similar"
},
{
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"value": "Rocket Kitten"
},
{
"description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"Canada",
"France",
"Israel",
"Mexico",
"Saudi Arabia",
"China",
"Germany",
"United States",
"Pakistan",
"South Korea",
"United Kingdom",
"India",
"Kuwait",
"Qatar",
"Turkey"
],
"cfr-target-category": [
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"https://www.secureworks.com/research/the-curious-case-of-mia-ash",
"https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
"https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
"https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
"https://attack.mitre.org/groups/G0003/",
"https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/",
"https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles",
"https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten",
"https://www.cfr.org/cyber-operations/operation-cleaver",
"https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html",
"https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf"
],
"synonyms": [
"Operation Cleaver",
"Op Cleaver",
"Tarh Andishan",
"Alibaba",
"TG-2889",
"Cobalt Gypsy",
"G0003"
]
},
"related": [
{
"dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"value": "Cleaver"
},
{
"meta": {
"attribution-confidence": "50",
"country": "IR"
},
"uuid": "1de1a64e-ea14-4e79-9e41-6958bdb6c0ff",
"value": "Sands Casino"
},
{
"description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.",
"meta": {
"attribution-confidence": "50",
"country": "TN",
"motive": "Hacktivists-Nationalists",
"synonyms": [
"FallagaTeam"
]
},
"uuid": "29af2812-f7fb-4edb-8cc4-86d0d9e3644b",
"value": "Rebel Jackal"
},
{
"meta": {
"attribution-confidence": "50",
"country": "AE",
"synonyms": [
"Vikingdom"
]
},
"uuid": "7f99ba32-421c-4905-9deb-006e8eda40c1",
"value": "Viking Jackal"
},
{
"description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Georgia",
"France",
"Jordan",
"United States",
"Hungary",
"World Anti-Doping Agency",
"Armenia",
"Tajikistan",
"Japan",
"NATO",
"Ukraine",
"Belgium",
"Pakistan",
"Asia Pacific Economic Cooperation",
"International Association of Athletics Federations",
"Turkey",
"Mongolia",
"OSCE",
"United Kingdom",
"Germany",
"Poland",
"European Commission",
"Afghanistan",
"Kazakhstan",
"China"
],
"cfr-target-category": [
"Government",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://attack.mitre.org/groups/G0007/",
"https://en.wikipedia.org/wiki/Fancy_Bear",
"https://en.wikipedia.org/wiki/Sofacy_Group",
"https://www.bbc.com/news/technology-37590375",
"https://www.bbc.co.uk/news/technology-45257081",
"https://www.cfr.org/interactive/cyber-operations/apt-28",
"https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
"https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
"https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
"https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/",
"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
"https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
"https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf",
"https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff",
"https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf",
"https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
"https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
"https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
"https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny",
"https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
"https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
"https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
"https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
"https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
"https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
"https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
"https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
"https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
"https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
"https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
"https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
"https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
"https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN",
"https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
"https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
"https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
"https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
"https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/",
"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/",
"https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
"https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
"https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
],
"synonyms": [
"Pawn Storm",
"FANCY BEAR",
"Sednit",
"SNAKEMACKEREL",
"Tsar Team",
"TG-4127",
"STRONTIUM",
"Swallowtail",
"IRON TWILIGHT",
"Group 74",
"SIG40",
"Grizzly Steppe",
"G0007",
"ATK5",
"Fighting Ursa",
"ITG05",
"Blue Athena",
"TA422",
"T-APT-12",
"APT-C-20",
"UAC-0028",
"FROZENLAKE",
"Sofacy"
]
},
"related": [
{
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
"value": "APT28"
},
{
"description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"United States",
"China",
"New Zealand",
"Ukraine",
"Romania",
"Georgia",
"Japan",
"South Korea",
"Belgium",
"Kazakhstan",
"Brazil",
"Mexico",
"Turkey",
"Portugal",
"India"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf",
"https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf",
"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
"https://www.cfr.org/interactive/cyber-operations/dukes",
"https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
"https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
"https://www.secureworks.com/research/threat-profiles/iron-hemlock",
"https://attack.mitre.org/groups/G0016",
"https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/",
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf"
],
"synonyms": [
"Group 100",
"COZY BEAR",
"The Dukes",
"Minidionis",
"SeaDuke",
"YTTRIUM",
"IRON HEMLOCK",
"Grizzly Steppe",
"G0016",
"ATK7",
"Cloaked Ursa",
"TA421",
"Blue Kitsune",
"ITG11",
"BlueBravo"
]
},
"related": [
{
"dest-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
"value": "APT29"
},
{
"description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"France",
"Romania",
"Kazakhstan",
"Poland",
"Tajikistan",
"Russia",
"United States",
"Saudi Arabia",
"Germany",
"India",
"Belarus",
"Netherlands",
"Iran",
"Uzbekistan",
"Iraq"
],
"cfr-target-category": [
"Government",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.circl.lu/pub/tr-25/",
"https://securelist.com/introducing-whitebear/81638/",
"https://securelist.com/the-epic-turla-operation/65545/",
"https://www.cfr.org/interactive/cyber-operations/turla",
"https://www.nytimes.com/2010/08/26/technology/26cyber.html",
"https://securelist.com/blog/research/67962/the-penquin-turla-2/",
"https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
"https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
"https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/",
"https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/",
"https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
"https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548",
"https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
"https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
"https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
"https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html",
"https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
"https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
"https://attack.mitre.org/groups/G0010/",
"https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/",
"https://www.secureworks.com/research/threat-profiles/iron-hunter",
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf"
],
"synonyms": [
"Snake",
"VENOMOUS Bear",
"Group 88",
"Waterbug",
"WRAITH",
"Uroburos",
"Pfinet",
"TAG_0530",
"KRYPTON",
"Hippo Team",
"Pacifier APT",
"Popeye",
"SIG23",
"IRON HUNTER",
"MAKERSMARK",
"ATK13",
"G0010",
"ITG12",
"Blue Python",
"SUMMIT",
"UNC4210"
]
},
"related": [
{
"dest-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
"value": "Turla"
},
{
"description": "A Russian group that collects intelligence on the energy industry.",
"meta": {
"attribution-confidence": "75",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"United States",
"Germany",
"Turkey",
"China",
"Spain",
"France",
"Ireland",
"Japan",
"Italy",
"Poland"
],
"cfr-target-category": [
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet",
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
"http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
"https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
"https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
"https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA",
"https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
"https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
"https://www.riskiq.com/blog/labs/energetic-bear/",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
"https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
"https://attack.mitre.org/groups/G0035/",
"https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector",
"https://dragos.com/adversaries.html",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://www.cfr.org/interactive/cyber-operations/dymalloy"
],
"synonyms": [
"BERSERK BEAR",
"ALLANITE",
"CASTLE",
"DYMALLOY",
"TG-4192",
"Dragonfly",
"Crouching Yeti",
"Group 24",
"Havex",
"Koala Team",
"IRON LIBERTY",
"G0035",
"ATK6",
"ITG15",
"BROMINE",
"Blue Kraken"
]
},
"related": [
{
"dest-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
"value": "ENERGETIC BEAR"
},
{
"description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"Lithuania",
"Kyrgyzstan",
"Israel",
"Ukraine",
"Belarus",
"Kazakhstan",
"Georgia",
"Poland",
"Azerbaijan",
"Iran"
],
"cfr-target-category": [
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-163A",
"https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
"https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
"https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
"https://attack.mitre.org/groups/G0034",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://dragos.com/adversaries.html",
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
"https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt",
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
"https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
"https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
],
"synonyms": [
"Quedagh",
"VOODOO BEAR",
"TEMP.Noble",
"IRON VIKING",
"G0034",
"ELECTRUM",
"TeleBots",
"IRIDIUM",
"Blue Echidna",
"FROZENBARENTS"
]
},
"related": [
{
"dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d52ca4c4-d214-11e8-8d29-c3e7cb78acce",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
"value": "Sandworm"
},
{
"description": "Groups targeting financial organizations or people with significant financial assets.",
"meta": {
"attribution-confidence": "50",
"country": "RU",
"motive": "Cybercrime",
"refs": [
"https://en.wikipedia.org/wiki/Carbanak",
"https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
"http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf",
"https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
"https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
"https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf",
"https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf",
"https://attack.mitre.org/groups/G0008/",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
"https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://blog.morphisec.com/fin7-attacks-restaurant-industry",
"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
"https://blog.morphisec.com/fin7-attack-modifications-revealed",
"https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
"https://attack.mitre.org/groups/G0046/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://threatintel.blog/OPBlueRaven-Part1/",
"https://threatintel.blog/OPBlueRaven-Part2/",
"https://www.secureworks.com/research/threat-profiles/gold-niagara",
"https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous",
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
],
"synonyms": [
"CARBON SPIDER",
"GOLD NIAGARA",
"Calcium",
"ATK32",
"G0046",
"G0008",
"Coreid",
"Carbanak"
]
},
"related": [
{
"dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
"value": "FIN7"
},
{
"description": "Researchers have uncovered a long-term cyber-