A Primer: APT and Criminal Actor Groups List. Their Names, Countries of Origin, Goals, Agencies, Campaigns, and Verticals
2023-12-14 05:06:32
Author: krypt3ia.wordpress.com
This blog post was created in tandem with ChatGPT4 and Bard by Scot Terban
China
Ministry of State Security (MSS)
PLA Unit 61398 (APT1)
Alternate Names: Comment Crew, Comment Group.
PLA Unit 61486 (APT2)
Alternate Names: Often grouped with APT1 but distinct identifiers are less common.
Aerospace & Defense: Military contractors, satellite communications
Media & Telecommunications: News outlets, social media platforms, telecommunications companies
Campaigns:
While Unit 8200’s activities are largely classified, some notable operations include:
Stuxnet (2009-2010): Developed and deployed a worm that disrupted Iranian nuclear centrifuges.
Duqu (2011): A sophisticated cyberespionage campaign targeting critical infrastructure in Europe and the Middle East.
Operation Dancing Water (2012-2014): Infiltrated Palestinian telecommunications networks to gather intelligence.
Havoc (2013): Cyberattack on Syrian air defense systems.
WannaCry (2017): Global ransomware attack believed to have been developed by Unit 8200 alumni.
Pegasus (2016-present): Spyware developed by NSO Group, an Israeli company with close ties to Unit 8200, used to target journalists, activists, and political figures worldwide.
Additional notes:
Unit 8200’s capabilities are extensive and include advanced malware development, network intrusion, data exfiltration, and targeted surveillance.
The unit is known for its close cooperation with other intelligence agencies, including the US National Security Agency (NSA).
Its activities raise concerns about privacy violations and the potential for misuse of cyberweapons.
North Korea
Ricochet Chollima (APT37)
Lazarus Group (APT38)
Kimsuky
Ricochet Chollima (APT37)
Verticals:
Financial institutions: Primarily targeted for financial gain and sanctions evasion.
Government: South Korean government and defectors, as well as other countries like Japan and the Middle East.
Industrial sector: Stealing intellectual property and trade secrets.
Academics and journalists: Gathering intelligence and potentially silencing dissent.
Campaigns:
Operation Daybreak (2016): Targeted South Korean banks and financial institutions.
Operation Erebus (2017): Struck South Korean cryptocurrency exchanges.
Operation Golden Time (2017): Hacked South Korean defense contractors.
Operation Evil New Year (2018): Disrupted South Korean websites with malware.
Malware:
RICECURRY: JavaScript-based browser profiler to deliver malicious code.
DOGCALL, RUHAPPY, CORALDECK: Destructive malware capable of overwriting systems.
SHUTTERSPEED, WINERACK: Malware for data exfiltration.
Lazarus Group (APT38)
Verticals:
Financial institutions: Banks, cryptocurrency exchanges, and other financial services.
Critical infrastructure: Power grids, transportation systems, and other essential services.
Defense contractors: Stealing military technology and intelligence.
Campaigns:
Sony Pictures Entertainment hack (2014): Leaked sensitive data and disrupted operations.
Bangladesh Bank Heist (2016): Stole $81 million from the Bangladesh central bank.
WannaCry ransomware attack (2017): Infected millions of computers worldwide, causing billions of dollars in damage.
Cyberattacks against cryptocurrency exchanges (2018-present): Stolen millions of dollars in cryptocurrency.
Malware:
GandCrab ransomware: Used in numerous cyberattacks against businesses and individuals.
WannaCry ransomware: Global ransomware attack with devastating consequences.
DALTON, JADU: Malware for network intrusion and data exfiltration.
Kimsuky
Verticals:
Defense contractors and aerospace companies: Stealing military technology and intelligence.
Financial institutions: Banks and cryptocurrency exchanges for financial gain.
Critical infrastructure: Power grids and other essential services for disruption.
Campaigns:
Operation DarkSeoul (2013): Targeted South Korean banks and government websites.
Operation ShareThePain (2014): Attacked South Korean defense contractors.
Operation MoonRise (2018): Hacked cryptocurrency exchanges in South Korea and Japan.
Operation GoldenHope (2019): Targeted South Korean banks and cryptocurrency exchanges.
Malware:
KIMSUKY: A modular malware framework used in various cyberattacks.
Metasploit: Open-source penetration testing framework often used by attackers.
RATs (Remote Access Trojans): Used for remote control of infected systems.
Russia
Fancy Bear (APT28)
Cozy Bear (APT29)
Berserk Bear
FIN7
Gamaredon (Primitive Bear)
Sandworm
Venomous Bear
Cozy Bear (APT29)
Verticals:
Government: Primarily targeting foreign ministries, think tanks, and defense contractors.
Critical infrastructure: Energy grid, nuclear facilities, and transportation systems.
Finance: Banks, financial institutions, and cryptocurrency exchanges.
Think tanks and research institutions: Stealing intellectual property and confidential information.
Campaigns:
Operation Olympic Destroyer (2016): Disrupted the 2016 Olympic Games in Rio de Janeiro.
Hacking of the US State Department (2014): Compromised classified diplomatic cables and emails.
Targeting of European government agencies (2015-present): Stealing sensitive information on political and economic issues.
SolarWinds supply chain attack (2020): Infiltrated networks of government agencies and private companies through compromised software.
Microsoft Exchange Server vulnerabilities (2021): Exploited vulnerabilities to gain access to email systems.
Fancy Bear (APT28)
Verticals:
Government: Primarily targeting political and military organizations, including election systems and diplomatic missions.
Critical infrastructure: Power grids, nuclear facilities, and other essential services.
Technology: Telecommunications companies, software developers, and research institutions.
Media: News outlets and journalists.
Campaigns:
DDoS attacks against Georgian government websites (2008): Disrupted operations during the Russia-Georgia War.
Hacking of Democratic National Committee (2016): Leaked emails and influenced the US presidential election.
Cyberattacks against the World Anti-Doping Agency (2016): Released confidential athlete data.
Targeting of Olympic Games (2014, 2018): Compromised anti-doping databases and athlete information.
Supply chain attacks against Microsoft (2020): Compromised software updates to infiltrate targeted systems.
Berserk Bear
Verticals:
Financial institutions: Banks, credit card companies, and ATM networks.
Retail: Retailers and payment processing companies.
Healthcare: Hospitals and medical institutions.
Campaigns:
Carbanak (2013-2015): Stole millions of dollars from banks worldwide.
FIN7 (2016-present): A prolific financial cybercrime group targeting banks and other financial institutions.
Cobalt Strike (2012-present): A powerful penetration testing tool used by various threat actors, including Berserk Bear.
FIN7
Verticals:
Financial institutions: Banks, credit card companies, and ATM networks.
Retail: Retailers and payment processing companies.
Healthcare: Hospitals and medical institutions.
Campaigns:
Carbanak (2013-2015): Stole millions of dollars from banks worldwide.
Operation MoneyTaker (2016-present): A long-running campaign targeting financial institutions with malware and phishing attacks.
Cobalt Strike (2012-present): A powerful penetration testing tool used by FIN7 and other threat actors.
Gamaredon (Primitive Bear)
Verticals:
Government: Primarily targeting Eastern European government agencies and military organizations.
Critical infrastructure: Power grids, transportation systems, and other essential services.
Energy sector: Oil and gas companies, nuclear facilities, and electricity grids.
Campaigns:
Cyberattacks against Ukrainian government websites (2014-present): Disrupted operations and spread disinformation.
Targeting of critical infrastructure in Eastern Europe (2015-present): Launched DDoS attacks and deployed malware to disrupt operations.
Operation PowerFall (2016): Widespread attack against Ukrainian power grid causing blackouts.
Sandworm
Verticals:
Critical infrastructure: Power grids, nuclear facilities, and transportation systems.
Military: Targeting military networks and command-and-control systems.
Government: Stealing intelligence and disrupting operations.
Campaigns:
Cyberattacks against Ukrainian power grid (2015-present): Caused blackouts and disrupted operations.
NotPetya ransomware attack (2017): Infected
Turkey
StrongPity (APT-C-41, PROMETHIUM)
Verticals:
Government: Primarily targeting Turkish and Syrian government agencies and military organizations.
Critical infrastructure: Power grids, telecommunications networks, and transportation systems.
Defense contractors: Stealing sensitive military technology and intelligence.
Media and telecommunications: Targeting journalists, activists, and dissidents.
Campaigns:
Operation Sandvine (2018): Exploited vulnerabilities in network monitoring equipment to spy on Turkish and Egyptian users.
Trojanized Telegram App (2020): Used a fake Telegram app to backdoor and spy on victims.
Operation StrongPity3 (2020): Used new infrastructure and malware variants to expand their reach.
Targeting of Kurdish journalists and activists (2016-present): Spying on and harassing individuals critical of the Turkish government.
Tools and Malware:
StrongPity: The group’s primary backdoor, capable of remote access, data exfiltration, and command execution.
StrongPity2, StrongPity3: Variants of the original StrongPity backdoor with additional features and functionalities.
Truvasys: A readily available malware often used as a first-stage dropper for StrongPity.
Additional Notes:
StrongPity is considered a highly sophisticated and adaptable threat group with a history of targeting sensitive Turkish and Syrian infrastructure and individuals.
The group’s activities raise concerns about government-sponsored cyberespionage and the potential for attacks against critical infrastructure.
Attribution of cyberattacks to specific groups can be complex and not always accurate. The information provided here is based on publicly available sources and may not be exhaustive.
United States
Equation Group
The Equation Group is a highly sophisticated cyber espionage group suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Here’s a breakdown of their activities:
Verticals:
Government: Primarily targeting foreign ministries, diplomatic missions, and defense contractors.
Critical infrastructure: Power grids, nuclear facilities, and telecommunications networks.
Technology: Software developers, research institutions, and technology companies.
Aerospace & Defense: Stealing military technology and intelligence.
Campaigns:
Operation Aurora (2009): Targeted critical infrastructure in the US and other countries, including power grids and financial institutions.
Operation Cloud Hopper (2014-2015): Espionage campaign targeting European and Asian government agencies and businesses.
Operation Titan Rain (2014-2017): Hacking of cloud computing accounts and networks, including those of Google and Yahoo.
Operation Shady RAT (2016-2017): Spying on diplomatic and military personnel.
Supply Chain Attacks (2020-present): Compromising software supply chains to target various industries.
Tools and Malware:
Equation Group Suite: A collection of custom-built malware tools designed for espionage and infiltration.
Gumshoe: A backdoor that allows remote access to infected systems.
SurfinBird: A tool used for network reconnaissance and data exfiltration.
EquationDisk: A persistent malware that survives system reboots.
Additional Notes:
The Equation Group is considered one of the most sophisticated cyber espionage groups in the world, with a long history of targeting sensitive infrastructure and organizations.
The group’s activities raise concerns about government-sponsored cyberespionage and the potential for widespread disruption and data theft.
Attribution of cyberattacks to specific groups can be complex and not always accurate. The information provided here is based on publicly available sources and may not be exhaustive.
Uzbekistan
SandCat: associated with the State Security Service.
SandCat is a hacking group linked to the State Security Service (SSS) of Uzbekistan. While their exact activities remain largely classified, available information paints a picture of a group involved in cyber espionage and malware development, targeting primarily journalists, activists, and government entities.
Verticals:
Government: Uzbek government agencies, including military and intelligence units.
Media and Telecommunications: Journalists, human rights activists, and independent media outlets.
Critical Infrastructure: Potential for targeting critical infrastructure, although specific instances haven’t been documented.
Campaigns:
Malware Development: SandCat has been observed developing its own malware, suggesting a shift from relying on commercially available tools to building custom capabilities.
Journalist Targeting: Reports indicate SandCat targeting journalists and activists through various methods, including:
Phishing attacks: Malicious emails disguised as legitimate sources to lure victims into compromising their systems.
Zero-day exploits: Exploiting previously unknown vulnerabilities in software to gain unauthorized access.
Malware-laced documents: Documents containing embedded malware that, once opened, infect the victim’s system.
Tools and Malware:
SandCat Malware: Custom-developed malware for espionage and data exfiltration. Specific details remain confidential.
Commercially Available Tools: SandCat has also been observed using commercially available hacking tools, suggesting a blend of sophisticated and readily available techniques.
Unfortunately, due to the secretive nature of SandCat’s activities, no readily available images directly represent the group.
Additional Notes:
Attributing cyberattacks to specific groups like SandCat can be challenging due to the complex nature of cyberspace and the use of sophisticated techniques to mask identities.
The full extent of SandCat’s capabilities and target range remains unclear, requiring further investigation and monitoring.
SandCat’s activities raise concerns about government-sponsored cyberespionage and potential threats to freedom of expression and digital security in Uzbekistan.
It’s important to stay informed about cyber threats like SandCat and take necessary precautions to protect yourself online. Practicing good cyber hygiene, being vigilant against phishing attempts, and keeping software updated can help mitigate the risks associated with such groups.
Vietnam
OceanLotus (APT32)
OceanLotus, also known as APT32, is a cyber espionage group suspected of being affiliated with the Vietnamese Ministry of Public Security (MPS). They’ve been active since at least 2014, targeting various entities considered hostile to Vietnamese interests.
Verticals:
Government: Primarily targeting Vietnamese government agencies, foreign diplomatic missions, and dissidents.
Critical Infrastructure: Energy, telecommunications, and transportation sectors.
Defense Contractors: Stealing military technology and intelligence.
Think Tanks and Media Outlets: Gathering information and potentially influencing public opinion.
Campaigns:
Watering Hole Attacks (2014-present): Compromising websites frequented by target groups to implant malware on their devices.
Operation SeaPea (2017-2018): Attacks against critical infrastructure in Vietnam and Thailand.
Operation Hangover (2018): Targeting Israeli government and military organizations.
Operation Eximiner (2020): Espionage campaign targeting US defense contractors and intelligence agencies.
Supply Chain Attacks (2020-present): Compromising software supply chains to target various industries.
Tools and Malware:
OceanLotus Suite: A collection of custom-built malware tools designed for espionage and infiltration.
REDLILY: A backdoor capable of remote access, data exfiltration, and command execution.
COBALTDUCK: A malware framework used for various attacks, including watering holes and spear phishing.
WATERMELON: A tool used for network reconnaissance and data exfiltration.
Additional Notes:
OceanLotus is considered a sophisticated and adaptable threat group, constantly developing new techniques and malware to evade detection.
The group’s activities raise concerns about government-sponsored cyberespionage and the potential for attacks against critical infrastructure and sensitive information.
Attribution of cyberattacks to specific groups like OceanLotus can be complex and not always accurate. The information provided here is based on publicly available sources and may not be exhaustive.
The ransomware landscape is constantly evolving, with new groups emerging and older ones adapting their tactics. Here’s a list of some of the most prominent ransomware groups known to be active today:
LockBit:
Dominant player: LockBit has consistently been the top ransomware threat for the past two years, responsible for a significant portion of attacks against businesses and individuals.
Sophisticated: Utilizes advanced encryption algorithms and double extortion tactics, threatening to leak stolen data if the ransom isn’t paid.
Targets: Wide range of victims, including healthcare, education, and critical infrastructure organizations.
BlackCat (AlphV):
Rapidly rising: Emerged in late 2021 and quickly gained notoriety for its aggressive tactics and focus on high-profile targets.
Technical innovation: Uses the Rust programming language, making it more difficult to detect and analyze.
Targets: Critical infrastructure, energy, and manufacturing sectors.
Clop:
Established threat: Active since 2017, Clop has a long track record of successful attacks, targeting primarily European organizations.
Professional approach: Maintains a leak site and engages in negotiations with victims, suggesting a more organized operation.
Targets: Healthcare, finance, and government organizations.
Hive:
Ransomware-as-a-Service (RaaS): Operates as a platform that allows other actors to launch ransomware attacks using their tools and infrastructure.
Lucrative model: Hive has reportedly earned millions of dollars from its RaaS operations.
Targets: Wide range of organizations, with a recent focus on critical infrastructure.
REvil (Sodinokibi):
Major player: Was one of the most active and prolific ransomware groups until its alleged shutdown by Russian authorities in 2022.
High-profile attacks: Responsible for major attacks against Kaseya and JBS, causing significant disruption and financial losses.
Uncertain future: While REvil’s core operation may be disrupted, its code and infrastructure may be used by other groups.
Other notable groups:
Conti (disbanded but elements may be active through other groups)